Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 58733

Summary: media-sound/sox buffer overflows
Product: Gentoo Security Reporter: Thierry Carrez (RETIRED) <koon>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: lewk, sound
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0557
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Thierry Carrez (RETIRED) gentoo-dev 2004-07-29 01:32:15 UTC 
From Fedora Core 1 advisory :

----------------------------------
Updated sox packages that fix buffer overflows in the WAV file handling code are now available.

Buffer overflows existed in the parsing of WAV file header fields. It was possible that a malicious WAV file could have caused arbitrary code to be executed when the file was played or converted.
----------------------------------

This is CAN-2004-0557.
Patch available at http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=128158
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-07-29 01:34:55 UTC 
sound team : please apply fix and bump
Comment 2 Chris White (RETIRED) gentoo-dev 2004-07-29 02:19:15 UTC 
Bumped to -r2 with patch.

Kept stable keywords as the patch is trivial and would not cause
stability to be hindered in any way.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-07-29 05:59:50 UTC 
GLSA drafted : security please review
Comment 4 Jeremy Huddleston (RETIRED) gentoo-dev 2004-07-29 11:03:11 UTC 
Thanks Chris.

I agree with him that  it is trivial and we don't need to ask the archs to rekeyword this version, but alpha has keyworded 12.17.3-r3 but was removed from 12.7.4-r1.

Alpha, pleasse test 12.7.4-r2 on your arch.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2004-07-30 08:02:17 UTC 
GLSA 200407-23
alpha : please remember to mark stable to benefit from the GLSA
Comment 6 Bryan Østergaard (RETIRED) gentoo-dev 2004-07-30 11:25:07 UTC 
Stable on alpha - sorry about the delay.
Comment 7 Luke Macken (RETIRED) gentoo-dev 2004-10-13 16:09:51 UTC 
*** Bug 67482 has been marked as a duplicate of this bug. ***