Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 484480 (CVE-2013-4256) - <media-libs/nas-1.9.4: multiple vulnerabilities (CVE-2013-{4256,4258})
Summary: <media-libs/nas-1.9.4: multiple vulnerabilities (CVE-2013-{4256,4258})
Status: RESOLVED FIXED
Alias: CVE-2013-4256
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B2 [glsa]
Keywords:
: 501498 (view as bug list)
Depends on:
Blocks: 495798
  Show dependency tree
 
Reported: 2013-09-10 14:12 UTC by Agostino Sarubbo
Modified: 2014-06-25 20:53 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-09-10 14:12:11 UTC
From ${URL} :

recently i reported some vulnerabilities in Network Audio System (NAS) -
v1.9.3

These vulnerabilities reported at :

http://radscan.com/pipermail/nas/2013-August/001270.html

and 3 fix on upstream :

https://sourceforge.net/p/nas/code/288/
https://sourceforge.net/p/nas/code/287/tree//trunk/server/os/utils.c?diff=517ad7dc2718467b12eafbad:286
https://sourceforge.net/p/nas/code/289/tree//trunk/server/os/connection.c?diff=517ad7dc2718467b12eafbad:288



@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Agostino Sarubbo gentoo-dev 2013-10-09 16:58:50 UTC
CVE-2013-4257 was rejected and merged into CVE-2013-4256
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-10-24 00:13:00 UTC
CVE-2013-4258 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4258):
  Format string vulnerability in the osLogMsg function in server/os/aulog.c in
  Network Audio System (NAS) 1.9.3 allows remote attackers to cause a denial
  of service (crash) and possibly execute arbitrary code via format string
  specifiers in unspecified vectors, related to syslog.

CVE-2013-4256 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4256):
  Multiple stack-based and heap-based buffer overflows in Network Audio System
  (NAS) 1.9.3 allow local users to cause a denial of service (crash) or
  possibly execute arbitrary code via the (1) display command argument to the
  ProcessCommandLine function in server/os/utils.c; (2) ResetHosts function in
  server/os/access.c; (3) open_unix_socket, (4) open_isc_local, (5)
  open_xsight_local, (6) open_att_local, or (7) open_att_svr4_local function
  in server/os/connection.c; the (8) AUDIOHOST environment variable to the
  CreateWellKnownSockets or (9) AmoebaTCPConnectorThread function in
  server/os/connection.c; or (10) unspecified vectors related to logging in
  the osLogMsg function in server/os/aulog.c.
Comment 3 Samuli Suominen (RETIRED) gentoo-dev 2014-02-16 16:23:21 UTC
(In reply to Agostino Sarubbo from comment #0)
> https://sourceforge.net/p/nas/code/288/
> https://sourceforge.net/p/nas/code/287/tree//trunk/server/os/utils.
> c?diff=517ad7dc2718467b12eafbad:286
> https://sourceforge.net/p/nas/code/289/tree//trunk/server/os/connection.
> c?diff=517ad7dc2718467b12eafbad:288

I get 404 from those links.
Comment 4 Samuli Suominen (RETIRED) gentoo-dev 2014-02-16 16:40:15 UTC
*** Bug 501498 has been marked as a duplicate of this bug. ***
Comment 5 Samuli Suominen (RETIRED) gentoo-dev 2014-02-16 16:46:27 UTC
I see now that these are fixed in upstream release of 1.9.4 which is now in 
Portage.

Please test and stabilize:

=media-libs/nas-1.9.4

Also required for bug 495798.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2014-02-18 11:03:06 UTC
Stable for HPPA.
Comment 7 Agostino Sarubbo gentoo-dev 2014-02-20 10:24:04 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-02-20 10:24:18 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-02-20 14:04:26 UTC
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-02-20 14:05:27 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-02-22 07:31:23 UTC
arm stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-02-22 07:36:00 UTC
alpha stable
Comment 13 Agostino Sarubbo gentoo-dev 2014-02-22 07:36:46 UTC
ia64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2014-02-22 07:41:01 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 15 Samuli Suominen (RETIRED) gentoo-dev 2014-04-05 19:24:25 UTC
(In reply to Agostino Sarubbo from comment #14)
> sparc stable.
> 
> Maintainer(s), please cleanup.
> Security, please add it to the existing request, or file a new one.

cleanup done
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2014-06-19 02:32:11 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2014-06-25 20:53:39 UTC
This issue was resolved and addressed in
 GLSA 201406-22 at http://security.gentoo.org/glsa/glsa-201406-22.xml
by GLSA coordinator Mikle Kolyada (Zlogene).