Bug 131191 - media-sound/abcm2ps: buffer overflow (CVE-2006-1513)
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.debian.org/security/2006/d...
Whiteboard: B2 [ebuild+]
Keywords:
Depends on:
Blocks:
 
Reported: 2006-04-25 00:38 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2006-05-14 09:47 UTC
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-04-25 00:38:43 UTC
Erik Sjölund discovered that abc2ps, a translator for ABC music
description files into PostScript, does not check the boundaries when
reading in ABC music files resulting in buffer overflows.

http://www.debian.org/security/2006/dsa-1041


I apologize if this is a dup of a confidential bug.
Comment 2 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-04-25 00:41:33 UTC
The patch may be available from debian sources. Don't have the time to check this atm.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2006-05-09 10:23:26 UTC
sound team please advise
Comment 4 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-05-09 10:35:49 UTC
Can I cry, as Debian patches are always a pita? :|

I'll see what I can do in a sec...
Comment 5 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-05-09 10:38:01 UTC
Uh wait... is that the same package? Because the URL refers to "abc2ps", while this bug to "abcm2ps", the version numbers are completely different...
We don't even have an abc2ps in portage.
Comment 6 Thomas Cort (RETIRED) gentoo-dev 2006-05-09 10:46:44 UTC
(In reply to comment #2)
> sound team please advise

media-sound/abcm2ps-3.7.21 is based on abc2ps version 1.2.5. The Debian patch fixes the unbounded sscanf() calls in abc2ps.c in abc2ps-1.3.3, but abcm2ps-3.7.21 (the one we have in portage) still has unbounded sscanf() calls, so it is vulnerable. As far as I can tell there is no patch for it yet; I'll work on one today.
Comment 7 Thomas Cort (RETIRED) gentoo-dev 2006-05-09 11:00:41 UTC
(In reply to comment #5)
> it is vulnerable.

Actually it isn't. I was looking at the wrong source code, sorry. Upon further inspection I found that abcm2ps only calls sscanf to read strings once and they are both bounded. Sorry for the confusion.
Comment 8 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-09 13:30:13 UTC
(In reply to comment #6)
> Actually it isn't. 

OK. So, resolved+invalid? Sec team, confirm?
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2006-05-14 09:47:20 UTC
invalid then