Summary: media-sound/audacity <1.3.6 Buffer overflow in String_parse::get_nonspace_quoted() (CVE-2009-0490)
Product: Gentoo Security
Reporter: Matti Bickel (RETIRED) <mabi>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: craig, proaudio, sound
Package list:
Runtime testing required: ---
Description Matti Bickel (RETIRED) 2009-01-02 22:32:51 UTC
From Secunia:

TITLE: Audacity "String_parse::get_nonspace_quoted()" Buffer Overflow
SECUNIA ADVISORY ID: SA33356
VERIFY ADVISORY: http://secunia.com/advisories/33356/
CRITICAL: Moderately critical
IMPACT: System access
WHERE: From remote
SOFTWARE: Audacity 1.x
http://secunia.com/advisories/product/12965/

DESCRIPTION: A vulnerability has been discovered in Audacity, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error within the "String_parse::get_nonspace_quoted()" function in lib-src/allegro/strparse.cpp. This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into importing a specially crafted *.gro file. The vulnerability is confirmed in version 1.2.6. Other versions may also be affected.

SOLUTION: Do not import untrusted *.gro files.

PROVIDED AND/OR DISCOVERED BY: Houssamix

ORIGINAL ADVISORY: http://www.milw0rm.com/exploits/7634
Comment 1 Matti Bickel (RETIRED) 2009-01-02 22:34:42 UTC
While the advisory is for 1.2.6, there is no change between at least versions 1.3.5 and 1.2.6 in this function.
Comment 2 Matti Bickel (RETIRED) 2009-01-02 22:35:29 UTC
Comment 3 Richard Ash 2009-01-10 22:55:18 UTC
1.3.6 dumps the whole lib-src/allegro/ library and replaces it with lib-src/portsmf/. I don't yet know whether this bug also exists in the replacement library code (it is possible as the code has common parentage).
Comment 4 Robert Buchholz (RETIRED) 2009-01-13 16:28:19 UTC
It seems to be only a renamed and slightly modified version of the allegro library.
Comment 5 Richard Ash 2009-01-13 19:58:34 UTC
In some terms it is, however strparse.cpp was significantly re-written to use std::string rather than char* arrays, and so the bug does not exist in the same way (a file with large character sequences may be memory hungry because of the allocation of large strings, and will ultimately give an error for a malformed file, but will not cause stack corruption). Thus this report does not apply to audacity 1.3.6 or the forthcoming 1.3.7 release. Unfortunately the 1.3.6 ebuild currently in portage only works with portage 2.2, which is an unspecified long way off; otherwise stabilising that would be the obvious solution.
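As an added illustration of the std::string approach described in comment 5 (this is a hypothetical tokenizer written for this page, not Audacity's allegro or portsmf code): a get_nonspace_quoted-style routine that accumulates the token in a std::string, so an over-long or unterminated quoted token produces a large heap allocation or a parse error instead of overrunning a fixed stack buffer.

```cpp
#include <cstddef>
#include <string>
#include <utility>
// Hypothetical tokenizer in the spirit of String_parse::get_nonspace_quoted()
// (an illustration, not Audacity's or portsmf's code): skip blanks, then read
// one token; a token opened with '"' runs to the closing quote and may contain
// backslash-escaped characters, any other token runs to the next blank.
struct StringParse {
    std::string str;
    std::size_t pos = 0;
    explicit StringParse(std::string s) : str(std::move(s)) {}
    void skip_space() {
        while (pos < str.size() && (str[pos] == ' ' || str[pos] == '\t')) ++pos;
    }
    // Returns false at end of input or on an unterminated quoted token, so a
    // malformed file yields an error. The token grows a std::string on the
    // heap rather than a fixed char[] on the caller's stack, so length is
    // bounded only by available memory, never by a silently overrun buffer.
    bool get_nonspace_quoted(std::string &out) {
        out.clear();
        skip_space();
        if (pos >= str.size()) return false;
        if (str[pos] == '"') {
            ++pos;
            while (pos < str.size() && str[pos] != '"') {
                if (str[pos] == '\\' && pos + 1 < str.size()) ++pos; // escaped char
                out += str[pos++];
            }
            if (pos >= str.size()) return false; // no closing quote: malformed
            ++pos;                                // consume closing quote
        } else {
            while (pos < str.size() && str[pos] != ' ' && str[pos] != '\t')
                out += str[pos++];
        }
        return true;
    }
};
// Helpers for exercising the parser on a constructed line: the first token
// (empty when the parser reports an error) and whether parsing succeeded.
std::string first_token(const std::string &line) {
    StringParse p(line);
    std::string tok;
    return p.get_nonspace_quoted(tok) ? tok : std::string();
}
bool first_token_ok(const std::string &line) {
    StringParse p(line);
    std::string tok;
    return p.get_nonspace_quoted(tok);
}
```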
Comment 6 Robert Buchholz (RETIRED) 2009-01-13 21:02:02 UTC
Richard, if you refer to portage 2.2 because of EAPI=2, be advised that portage 22.214.171.124 and later also support EAPI=2 and are stable in the tree now, so that is no blocker.
Comment 7 Robert Buchholz (RETIRED) 2009-02-04 13:34:38 UTC
media-sound, are you ok with 1.3.6 to go stable?
Comment 8 Robert Buchholz (RETIRED) 2009-02-11 17:52:21 UTC
*** Bug 258597 has been marked as a duplicate of this bug. ***
Comment 9 Alexis Ballier 2009-02-11 17:58:10 UTC
(In reply to comment #7)
> media-sound, are you ok with 1.3.6 to go stable?
You cc'ed the wrong herd; but it's ok to get 1.3.6 stable from my pov.
Comment 10 Robert Buchholz (RETIRED) 2009-02-11 17:58:44 UTC
Arches, please test and mark stable:
=media-sound/audacity-1.3.6
Target keywords: "amd64 hppa ppc ppc64 sparc x86"

hppa, you'll also need:
=media-libs/liblrdf-0.4.0
=media-libs/raptor-1.4.18
Comment 11 Robert Buchholz (RETIRED) 2009-02-11 17:59:50 UTC
(In reply to comment #9)
> you cc'ed the wrong herd; but it's ok to get 1.3.6 stable from my pov.
True, my bad.
Comment 12 Brent Baude (RETIRED) 2009-02-12 16:15:40 UTC
It fails configure for me on ppc64:

configure: Using LOCAL libraries for PORTSMF
configure: error: Audacity requires expat to be enabled

rbu suggested we edit the ebuild with --with-expat=system but I'll leave that to the pkg owner.
Comment 13 Jeroen Roovers 2009-02-12 17:42:55 UTC
Stable for HPPA.
Comment 14 Alexis Ballier 2009-02-13 07:21:26 UTC
(In reply to comment #12)
> it fails configure for me on ppc64
>
> configure: Using LOCAL libraries for PORTSMF
> configure: error: Audacity requires expat to be enabled
>
> rbu suggested we edit the ebuild with --with-expat=system but i'll leave that
> to the pkg owner.
I've updated this, thanks. However, from what I understand it shouldn't change anything since there is no bundled expat; can you attach config.log if it still fails?
Comment 15 Brent Baude (RETIRED) 2009-02-14 17:58:08 UTC
ppc and ppc64 done
Comment 16 Markus Meier 2009-02-14 20:50:59 UTC
Comment 17 Raúl Porcel (RETIRED) 2009-02-18 16:38:41 UTC
Comment 18 Tobias Heinlein (RETIRED) 2009-03-05 20:20:07 UTC
GLSA request filed.
Comment 19 Tobias Heinlein (RETIRED) 2009-03-06 22:44:54 UTC
GLSA 200903-03, thanks everyone, sorry about the delay.