
Bug 253493 (CVE-2009-0490)

Summary: media-sound/audacity <1.3.6 Buffer overflow in String_parse::get_nonspace_quoted() (CVE-2009-0490)
Product: Gentoo Security
Reporter: Matti Bickel (RETIRED) <mabi>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: craig, proaudio, sound
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/33356/
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Matti Bickel (RETIRED) gentoo-dev 2009-01-02 22:32:51 UTC
From Secunia:

TITLE:
Audacity "String_parse::get_nonspace_quoted()" Buffer Overflow

SECUNIA ADVISORY ID:
SA33356

VERIFY ADVISORY:
http://secunia.com/advisories/33356/

CRITICAL:
Moderately critical

IMPACT:
System access

WHERE:
From remote

SOFTWARE:
Audacity 1.x
http://secunia.com/advisories/product/12965/

DESCRIPTION:
A vulnerability has been discovered in Audacity, which can be
exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error within the
"String_parse::get_nonspace_quoted()" function in
lib-src/allegro/strparse.cpp. This can be exploited to cause a
stack-based buffer overflow by e.g. tricking a user into importing a
specially crafted *.gro file.

The vulnerability is confirmed in version 1.2.6. Other versions may
also be affected.

SOLUTION:
Do not import untrusted *.gro files.

PROVIDED AND/OR DISCOVERED BY:
Houssamix

ORIGINAL ADVISORY:
http://www.milw0rm.com/exploits/7634
Comment 1 Matti Bickel (RETIRED) gentoo-dev 2009-01-02 22:34:42 UTC
While the advisory is for 1.2.6, there is no change between at least versions 1.3.5 and 1.2.6 in this function.
Comment 2 Matti Bickel (RETIRED) gentoo-dev 2009-01-02 22:35:29 UTC
Update URL
Comment 3 Richard Ash 2009-01-10 22:55:18 UTC
1.3.6 dumps the whole lib-src/allegro/ library and replaces it with lib-src/portsmf/. I don't yet know whether this bug also exists in the replacement library code (it is possible as the code has common parentage).
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-01-13 16:28:19 UTC
It seems to be only a renamed and slightly modified version of the allegro library.
Comment 5 Richard Ash 2009-01-13 19:58:34 UTC
In some terms it is, however strparse.cpp was significantly re-written to use std::string rather than char* arrays, and so the bug does not exist in the same way (a file with large character sequences may be memory hungry because of the allocation of large strings, and will ultimately give an error for a malformed file, but will not cause stack corruption). Thus this report does not apply to audacity 1.3.6 or the forthcoming 1.3.7 release.

Unfortunately the 1.3.6 ebuild currently in portage only works with portage 2.2 which is an unspecified long way off, otherwise stabilising that would be the obvious solution.
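The two parser shapes contrasted in the advisory's description and in comment 5 (a fixed char* buffer versus a growing std::string), as an added example that is not Audacity's strparse.cpp and not code from anyone on this bug. The function names, the token grammar (a run of non-space characters in which a double-quoted span may contain spaces), the 64-byte buffer and the 1000-character test input are all constructed for illustration. The C-style version shows where the bound must be checked; the stack-overflow class in the report is the same loop with that check absent. The std::string version shows the behaviour comment 5 describes, plus a length cap so an oversize token becomes a clean parse error rather than a large allocation.

```cpp
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

// Hypothetical tokenizer in the shape the advisory describes: read one run of
// non-space characters, where a double-quoted span may itself contain spaces.
// Constructed for illustration; not Audacity's strparse.cpp.

// C-style form with a caller-supplied fixed buffer. The stack-overflow class in
// the report is this loop with the `n + 1 >= out_len` check missing; here the
// bound is enforced and an oversize token is refused instead of overrunning.
// Returns true if a token was copied into out (NUL-terminated), false on
// end-of-input or when the token would not fit.
bool get_nonspace_quoted_bounded(const std::string &input, size_t &pos,
                                 char *out, size_t out_len)
{
    if (out_len == 0) return false;
    while (pos < input.size() && std::isspace((unsigned char)input[pos])) pos++;
    if (pos >= input.size()) return false;
    size_t n = 0;
    bool quoted = false;
    while (pos < input.size()) {
        char c = input[pos];
        if (c == '"') { quoted = !quoted; pos++; continue; }
        if (!quoted && std::isspace((unsigned char)c)) break;
        if (n + 1 >= out_len) return false;   // leave room for the terminator
        out[n++] = c;
        pos++;
    }
    out[n] = '\0';
    return true;
}

// std::string form, as comment 5 describes the rewritten library: the output
// grows on the heap, so there is no fixed stack buffer to overrun. A hostile
// file can still make it allocate a large string; max_len turns that into a
// clean parse error rather than unbounded memory use.
bool get_nonspace_quoted_str(const std::string &input, size_t &pos,
                             std::string &out, size_t max_len)
{
    out.clear();
    while (pos < input.size() && std::isspace((unsigned char)input[pos])) pos++;
    if (pos >= input.size()) return false;
    bool quoted = false;
    while (pos < input.size()) {
        char c = input[pos];
        if (c == '"') { quoted = !quoted; pos++; continue; }
        if (!quoted && std::isspace((unsigned char)c)) break;
        if (out.size() >= max_len) return false;  // malformed/oversize token
        out.push_back(c);
        pos++;
    }
    return true;
}

// Split a whole line into tokens with the std::string parser.
std::vector<std::string> tokenize(const std::string &line, size_t max_len = 4096)
{
    std::vector<std::string> toks;
    std::string tok;
    size_t pos = 0;
    while (get_nonspace_quoted_str(line, pos, tok, max_len)) toks.push_back(tok);
    return toks;
}

// First token of a line through the bounded C-style parser (64-byte buffer).
std::string bounded_first_token(const std::string &line)
{
    char buf[64];
    size_t pos = 0;
    if (!get_nonspace_quoted_bounded(line, pos, buf, sizeof buf)) return "";
    return std::string(buf);
}

// Constructed oversize input: a 1000-character token with no whitespace.
// Both parsers must refuse it rather than overrun or grow without limit.
bool bounded_rejects_oversize()
{
    std::string input(1000, 'A');
    char buf[64];
    size_t pos = 0;
    return !get_nonspace_quoted_bounded(input, pos, buf, sizeof buf);
}

bool string_parser_caps_oversize()
{
    std::string input(1000, 'A'), tok;
    size_t pos = 0;
    return !get_nonspace_quoted_str(input, pos, tok, 256);
}

int main()
{
    for (const std::string &t : tokenize("note \"C sharp minor\" 440"))
        std::printf("[%s]\n", t.c_str());
    std::printf("bounded rejects oversize: %d\n", bounded_rejects_oversize());
    std::printf("string parser caps oversize: %d\n", string_parser_caps_oversize());
    return 0;
}
```

The point for a reviewer of either version is the same: the loop that copies characters has to compare against something (the buffer length or a cap) before each store, and the failure path should be a rejected file, not a truncated or overrun token.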
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2009-01-13 21:02:02 UTC
Richard, if you refer to portage 2.2 because of EAPI=2, be advised that portage 2.1.6.4 and later also support EAPI=2 and are stable in the tree now, so that is no blocker.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-02-04 13:34:38 UTC
media-sound, are you ok with 1.3.6 to go stable?
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2009-02-11 17:52:21 UTC
*** Bug 258597 has been marked as a duplicate of this bug. ***
Comment 9 Alexis Ballier gentoo-dev 2009-02-11 17:58:10 UTC
(In reply to comment #7)
> media-sound, are you ok with 1.3.6 to go stable?

you cc'ed the wrong herd; but it's ok to get 1.3.6 stable from my pov.

Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2009-02-11 17:58:44 UTC
Arches, please test and mark stable:
=media-sound/audacity-1.3.6
Target keywords : "amd64 hppa ppc ppc64 sparc x86"

hppa, you'll also need
=media-libs/liblrdf-0.4.0
=media-libs/raptor-1.4.18
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2009-02-11 17:59:50 UTC
(In reply to comment #9)
> you cc'ed the wrong herd; but its ok to get 1.3.6 stable from my pov.

true, my bad.
Comment 12 Brent Baude (RETIRED) gentoo-dev 2009-02-12 16:15:40 UTC
it fails configure for me on ppc64

configure: Using LOCAL libraries for PORTSMF
configure: error: Audacity requires expat to be enabled

rbu suggested we edit the ebuild with --with-expat=system but I'll leave that to the pkg owner.
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2009-02-12 17:42:55 UTC
Stable for HPPA.
Comment 14 Alexis Ballier gentoo-dev 2009-02-13 07:21:26 UTC
(In reply to comment #12)
> it fails configure for me on ppc64
> 
> configure: Using LOCAL libraries for PORTSMF
> configure: error: Audacity requires expat to be enabled
> 
> rbu suggested we edit the ebuild with --with-expat=system but i'll leave that
> to the pkg owner.

I've updated this, thanks. However, from what I understand it shouldn't change anything since there is no bundled expat; can you attach config.log if it still fails?

Comment 15 Brent Baude (RETIRED) gentoo-dev 2009-02-14 17:58:08 UTC
ppc and ppc64 done
Comment 16 Markus Meier gentoo-dev 2009-02-14 20:50:59 UTC
amd64/x86 stable
Comment 17 Raúl Porcel (RETIRED) gentoo-dev 2009-02-18 16:38:41 UTC
sparc stable
Comment 18 Tobias Heinlein (RETIRED) gentoo-dev 2009-03-05 20:20:07 UTC
GLSA request filed.
Comment 19 Tobias Heinlein (RETIRED) gentoo-dev 2009-03-06 22:44:54 UTC
GLSA 200903-03, thanks everyone, sorry about the delay.