
Bug 410809 (CVE-2012-2106)

Summary: <media-sound/csound-5.17.2 : pv_import Integer Overflow Vulnerability (CVE-2012-2106)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: proaudio, radhermit
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://secunia.com/advisories/48719/
Whiteboard: ~2 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2012-04-04 19:04:19 UTC
From the Secunia security advisory at $URL:

Description
Secunia Research has discovered a vulnerability in Csound, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an integer overflow error in the pv_import utility within the "pv_import()" function (util/pv_import.c) and can be exploited to cause a heap-based buffer overflow.

Successful exploitation may allow execution of arbitrary code, but requires tricking a user into converting a specially crafted file.

The vulnerability is confirmed in version 5.16.6. Other versions may also be affected.


Solution
Do not process files from untrusted sources.
Comment 1 Tim Harder gentoo-dev 2012-12-22 09:17:36 UTC
@security: This can probably be closed since it should be fixed in recent versions in the tree.
Comment 2 Agostino Sarubbo gentoo-dev 2012-12-22 09:21:05 UTC
(In reply to comment #1)
> @security: This can probably be closed since it should be fixed in recent
> versions in the tree.

Which version exactly fixes it?
Comment 3 Tim Harder gentoo-dev 2012-12-22 09:31:37 UTC
(In reply to comment #2)
> (In reply to comment #1)
> > @security: This can probably be closed since it should be fixed in recent
> > versions in the tree.
> 
> Which version exactly fixes it?

>=5.17
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2014-02-13 15:46:28 UTC
CVE-2012-2106 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2106):
  Integer overflow in the pv_import function in util/pv_import.c in Csound
  5.16.6, when converting a file, allows remote attackers to execute arbitrary
  code via a crafted file, which triggers a heap-based buffer overflow.
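
The advisory describes a size calculation that wraps before a heap allocation. The following C code is an added example, not Csound's code and not part of this bug report; the function names, the 32-bit size arithmetic and the `MAX_FRAME_SIZE` limit are assumptions, chosen to show the unchecked pattern beside a checked one for a frame size declared in an input file.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed upper bound for a frame size declared in an input file. */
#define MAX_FRAME_SIZE (1u << 20)

/* Unchecked pattern: the byte count is computed in 32-bit arithmetic, so a
 * large declared size wraps and the result is far smaller than intended. */
uint32_t unchecked_bytes(uint32_t frame_size)
{
    return frame_size * (uint32_t)sizeof(float);
}

/* Checked pattern: bound the declared size first, then multiply in size_t
 * with an explicit overflow test. Returns 0 on success, -1 on rejection. */
int checked_bytes(uint32_t frame_size, size_t *out)
{
    if (frame_size == 0 || frame_size > MAX_FRAME_SIZE)
        return -1;
    if ((size_t)frame_size > SIZE_MAX / sizeof(float))
        return -1;
    *out = (size_t)frame_size * sizeof(float);
    return 0;
}

/* Allocate a zeroed frame buffer; NULL when the declared size is rejected. */
float *alloc_frame(uint32_t frame_size, size_t *count)
{
    size_t bytes;
    if (checked_bytes(frame_size, &bytes) != 0)
        return NULL;
    *count = bytes / sizeof(float);
    return calloc(*count, sizeof(float));
}

int main(void)
{
    uint32_t declared = 0x40000001u; /* constructed sample header value */
    size_t count = 0;
    float *frame = alloc_frame(declared, &count);

    printf("declared %u floats, unchecked size = %u bytes\n",
           (unsigned)declared, (unsigned)unchecked_bytes(declared));
    printf("checked allocation: %s\n", frame ? "accepted" : "rejected");
    free(frame);
    return 0;
}
```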