Audacity "String_parse::get_nonspace_quoted()" Buffer Overflow
SECUNIA ADVISORY ID:
A vulnerability has been discovered in Audacity, which can be
exploited by malicious people to compromise a user's system.
The vulnerability is caused by a boundary error within the
"String_parse::get_nonspace_quoted()" function in
lib-src/allegro/strparse.cpp. This can be exploited to cause a
stack-based buffer overflow by e.g. tricking a user into importing a
specially crafted *.gro file.
The vulnerability is confirmed in version 1.2.6. Other versions may
also be affected.
Do not import untrusted *.gro files.
PROVIDED AND/OR DISCOVERED BY:
While the advisory is for 1.2.6, there is no change between at least versions 1.3.5 and 1.2.6 in this function.
1.3.6 dumps the whole lib-src/allegro/ library and replaces it with lib-src/portsmf/. I don't yet know whether this bug also exists in the replacement library code (it is possible as the code has common parentage).
It seems to be only a renamed and slightly modified version of the allegro library.
In some terms it is; however, strparse.cpp was significantly re-written to use std::string rather than char* arrays, and so the bug does not exist in the same way (a file with large character sequences may be memory hungry because of the allocation of large strings, and will ultimately give an error for a malformed file, but will not cause stack corruption). Thus this report does not apply to Audacity 1.3.6 or the forthcoming 1.3.7 release.
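As an added illustration of the defensive pattern described above (a std::string-based tokenizer instead of a fixed char* buffer), here is a small hypothetical "get nonspace quoted" parser. It is not Audacity's, Allegro's or portsmf's code; the token grammar (whitespace-separated tokens, with a quoted run taken literally) and the `StringParse`/`tokenize` names and the 4096-byte cap are assumptions made for the example. The point it demonstrates is the behaviour the comment describes: an oversized or malformed token from an untrusted file becomes an error rather than an out-of-bounds write.

```cpp
#include <cctype>
#include <cstddef>
#include <iostream>
#include <optional>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical tokenizer in the spirit of the std::string rewrite described
// in the thread. It is NOT Audacity's or portsmf's code: the token grammar
// of the Allegro *.gro reader is assumed here, not copied.
//
// Semantics assumed: skip leading whitespace, then collect characters up to
// the next whitespace; a run delimited by `quote` is taken literally, spaces
// included, and the quote characters themselves are dropped.
class StringParse {
public:
    explicit StringParse(std::string text, std::size_t max_token = 4096)
        : str_(std::move(text)), pos_(0), max_token_(max_token) {}

    // Returns the next token, or std::nullopt at end of input.
    // Throws std::runtime_error on an unterminated quote or on a token
    // longer than max_token_: a malformed or hostile file becomes an error,
    // never a write past the end of a buffer.
    std::optional<std::string> get_nonspace_quoted(char quote = '"') {
        skip_space();
        if (pos_ >= str_.size()) return std::nullopt;

        std::string result;  // heap-backed and growable: no fixed stack buffer
        while (pos_ < str_.size() && !is_space(str_[pos_])) {
            const char c = str_[pos_++];
            if (c == quote) {
                const std::size_t close = str_.find(quote, pos_);
                if (close == std::string::npos)
                    throw std::runtime_error("unterminated quote");
                result.append(str_, pos_, close - pos_);
                pos_ = close + 1;
            } else {
                result.push_back(c);
            }
            // Cap token length so a crafted file cannot exhaust memory either.
            if (result.size() > max_token_)
                throw std::runtime_error("token exceeds maximum length");
        }
        return result;
    }

private:
    static bool is_space(char c) {
        return std::isspace(static_cast<unsigned char>(c)) != 0;
    }
    void skip_space() {
        while (pos_ < str_.size() && is_space(str_[pos_])) ++pos_;
    }

    std::string str_;
    std::size_t pos_;
    std::size_t max_token_;
};

// Tokenizes a whole buffer into `out`. Returns false (leaving `out` with the
// tokens read so far) instead of propagating the exception, so a caller can
// report a bad file and carry on.
bool tokenize(const std::string& text, std::vector<std::string>& out,
              std::size_t max_token = 4096) {
    StringParse parser(text, max_token);
    try {
        while (auto tok = parser.get_nonspace_quoted()) out.push_back(*tok);
        return true;
    } catch (const std::runtime_error&) {
        return false;
    }
}

int main() {
    // Constructed sample input: a well-formed line, then an oversized token.
    std::vector<std::string> toks;
    std::cout << "well-formed: " << tokenize("  track \"Piano 1\" 120", toks)
              << " (" << toks.size() << " tokens)\n";
    std::vector<std::string> junk;
    std::cout << "oversized:   " << tokenize(std::string(100000, 'A'), junk, 4096)
              << " (rejected, no stack corruption)\n";
    return 0;
}
```

The behaviour to note is that the 100,000-byte token is rejected by the length cap after at most 4097 bytes have been appended to a heap string, which is exactly the "memory hungry but no stack corruption" outcome the comment describes for the std::string rewrite.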
Unfortunately the 1.3.6 ebuild currently in portage only works with portage 2.2 which is an unspecified long way off, otherwise stabilising that would be the obvious solution.
Richard, if you refer to portage 2.2 because of EAPI=2, be advised that portage 18.104.22.168 and later also support EAPI=2 and are stable in the tree now, so that is no blocker.
media-sound, are you ok with 1.3.6 to go stable?
*** Bug 258597 has been marked as a duplicate of this bug. ***
(In reply to comment #7)
> media-sound, are you ok with 1.3.6 to go stable?
you cc'ed the wrong herd; but it's ok to get 1.3.6 stable from my pov.
Arches, please test and mark stable:
Target keywords : "amd64 hppa ppc ppc64 sparc x86"
hppa, you'll also need
(In reply to comment #9)
> you cc'ed the wrong herd; but it's ok to get 1.3.6 stable from my pov.
true, my bad.
it fails configure for me on ppc64
configure: Using LOCAL libraries for PORTSMF
configure: error: Audacity requires expat to be enabled
rbu suggested we edit the ebuild with --with-expat=system but I'll leave that to the pkg owner.
Stable for HPPA.
(In reply to comment #12)
> it fails configure for me on ppc64
> configure: Using LOCAL libraries for PORTSMF
> configure: error: Audacity requires expat to be enabled
> rbu suggested we edit the ebuild with --with-expat=system but I'll leave that
> to the pkg owner.
I've updated this, thanks. However, from what I understand it shouldn't change anything since there is no bundled expat; can you attach config.log if it still fails?
ppc and ppc64 done
GLSA request filed.
GLSA 200903-03, thanks everyone, sorry about the delay.