As per $URL, MITRE has assigned CVE-2012-6303 to buffer overflow vulnerabilities in Snack which could result in user-assisted execution of arbitrary code.
*** Bug 446870 has been marked as a duplicate of this bug. ***
Created attachment 334962 [details] Script to generate the wav file
+*snack-2.2.10-r5 (09 Jan 2013) + + 09 Jan 2013; Justin Lecher <jlec@gentoo.org> +snack-2.2.10-r5.ebuild, + +files/snack-2.2.10-CVE-2012-6303-fix.patch, metadata.xml: + Add fix from Fedora for CVE-2012-6303, #446822 +
Created attachment 334964 [details] script to trigger the DOS ot check for its fix.
Its fixed now. Test scripts are attached.
(In reply to comment #5) > Its fixed now. Test scripts are attached. Thanks, Justin. Is this version ready for stabilization?
(In reply to comment #6) > (In reply to comment #5) > > Its fixed now. Test scripts are attached. > > Thanks, Justin. Is this version ready for stabilization? Only the code fix for this issue is new. So I would say yes.
Arches, please test and mark stable: =dev-tcltk/snack-2.2.10-r5
Stable for HPPA.
amd64 stable
x86 stable
ppc64 stable
ppc stable
sparc stable
alpha stable
New GLSA request filed.
This issue was resolved and addressed in GLSA 201309-04 at http://security.gentoo.org/glsa/glsa-201309-04.xml by GLSA coordinator Sergey Popov (pinkbyte).
CVE-2012-6303 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6303): Heap-based buffer overflow in the GetWavHeader function in generic/jkSoundFile.c in the Snack Sound Toolkit, as used in WaveSurfer 1.8.8p4, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large chunk size in a WAV file.
