Bug 484951 (CVE-2009-0490)

Summary: CVE-2009-0490 audacity: stack-based buffer overflow
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bugs.michael, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0490
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-06-21 09:59:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 484952, 484953, 484954    
Bug Blocks:    

Description Vincent Danen 2009-02-10 20:35:07 UTC 
Name: CVE-2009-0490
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0490
Assigned: 20090209
Reference: MILW0RM:7634
Reference: URL: http://www.milw0rm.com/exploits/7634
Reference: MLIST:[audacity-devel] 20090110 Audacity "String_parse::get_nonspace_quoted()" Buffer Overflow
Reference: URL: http://n2.nabble.com/Audacity-%22String_parse::get_nonspace_quoted()%22-Buffer-Overflow-td2139537.html
Reference: CONFIRM: http://bugs.gentoo.org/show_bug.cgi?id=253493
Reference: BID:33090
Reference: URL: http://www.securityfocus.com/bid/33090
Reference: FRSIRT:ADV-2009-0008
Reference: URL: http://www.frsirt.com/english/advisories/2009/0008
Reference: OSVDB:51070
Reference: URL: http://osvdb.org/51070
Reference: SECUNIA:33356
Reference: URL: http://secunia.com/advisories/33356

Stack-based buffer overflow in the String_parse::get_nonspace_quoted
function in lib-src/allegro/strparse.cpp in Audacity 1.2.6 and other
versions before 1.3.6 allows remote attackers to cause a denial of
service (crash) and possibly execute arbitrary code via a .gro file
containing a long string.

Proof of concept: http://www.milw0rm.com/exploits/7634
Comment 1 Vincent Danen 2009-02-10 20:35:36 UTC 
Created audacity tracking bugs for this issue

CVE-2009-0490 Affects: F10 [bug #484952]
CVE-2009-0490 Affects: F9 [bug #484953]
CVE-2009-0490 Affects: Fdevel [bug #484954]
Comment 2 Vincent Danen 2009-02-10 20:49:14 UTC 
The comments on the audacity-devel list indicate that lib-src/allegro has been removed in favour of the portsmf library (http://n2.nabble.com/Audacity-%22String_parse%3A%3Aget_nonspace_quoted()%22-Buffer-Overflow-tt2139537.html#none), but looking at the source package in Fedora, lib-src/allegro is definitely there, as-is the affected file.  And according to their CVS, it was removed 6mos ago (http://audacity.cvs.sourceforge.net/viewvc/audacity/lib-src/allegro/strparse.cpp?hideattic=0&view=log), so I suspect that 1.3.5 is affected by this but 1.3.6 is not simply due to the removal of the affected library.

Testing on Fedora 10 shows that it does an exit when using the public proof of concept noted above, but the confusing part is that it seems to exit in the same way 1.3.6 does (although I have not tested 1.3.6, this is based on the comments noted on audacity-devel).

The only time things get funny is when running audacity under strace, but it's strace that does the crash:

% strace audacity >out 2>&1
*** glibc detected *** strace: malloc(): memory corruption (fast): 0x00000000018ee460 ***

When running under gdb, it does segfault however (Using File -> Import -> MIDI).  I don't have the debuginfo packages installed on my laptop to indicate exactly where the crash is happening.
Comment 3 Vincent Danen 2009-02-10 21:08:36 UTC 
Drop the priority to moderate as this would require end-user interaction to do much of anything.
Comment 4 Michael Schwendt 2009-06-21 09:59:04 UTC 
Audacity 1.3.7-beta in Fedora 9 and newer is not affected.

Next time please make sure the package co-owners are put into the bugzilla CC list.