Bug 885893 (CVE-2012-6303)

Summary: CVE-2012-6303 tcl-snack: multiple buffer overflows
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: tcallawa
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20120712,reported=20121210,source=oss-security,cvss2=2.1/AV:L/AC:L/Au:N/C:N/I:N/A:P,fedora-all/tcl-snack=affected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 885894    
Bug Blocks:    
Attachments:
Description Flags
Proposed patch by Michael Karcher to fix CVE-2012-6303 none

Description Vincent Danen 2012-12-10 17:41:44 EST
CVE-2012-6303 was assigned by MITRE to multiple buffer overflows in WaveSurfer (not shipped) and the Snack Sound Toolkit (tcl-snack):

Disclosures:    http://www.exploit-db.com/exploits/19772/
                http://secunia.com/advisories/49889/
Product source: http://www.speech.kth.se/snack/
                http://wavesurfer.svn.sourceforge.net/viewvc/wavesurfer/trunk/wavesurfer/
                (The www.speech.kth.se site refers to "Snack v2.2.10
                 released December 01 Bug fix release" but this is
                 apparently about December 01 2004 -- not about a 2012
                 release.)

No fix is available as of yet.

Also note that the only things that use tcl-snack in Fedora is amsn and coccinella, but I couldn't find a way to change the sounds that play, which means the end user would need to download this crafted sound file from somewhere and associate it as a sound in either program somehow (possibly these IM clients will play remote sounds as well, not sure).  Also, there is a python-snack that makes use of tcl-snack, but I'm unaware of any programs that use python-snack.
Comment 1 Vincent Danen 2012-12-10 17:42:23 EST
Created tcl-snack tracking bugs for this issue

Affects: fedora-all [bug 885894]
Comment 2 John Paul Adrian Glaubitz 2013-01-01 19:22:44 EST
Created attachment 671186 [details]
Proposed patch by Michael Karcher to fix CVE-2012-6303

Hi,

I am attaching a patch created by Michael Karcher which fixes the problem. I have tested his patch on Debian with libsnack 2.2.10 and WaveSurfer 1.8.8p3, the crashes do no longer occur.

I have uploaded the updated snack package into Debian already. Please review and hopefully apply the patch in Fedora as well.

Cheers,

Adrian
Comment 3 Fedora Update System 2013-01-11 19:41:03 EST
tcl-snack-2.2.10-17.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2013-01-12 10:10:01 EST
tcl-snack-2.2.10-17.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2013-01-12 10:19:53 EST
tcl-snack-2.2.10-17.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.