Bug 152759

Multiple buffer overflows in Sound eXchange (SoX) 12.17.2 through 12.17.4 allow
remote attackers to execute arbitrary code via certain WAV file header fields.

Info:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0557
https://rhn.redhat.com/errata/RHSA-2004-409.html



------- Additional Comments From ckelley 2004-08-05 06:09:14 ----

Proposed fix:  http://www.ibnads.com/fedora_legacy/sox/



------- Additional Comments From ckelley 2004-08-05 06:25:51 ----

Sorry, forgot to include the details:

I built this against redhat 7.3 (which previously used sox-12.17.3).  It
addresses the CAN-2004-0557 issue as well as including /usr/bin/soxmix in the
%files section.  Redhat 9 ships with sox-12.17.3-11; and this seems to build
just fine on it as well.

This is my first submission to the fedora-legacy project, so any criticizm would
be most appreciated.  Thanks.



------- Additional Comments From dwb7.edu 2004-08-30 09:26:47 ----

Hi. Please make sha1sums of the rpms and srms and put these in an email signed
with your pgp key.

Thanks!



------- Additional Comments From dwb7.edu 2004-08-30 09:31:31 ----

Oh, yes. And, if you could make pkgs with the legacy name in them as well.

Thanks, again.



------- Additional Comments From dwb7.edu 2004-08-30 09:43:59 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Build packages for RH7.3 using included patch in the bug report:

f8a578a1facbae53395ed5554b44e32642cd2e74 *sox-12.17.3-4.legacy.i386.rpm
88b4b394be16b95278af1372afaee6255132d598 *sox-12.17.3-4.legacy.src.rpm
26630d166650479e951567bb3ef120bd2db439cc *sox-devel-12.17.3-4.legacy.i386.rpm

download from 
http://cf.ccmr.cornell.edu/publicdownloads/fedoralegacy-testing/sox

- -DWB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBM4NiSY7s7uPf/IURAlrcAKCGB2asiHFHOmw94bGG31lYkbuEEQCfXsvd
ZsgmEH+8J+fti5pmrm7K+xw=
=6HQd
-----END PGP SIGNATURE-----




------- Additional Comments From ckelley 2004-08-31 10:00:07 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
                                                                                
Package builds just fine; spec file looks ok (although, it's still
missing soxmix in the %files section); the CAN patch applies nicely.
                                                                                
It fixes the hole:
 
[ink@terrence sox]$ ./exploit Bathwater.wav evil.wav /bin/bash
[+] Sox Exploiter by Rosiello Security
[+] Opened Bathwater.wav size : 42829964
[+] Coded by rave & Angelo Rosiello
[+] Writing evil code into evil.wav
[+] Org sizefield = 0 new sizefield = 258
[+] Overflowing the buffer with 128 Bytes
[+] Executing /usr/bin/sox
[+] Connecting to localhost
[-] Exploit failed
[ink@terrence sox]$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
 
iD8DBQFBNNihyQ+yTHz+jJkRAlHmAKCJIKdLvXbq9pIZ4AWaSZkxLmE/FACgj5Q0
SxgZN1X50Fzhr2HI0VM0NM8=
=1z/B
-----END PGP SIGNATURE-----




------- Additional Comments From ckelley 2004-08-31 11:12:28 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
This looks good to PUBLISH
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
 
iD8DBQFBNOlsyQ+yTHz+jJkRAjtBAJ95P2jLRp8jQ3bDwv06t/iYo86MGgCeJdLC
XA/1aTpRE9HluxjC5Acrm5A=
=xSKI
-----END PGP SIGNATURE-----




------- Additional Comments From dom 2004-09-10 07:23:39 ----

Note: above report does not include sha1sums, not usable.



------- Additional Comments From marcdeslauriers 2004-09-12 17:24:13 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA testing on the 7.3 package:

88b4b394be16b95278af1372afaee6255132d598 *sox-12.17.3-4.legacy.src.rpm

- - Sources match previous release
- - Patch matches RHEL patch
- - Spec file looks good
- - Builds and installs OK

My only comment is we should name this sox-12.17.3-4.1.legacy.src.rpm so we get
a release tag in there...

+PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBRRLuLMAs/0C4zNoRAq+rAKCss282RAWPYEhfk+N2bkwuKep9qgCdEd94
v09DeoGxirnMyKS/xrCiyOQ=
=LQ1S
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2004-09-12 17:24:56 ----

sox for rh9 has an additional patch. I'll upload some rpms for it in a few minutes.



------- Additional Comments From marcdeslauriers 2004-09-12 17:35:37 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are some updated sox rpms for rh9:

Changelog:
* Sun Sep 12 2004 Marc Deslauriers <marcdeslauriers>
12.17.3-11.1.legacy
- - Added CAN-2004-0557 security patch

4149936e22aa06bbb6dc692699ed5dfe627d4d3e  sox-12.17.3-11.1.legacy.i386.rpm
21719e57377d29060a7ba74344a135e944d58d25  sox-12.17.3-11.1.legacy.src.rpm
3931803519706717b7e446ffe9246a69e3b80b6f  sox-devel-12.17.3-11.1.legacy.i386.rpm

http://www.infostrategique.com/linuxrpms/legacy/9/sox-12.17.3-11.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/sox-12.17.3-11.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/sox-devel-12.17.3-11.1.legacy.i386.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBRRWOLMAs/0C4zNoRAmLOAKCai6pEX2bV1RmMNLAp4qbHpPwmlwCglrhP
cB7OTMlFmhSe30lZRBaarOU=
=6DXT
-----END PGP SIGNATURE-----




------- Additional Comments From ckelley 2004-09-28 12:03:57 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
88b4b394be16b95278af1372afaee6255132d598  sox-12.17.3-4.legacy.src.rpm
 
Package builds just fine; spec file looks ok (although, it's still
missing soxmix in the %files section); the CAN patch applies nicely.
 
It fixes the hole:
 
$ ./exploit Bathwater.wav evil.wav /bin/bash
[+] Sox Exploiter by Rosiello Security
[+] Opened Bathwater.wav size : 42829964
[+] Coded by rave & Angelo Rosiello
[+] Writing evil code into evil.wav
[+] Org sizefield = 0 new sizefield = 258
[+] Overflowing the buffer with 128 Bytes
[+] Executing /usr/bin/sox
[+] Connecting to localhost
[-] Exploit failed
$
 
(re-posting with SHA1 sum)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
 
iD8DBQFBWd+4yQ+yTHz+jJkRAlsGAJ9mj4AkZVn5TVQemVRnb4Q7R0g2yQCfZikb
a8A5Us6y+Y43UBVgMoVO0As=
=lmbR
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2004-10-21 16:16:18 ----

Red Hat 7.3 packages will be renamed sox-12.17.3-4.1.legacy.src.rpm when we
build for updates-testing.

What is missing now is RH9 QA.




------- Additional Comments From pekkas 2004-12-15 22:49:57 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
                                                                               
                       
QA of RHL9 SRPM with rpm-build-compare.sh:
 - original sources OK
 - spec file changes trivial and straightforward
 - patch taken directly from the RHEL3 update
                                                                               
                       
+PUBLISH (RHL9)
                                                                               
                       
21719e57377d29060a7ba74344a135e944d58d25  sox-12.17.3-11.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
                                                                               
                       
iD8DBQFBwUv0GHbTkzxSL7QRAhdrAKCpn3qV1ix6FmnIeC2fWBeIxAopswCgnxpH
nPWO9GAGB6DFUP1gHmBgmi4=
=niGI
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2005-02-04 16:26:43 ----

Packages were built and pushed to updates-testing.



------- Additional Comments From mschout 2005-02-05 14:31:34 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Redhat 7.3:

5e0a7fa217885c997e7172017a61ee70ac2301b6 sox-12.17.3-4.1.legacy.i386.rpm
0f383f050988875f273e15d9c0aadd802d88001f sox-devel-12.17.3-4.1.legacy.i386.rpm

* rpm --checksig:
  sox-12.17.3-4.1.legacy.i386.rpm: md5 gpg OK
  sox-devel-12.17.3-4.1.legacy.i386.rpm: md5 gpg OK
* signed by secnotice with valid GPG signature.
* packages install with no errors.
* appears to work normally.  Converted .wav to .au and it  worked as
  expected.  Both files play and sound the same.

+VERIFY RHL7.3
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFCBWVF+CqvSzp9LOwRAo2aAKCZ8TrMpzJPDUMbH0obbpuvbizXeQCgvVE6
EFVfP96R9LNaDd08mB+1rHA=
=uU4y
-----END PGP SIGNATURE-----




------- Additional Comments From mgerber 2005-02-17 10:01:18 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

* sha1sums:
  5e0a7fa217885c997e7172017a61ee70ac2301b6  sox-12.17.3-4.1.legacy.i386.rpm
  0f383f050988875f273e15d9c0aadd802d88001f  sox-devel-12.17.3-4.1.legacy.i386.rpm
* rpm --checksig *.rpm
  sox-12.17.3-4.1.legacy.i386.rpm: md5 gpg OK
  sox-devel-12.17.3-4.1.legacy.i386.rpm: md5 gpg OK
* no errors during install
* no errors while converting and downsampling a test sample

VERIFY RHL73
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCFPdNMNEywxI1brERAgNKAJ9anhrEXkoTw3IvU0I7GPV0QAbnRQCfSL6A
yYiMqLhcbd5mRhon/27iIwOIPwMFAUIU900KOzD6Y3lq+RECA0oAoI26WeSYjcxH
8cKO9szNTSFYgUk9AKCa8R8Mznwl2mlNm9Vlh0wgUEb1gg==
=S82l
-----END PGP SIGNATURE-----



------- Additional Comments From pekkas 2005-02-18 21:51:46 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Quick QA:
 - PGP signature OK
 - installing and converting a random wav worked ok
 - http://packetstormsecurity.nl/0408-exploits/soxWAVFileBufferOverflowExploit.c
   didn't work.

+VERIFY RHL9

42f91c34c3ce2ada6f0119961f92e747d962ab43  sox-12.17.3-11.1.legacy.i386.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFCFu7EGHbTkzxSL7QRAmZ/AJ9MAOJuSs8lMBjN/Ka4mXx2lXcdegCghyNB
+Jd/CAQqp/EGaN+7ulRoEVE=
=rRJG
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2005-02-20 12:29:37 ----

Pushed to official updates



------- Bug moved to this database by dkl 2005-03-30 18:26 -------

This bug previously known as bug 1945 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1945
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.