Multiple buffer overflows in Sound eXchange (SoX) 12.17.2 through 12.17.4 allow remote attackers to execute arbitrary code via certain WAV file header fields.

Info:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0557
https://rhn.redhat.com/errata/RHSA-2004-409.html

------- Additional Comments From ckelley 2004-08-05 06:09:14 ----

Proposed fix: http://www.ibnads.com/fedora_legacy/sox/

------- Additional Comments From ckelley 2004-08-05 06:25:51 ----

Sorry, forgot to include the details:

I built this against redhat 7.3 (which previously used sox-12.17.3). It addresses the CAN-2004-0557 issue as well as including /usr/bin/soxmix in the %files section.

Redhat 9 ships with sox-12.17.3-11; and this seems to build just fine on it as well.

This is my first submission to the fedora-legacy project, so any criticism would be most appreciated. Thanks.

------- Additional Comments From dwb7.edu 2004-08-30 09:26:47 ----

Hi. Please make sha1sums of the rpms and srms and put these in an email signed with your pgp key. Thanks!

------- Additional Comments From dwb7.edu 2004-08-30 09:31:31 ----

Oh, yes. And, if you could make pkgs with the legacy name in them as well. Thanks, again.

------- Additional Comments From dwb7.edu 2004-08-30 09:43:59 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Build packages for RH7.3 using included patch in the bug report:

f8a578a1facbae53395ed5554b44e32642cd2e74 *sox-12.17.3-4.legacy.i386.rpm
88b4b394be16b95278af1372afaee6255132d598 *sox-12.17.3-4.legacy.src.rpm
26630d166650479e951567bb3ef120bd2db439cc *sox-devel-12.17.3-4.legacy.i386.rpm

download from http://cf.ccmr.cornell.edu/publicdownloads/fedoralegacy-testing/sox

- -DWB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBM4NiSY7s7uPf/IURAlrcAKCGB2asiHFHOmw94bGG31lYkbuEEQCfXsvd
ZsgmEH+8J+fti5pmrm7K+xw=
=6HQd
-----END PGP SIGNATURE-----

------- Additional Comments From ckelley 2004-08-31 10:00:07 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Package builds just fine; spec file looks ok (although, it's still missing soxmix in the %files section); the CAN patch applies nicely.

It fixes the hole:

[ink@terrence sox]$ ./exploit Bathwater.wav evil.wav /bin/bash
[+] Sox Exploiter by Rosiello Security
[+] Opened Bathwater.wav size : 42829964
[+] Coded by rave & Angelo Rosiello
[+] Writing evil code into evil.wav
[+] Org sizefield = 0 new sizefield = 258
[+] Overflowing the buffer with 128 Bytes
[+] Executing /usr/bin/sox
[+] Connecting to localhost
[-] Exploit failed
[ink@terrence sox]$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBNNihyQ+yTHz+jJkRAlHmAKCJIKdLvXbq9pIZ4AWaSZkxLmE/FACgj5Q0
SxgZN1X50Fzhr2HI0VM0NM8=
=1z/B
-----END PGP SIGNATURE-----

------- Additional Comments From ckelley 2004-08-31 11:12:28 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This looks good to PUBLISH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBNOlsyQ+yTHz+jJkRAjtBAJ95P2jLRp8jQ3bDwv06t/iYo86MGgCeJdLC
XA/1aTpRE9HluxjC5Acrm5A=
=xSKI
-----END PGP SIGNATURE-----

------- Additional Comments From dom 2004-09-10 07:23:39 ----

Note: above report does not include sha1sums, not usable.
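
The rule applied in the note above (a signed PUBLISH or VERIFY vote only counts when the signed text also names the package by its sha1sum) can be checked mechanically. The following is an added example, not part of the original bug thread or any Fedora Legacy tooling; the function names and the sample comments are constructed for illustration, and it assumes the clearsigned comment still has its original line breaks.

```python
import re

# sha1sum output line: 40 hex digits, whitespace, optional "*" (binary mode), file name
SHA1_LINE = re.compile(r"^([0-9a-f]{40})\s+\*?(\S+\.rpm)$")
VOTE = re.compile(r"\b(PUBLISH|VERIFY)\b")

def signed_lines(comment):
    """Lines covered by the clearsign signature, with dash-escaping undone."""
    lines = [l.rstrip() for l in comment.strip().splitlines()]
    begin = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
    end = lines.index("-----BEGIN PGP SIGNATURE-----")
    body = lines[begin + 1:end]
    body = body[body.index("") + 1:]      # drop armor headers such as "Hash: SHA1"
    return [l[2:] if l.startswith("- ") else l for l in body]

def review(comment):
    """Summarise one QA comment: its vote and the package hashes it is bound to.

    This inspects the signed text only; checking the signature itself is a
    separate step done with gpg --verify before trusting any of it.
    """
    try:
        lines = signed_lines(comment)
    except ValueError:                    # not a clearsigned message
        return {"vote": None, "packages": {}, "usable": False}
    packages, vote = {}, None
    for line in lines:
        m = SHA1_LINE.match(line.strip())
        if m:
            packages[m.group(2)] = m.group(1)
        elif VOTE.search(line):
            vote = VOTE.search(line).group(1)
    # A vote with no hash inside the signed text says nothing about which build
    # was tested, so it is not usable as QA evidence.
    return {"vote": vote, "packages": packages,
            "usable": vote is not None and bool(packages)}

def _wrap(body):
    # Constructed clearsign framing; the signature block is a placeholder.
    return ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n" + body +
            "\n-----BEGIN PGP SIGNATURE-----\n(placeholder)\n"
            "-----END PGP SIGNATURE-----")

# Constructed samples: the hash and package name are placeholders.
NO_HASH = _wrap("This looks good to PUBLISH")
WITH_HASH = _wrap("a" * 40 + " *example-1.0-1.legacy.src.rpm\n"
                  "- - Spec file looks good\n+PUBLISH")

if __name__ == "__main__":
    for name, sample in (("NO_HASH", NO_HASH), ("WITH_HASH", WITH_HASH)):
        print(name, review(sample))
```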

------- Additional Comments From marcdeslauriers 2004-09-12 17:24:13 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA testing on the 7.3 package:

88b4b394be16b95278af1372afaee6255132d598 *sox-12.17.3-4.legacy.src.rpm

- - Sources match previous release
- - Patch matches RHEL patch
- - Spec file looks good
- - Builds and installs OK

My only comment is we should name this sox-12.17.3-4.1.legacy.src.rpm so we get a release tag in there...

+PUBLISH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBRRLuLMAs/0C4zNoRAq+rAKCss282RAWPYEhfk+N2bkwuKep9qgCdEd94
v09DeoGxirnMyKS/xrCiyOQ=
=LQ1S
-----END PGP SIGNATURE-----

------- Additional Comments From marcdeslauriers 2004-09-12 17:24:56 ----

sox for rh9 has an additional patch. I'll upload some rpms for it in a few minutes.

------- Additional Comments From marcdeslauriers 2004-09-12 17:35:37 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are some updated sox rpms for rh9:

Changelog:
* Sun Sep 12 2004 Marc Deslauriers <marcdeslauriers> 12.17.3-11.1.legacy
- - Added CAN-2004-0557 security patch

4149936e22aa06bbb6dc692699ed5dfe627d4d3e sox-12.17.3-11.1.legacy.i386.rpm
21719e57377d29060a7ba74344a135e944d58d25 sox-12.17.3-11.1.legacy.src.rpm
3931803519706717b7e446ffe9246a69e3b80b6f sox-devel-12.17.3-11.1.legacy.i386.rpm

http://www.infostrategique.com/linuxrpms/legacy/9/sox-12.17.3-11.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/sox-12.17.3-11.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/sox-devel-12.17.3-11.1.legacy.i386.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBRRWOLMAs/0C4zNoRAmLOAKCai6pEX2bV1RmMNLAp4qbHpPwmlwCglrhP
cB7OTMlFmhSe30lZRBaarOU=
=6DXT
-----END PGP SIGNATURE-----

------- Additional Comments From ckelley 2004-09-28 12:03:57 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

88b4b394be16b95278af1372afaee6255132d598 sox-12.17.3-4.legacy.src.rpm

Package builds just fine; spec file looks ok (although, it's
still missing soxmix in the %files section); the CAN patch applies nicely.

It fixes the hole:

$ ./exploit Bathwater.wav evil.wav /bin/bash
[+] Sox Exploiter by Rosiello Security
[+] Opened Bathwater.wav size : 42829964
[+] Coded by rave & Angelo Rosiello
[+] Writing evil code into evil.wav
[+] Org sizefield = 0 new sizefield = 258
[+] Overflowing the buffer with 128 Bytes
[+] Executing /usr/bin/sox
[+] Connecting to localhost
[-] Exploit failed
$

(re-posting with SHA1 sum)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBWd+4yQ+yTHz+jJkRAlsGAJ9mj4AkZVn5TVQemVRnb4Q7R0g2yQCfZikb
a8A5Us6y+Y43UBVgMoVO0As=
=lmbR
-----END PGP SIGNATURE-----

------- Additional Comments From marcdeslauriers 2004-10-21 16:16:18 ----

Red Hat 7.3 packages will be renamed sox-12.17.3-4.1.legacy.src.rpm when we build for updates-testing.

What is missing now is RH9 QA.

------- Additional Comments From pekkas 2004-12-15 22:49:57 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA of RHL9 SRPM with rpm-build-compare.sh:
- original sources OK
- spec file changes trivial and straightforward
- patch taken directly from the RHEL3 update

+PUBLISH (RHL9)

21719e57377d29060a7ba74344a135e944d58d25 sox-12.17.3-11.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBwUv0GHbTkzxSL7QRAhdrAKCpn3qV1ix6FmnIeC2fWBeIxAopswCgnxpH
nPWO9GAGB6DFUP1gHmBgmi4=
=niGI
-----END PGP SIGNATURE-----

------- Additional Comments From marcdeslauriers 2005-02-04 16:26:43 ----

Packages were built and pushed to updates-testing.

------- Additional Comments From mschout 2005-02-05 14:31:34 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Redhat 7.3:

5e0a7fa217885c997e7172017a61ee70ac2301b6 sox-12.17.3-4.1.legacy.i386.rpm
0f383f050988875f273e15d9c0aadd802d88001f sox-devel-12.17.3-4.1.legacy.i386.rpm

* rpm --checksig:
sox-12.17.3-4.1.legacy.i386.rpm: md5 gpg OK
sox-devel-12.17.3-4.1.legacy.i386.rpm: md5 gpg OK
* signed by secnotice with valid GPG signature.
* packages install with no errors.
* appears to work normally. Converted .wav to .au and it worked as expected. Both files play and sound the same.

+VERIFY RHL7.3
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFCBWVF+CqvSzp9LOwRAo2aAKCZ8TrMpzJPDUMbH0obbpuvbizXeQCgvVE6
EFVfP96R9LNaDd08mB+1rHA=
=uU4y
-----END PGP SIGNATURE-----

------- Additional Comments From mgerber 2005-02-17 10:01:18 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

* sha1sums:
5e0a7fa217885c997e7172017a61ee70ac2301b6 sox-12.17.3-4.1.legacy.i386.rpm
0f383f050988875f273e15d9c0aadd802d88001f sox-devel-12.17.3-4.1.legacy.i386.rpm

* rpm --checksig *.rpm
sox-12.17.3-4.1.legacy.i386.rpm: md5 gpg OK
sox-devel-12.17.3-4.1.legacy.i386.rpm: md5 gpg OK

* no errors during install
* no errors while converting and downsampling a test sample

VERIFY RHL73
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCFPdNMNEywxI1brERAgNKAJ9anhrEXkoTw3IvU0I7GPV0QAbnRQCfSL6A
yYiMqLhcbd5mRhon/27iIwOIPwMFAUIU900KOzD6Y3lq+RECA0oAoI26WeSYjcxH
8cKO9szNTSFYgUk9AKCa8R8Mznwl2mlNm9Vlh0wgUEb1gg==
=S82l
-----END PGP SIGNATURE-----

------- Additional Comments From pekkas 2005-02-18 21:51:46 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Quick QA:
- PGP signature OK
- installing and converting a random wav worked ok
- http://packetstormsecurity.nl/0408-exploits/soxWAVFileBufferOverflowExploit.c didn't work.

+VERIFY RHL9

42f91c34c3ce2ada6f0119961f92e747d962ab43 sox-12.17.3-11.1.legacy.i386.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFCFu7EGHbTkzxSL7QRAmZ/AJ9MAOJuSs8lMBjN/Ka4mXx2lXcdegCghyNB
+Jd/CAQqp/EGaN+7ulRoEVE=
=rRJG
-----END PGP SIGNATURE-----

------- Additional Comments From marcdeslauriers 2005-02-20 12:29:37 ----

Pushed to official updates

------- Bug moved to this database by dkl 2005-03-30 18:26 -------

This bug previously known as bug 1945 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1945
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
This bug either had no qa contact or an invalid one.