Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5008 to the following vulnerability: Buffer overflow in src/src_sinc.c in Secret Rabbit Code (aka SRC or libsamplerate) before 0.1.4, when "extreme low conversion ratios" are used, allows user-assisted attackers to have an unknown impact via a crafted audio file. References: http://www.openwall.com/lists/oss-security/2008/11/03/6 http://www.mega-nerd.com/SRC/ChangeLog
Created attachment 323069 [details] src/src_sinc.c 0.13 -> 0.14 diff Only change in src/src_sinc.c between 0.13 and 0.14. I haven't looked closely whether this is over-write or over-read only.
I do not believe this bufferoverflow is something which can be triggered remotely, not even by a crafted file. Never the less I've updated F-8 and F-9 cvs to the latest upstream (F-10 and later already has that), which fixes this and is ABI compatible, and I've done builds of this: libsamplerate-0.1.4-1.fc9 Tag: dist-f9-updates-candidate: http://koji.fedoraproject.org/koji/buildinfo?buildID=69053 libsamplerate-0.1.4-1.fc8 Tag: dist-f8-updates-candidate: http://koji.fedoraproject.org/koji/buildinfo?buildID=69056 Although I do not expect any problems from these updates, given the low if any security impact of this I would prefer to see this pushed to the repo through updates-testing if pushed at all.
Hans, thanks for checking. I'll fully trust your judgement here, as you surely know the code much better as long-term maintainer of this package. If you decide to submit anyway, feel free to do it via testing first.
I'm going to close this. Current Fedora has 0.1.6 or newer, although EPEL5 has 0.1.2. However, if we do not believe this can be triggered at all, then we should not classify this as a security issue.