Bug 484951 (CVE-2009-0490) - CVE-2009-0490 audacity: stack-based buffer overflow
Summary: CVE-2009-0490 audacity: stack-based buffer overflow
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2009-0490
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard:
Depends On: 484952 484953 484954
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-02-10 20:35 UTC by Vincent Danen
Modified: 2019-09-29 12:28 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-06-21 09:59:04 UTC
Embargoed:

Attachments (Terms of Use)

Description Vincent Danen 2009-02-10 20:35:07 UTC 
Name: CVE-2009-0490
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0490
Assigned: 20090209
Reference: MILW0RM:7634
Reference: URL: http://www.milw0rm.com/exploits/7634
Reference: MLIST:[audacity-devel] 20090110 Audacity "String_parse::get_nonspace_quoted()" Buffer Overflow
Reference: URL: http://n2.nabble.com/Audacity-%22String_parse::get_nonspace_quoted()%22-Buffer-Overflow-td2139537.html
Reference: CONFIRM: http://bugs.gentoo.org/show_bug.cgi?id=253493
Reference: BID:33090
Reference: URL: http://www.securityfocus.com/bid/33090
Reference: FRSIRT:ADV-2009-0008
Reference: URL: http://www.frsirt.com/english/advisories/2009/0008
Reference: OSVDB:51070
Reference: URL: http://osvdb.org/51070
Reference: SECUNIA:33356
Reference: URL: http://secunia.com/advisories/33356

Stack-based buffer overflow in the String_parse::get_nonspace_quoted
function in lib-src/allegro/strparse.cpp in Audacity 1.2.6 and other
versions before 1.3.6 allows remote attackers to cause a denial of
service (crash) and possibly execute arbitrary code via a .gro file
containing a long string.

Proof of concept: http://www.milw0rm.com/exploits/7634
Comment 1 Vincent Danen 2009-02-10 20:35:36 UTC 
Created audacity tracking bugs for this issue

CVE-2009-0490 Affects: F10 [bug #484952]
CVE-2009-0490 Affects: F9 [bug #484953]
CVE-2009-0490 Affects: Fdevel [bug #484954]
Comment 2 Vincent Danen 2009-02-10 20:49:14 UTC 
The comments on the audacity-devel list indicate that lib-src/allegro has been removed in favour of the portsmf library (http://n2.nabble.com/Audacity-%22String_parse%3A%3Aget_nonspace_quoted()%22-Buffer-Overflow-tt2139537.html#none), but looking at the source package in Fedora, lib-src/allegro is definitely there, as-is the affected file.  And according to their CVS, it was removed 6mos ago (http://audacity.cvs.sourceforge.net/viewvc/audacity/lib-src/allegro/strparse.cpp?hideattic=0&view=log), so I suspect that 1.3.5 is affected by this but 1.3.6 is not simply due to the removal of the affected library.

Testing on Fedora 10 shows that it does an exit when using the public proof of concept noted above, but the confusing part is that it seems to exit in the same way 1.3.6 does (although I have not tested 1.3.6, this is based on the comments noted on audacity-devel).

The only time things get funny is when running audacity under strace, but it's strace that does the crash:

% strace audacity >out 2>&1
*** glibc detected *** strace: malloc(): memory corruption (fast): 0x00000000018ee460 ***

When running under gdb, it does segfault however (Using File -> Import -> MIDI).  I don't have the debuginfo packages installed on my laptop to indicate exactly where the crash is happening.
Comment 3 Vincent Danen 2009-02-10 21:08:36 UTC 
Drop the priority to moderate as this would require end-user interaction to do much of anything.
Comment 4 Michael Schwendt 2009-06-21 09:59:04 UTC 
Audacity 1.3.7-beta in Fedora 9 and newer is not affected.

Next time please make sure the package co-owners are put into the bugzilla CC list.
Note You need to log in before you can comment on or make changes to this bug.