Name: CVE-2009-0490 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0490 Assigned: 20090209 Reference: MILW0RM:7634 Reference: URL: http://www.milw0rm.com/exploits/7634 Reference: MLIST:[audacity-devel] 20090110 Audacity "String_parse::get_nonspace_quoted()" Buffer Overflow Reference: URL: http://n2.nabble.com/Audacity-%22String_parse::get_nonspace_quoted()%22-Buffer-Overflow-td2139537.html Reference: CONFIRM: http://bugs.gentoo.org/show_bug.cgi?id=253493 Reference: BID:33090 Reference: URL: http://www.securityfocus.com/bid/33090 Reference: FRSIRT:ADV-2009-0008 Reference: URL: http://www.frsirt.com/english/advisories/2009/0008 Reference: OSVDB:51070 Reference: URL: http://osvdb.org/51070 Reference: SECUNIA:33356 Reference: URL: http://secunia.com/advisories/33356 Stack-based buffer overflow in the String_parse::get_nonspace_quoted function in lib-src/allegro/strparse.cpp in Audacity 1.2.6 and other versions before 1.3.6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a .gro file containing a long string. Proof of concept: http://www.milw0rm.com/exploits/7634
Created audacity tracking bugs for this issue CVE-2009-0490 Affects: F10 [bug #484952] CVE-2009-0490 Affects: F9 [bug #484953] CVE-2009-0490 Affects: Fdevel [bug #484954]
The comments on the audacity-devel list indicate that lib-src/allegro has been removed in favour of the portsmf library (http://n2.nabble.com/Audacity-%22String_parse%3A%3Aget_nonspace_quoted()%22-Buffer-Overflow-tt2139537.html#none), but looking at the source package in Fedora, lib-src/allegro is definitely there, as-is the affected file. And according to their CVS, it was removed 6mos ago (http://audacity.cvs.sourceforge.net/viewvc/audacity/lib-src/allegro/strparse.cpp?hideattic=0&view=log), so I suspect that 1.3.5 is affected by this but 1.3.6 is not simply due to the removal of the affected library. Testing on Fedora 10 shows that it does an exit when using the public proof of concept noted above, but the confusing part is that it seems to exit in the same way 1.3.6 does (although I have not tested 1.3.6, this is based on the comments noted on audacity-devel). The only time things get funny is when running audacity under strace, but it's strace that does the crash: % strace audacity >out 2>&1 *** glibc detected *** strace: malloc(): memory corruption (fast): 0x00000000018ee460 *** When running under gdb, it does segfault however (Using File -> Import -> MIDI). I don't have the debuginfo packages installed on my laptop to indicate exactly where the crash is happening.
Drop the priority to moderate as this would require end-user interaction to do much of anything.
Audacity 1.3.7-beta in Fedora 9 and newer is not affected. Next time please make sure the package co-owners are put into the bugzilla CC list.