Bug 484951 - (CVE-2009-0490) CVE-2009-0490 audacity: stack-based buffer overflow
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard: impact=moderate,source=cve,reported=2...
Keywords: Security
Depends On: 484952 484953 484954
Reported: 2009-02-10 15:35 EST by Vincent Danen
Modified: 2016-03-04 05:49 EST
Last Closed: 2009-06-21 05:59:04 EDT
Doc Type: Bug Fix

Description Vincent Danen 2009-02-10 15:35:07 EST
Name: CVE-2009-0490
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0490
Assigned: 20090209
Reference: MILW0RM:7634
Reference: URL: http://www.milw0rm.com/exploits/7634
Reference: MLIST:[audacity-devel] 20090110 Audacity "String_parse::get_nonspace_quoted()" Buffer Overflow
Reference: URL: http://n2.nabble.com/Audacity-%22String_parse::get_nonspace_quoted()%22-Buffer-Overflow-td2139537.html
Reference: CONFIRM: http://bugs.gentoo.org/show_bug.cgi?id=253493
Reference: BID:33090
Reference: URL: http://www.securityfocus.com/bid/33090
Reference: FRSIRT:ADV-2009-0008
Reference: URL: http://www.frsirt.com/english/advisories/2009/0008
Reference: OSVDB:51070
Reference: URL: http://osvdb.org/51070
Reference: SECUNIA:33356
Reference: URL: http://secunia.com/advisories/33356

Stack-based buffer overflow in the String_parse::get_nonspace_quoted
function in lib-src/allegro/strparse.cpp in Audacity 1.2.6 and other
versions before 1.3.6 allows remote attackers to cause a denial of
service (crash) and possibly execute arbitrary code via a .gro file
containing a long string.

Proof of concept: http://www.milw0rm.com/exploits/7634
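The pattern behind this CVE, shown as an added example rather than Audacity's own lib-src/allegro code: a tokenizer that copies a quoted or non-space token out of an untrusted .gro line into a fixed-size stack array with no capacity check, beside a bounded version that reports when the token did not fit so the caller can reject the file. The function names follow the name in the CVE text but are a reconstruction; FIELD_SIZE and the parsing rules are assumptions, since the page does not give the real buffer size or the real parser.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed fixed stack-buffer size; the real size used by the allegro
 * reader is not stated on the bug page. */
#define FIELD_SIZE 256

static void skip_blanks(const char *s, size_t *pos)
{
    while (s[*pos] == ' ' || s[*pos] == '\t')
        (*pos)++;
}

static bool is_token_end(char c)
{
    return c == '\0' || c == ' ' || c == '\t' || c == '\r' || c == '\n';
}

/* Vulnerable pattern: copy a "quoted" or non-space token into dst with no
 * capacity, trusting the file. Returns bytes written including the NUL.
 * Only call this with dst sized for the whole input (as the measurement
 * helper below does); against a FIELD_SIZE stack array it is the overflow
 * the CVE describes. */
static size_t get_nonspace_quoted_unsafe(const char *s, size_t *pos, char *dst)
{
    size_t n = 0;
    skip_blanks(s, pos);
    if (s[*pos] == '"') {
        (*pos)++;
        while (s[*pos] != '\0' && s[*pos] != '"')
            dst[n++] = s[(*pos)++];
        if (s[*pos] == '"')
            (*pos)++;
    } else {
        while (!is_token_end(s[*pos]))
            dst[n++] = s[(*pos)++];
    }
    dst[n++] = '\0';
    return n;
}

/* Hardened form: same tokenizer with an explicit capacity. Always
 * NUL-terminates, consumes the whole token, and returns false when the
 * token did not fit so the caller can reject the file instead of
 * silently truncating. */
static bool get_nonspace_quoted_bounded(const char *s, size_t *pos,
                                        char *dst, size_t cap)
{
    size_t n = 0;
    bool fit = true;
    if (cap == 0)
        return false;
    skip_blanks(s, pos);
    if (s[*pos] == '"') {
        (*pos)++;
        while (s[*pos] != '\0' && s[*pos] != '"') {
            if (n + 1 < cap) dst[n++] = s[*pos]; else fit = false;
            (*pos)++;
        }
        if (s[*pos] == '"')
            (*pos)++;
    } else {
        while (!is_token_end(s[*pos])) {
            if (n + 1 < cap) dst[n++] = s[*pos]; else fit = false;
            (*pos)++;
        }
    }
    dst[n] = '\0';
    return fit;
}

/* Bytes the unsafe copy would write for the first token of line, measured
 * into a heap scratch buffer large enough for the whole line. */
static size_t unsafe_bytes_written(const char *line)
{
    size_t pos = 0;
    char *scratch = malloc(strlen(line) + 1);
    size_t n = get_nonspace_quoted_unsafe(line, &pos, scratch);
    free(scratch);
    return n;
}

/* Parse the first token into a FIELD_SIZE stack array the safe way;
 * true only if it fit. */
static bool parse_first_field(const char *line, char out[FIELD_SIZE])
{
    size_t pos = 0;
    return get_nonspace_quoted_bounded(line, &pos, out, FIELD_SIZE);
}

/* Constructed input: a .gro-style line whose first token is len bytes long. */
static void make_long_line(char *buf, size_t len)
{
    memset(buf, 'A', len);
    buf[len] = ' ';
    strcpy(buf + len + 1, "tail\n");
}

int main(void)
{
    static char line[4096];
    char field[FIELD_SIZE];
    make_long_line(line, 1000);
    printf("unsafe copy would write %zu bytes into a %d-byte field\n",
           unsafe_bytes_written(line), FIELD_SIZE);
    printf("bounded parse accepted the line: %s\n",
           parse_first_field(line, field) ? "yes" : "no");
    return 0;
}
```

The bounded version deliberately keeps consuming input after the buffer fills, so a rejected token cannot desynchronise the parser into treating the overflow tail as the next field; the caller's job is to treat a false return as a malformed file, not to carry on with the truncated value.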
Comment 1 Vincent Danen 2009-02-10 15:35:36 EST
Created audacity tracking bugs for this issue

CVE-2009-0490 Affects: F10 [bug #484952]
CVE-2009-0490 Affects: F9 [bug #484953]
CVE-2009-0490 Affects: Fdevel [bug #484954]
Comment 2 Vincent Danen 2009-02-10 15:49:14 EST
The comments on the audacity-devel list indicate that lib-src/allegro has been removed in favour of the portsmf library (http://n2.nabble.com/Audacity-%22String_parse%3A%3Aget_nonspace_quoted()%22-Buffer-Overflow-tt2139537.html#none), but looking at the source package in Fedora, lib-src/allegro is definitely there, as is the affected file.  And according to their CVS, it was removed 6 months ago (http://audacity.cvs.sourceforge.net/viewvc/audacity/lib-src/allegro/strparse.cpp?hideattic=0&view=log), so I suspect that 1.3.5 is affected by this but 1.3.6 is not, simply due to the removal of the affected library.

Testing on Fedora 10 shows that it does an exit when using the public proof of concept noted above, but the confusing part is that it seems to exit in the same way 1.3.6 does (although I have not tested 1.3.6, this is based on the comments noted on audacity-devel).

The only time things get funny is when running audacity under strace, but it's strace that does the crash:

% strace audacity >out 2>&1
*** glibc detected *** strace: malloc(): memory corruption (fast): 0x00000000018ee460 ***

When running under gdb, it does segfault however (Using File -> Import -> MIDI).  I don't have the debuginfo packages installed on my laptop to indicate exactly where the crash is happening.
Comment 3 Vincent Danen 2009-02-10 16:08:36 EST
Dropping the priority to moderate as this would require end-user interaction to do much of anything.
Comment 4 Michael Schwendt 2009-06-21 05:59:04 EDT
Audacity 1.3.7-beta in Fedora 9 and newer is not affected.

Next time please make sure the package co-owners are put into the bugzilla CC list.