Red Hat Bugzilla – Bug 484951
CVE-2009-0490 audacity: stack-based buffer overflow
Last modified: 2016-03-04 05:49:30 EST
Reference: URL: http://www.milw0rm.com/exploits/7634
Reference: MLIST:[audacity-devel] 20090110 Audacity "String_parse::get_nonspace_quoted()" Buffer Overflow
Reference: URL: http://n2.nabble.com/Audacity-%22String_parse::get_nonspace_quoted()%22-Buffer-Overflow-td2139537.html
Reference: CONFIRM: http://bugs.gentoo.org/show_bug.cgi?id=253493
Reference: URL: http://www.securityfocus.com/bid/33090
Reference: URL: http://www.frsirt.com/english/advisories/2009/0008
Reference: URL: http://osvdb.org/51070
Reference: URL: http://secunia.com/advisories/33356
Stack-based buffer overflow in the String_parse::get_nonspace_quoted
function in lib-src/allegro/strparse.cpp in Audacity 1.2.6 and other
versions before 1.3.6 allows remote attackers to cause a denial of
service (crash) and possibly execute arbitrary code via a .gro file
containing a long string.
Proof of concept: http://www.milw0rm.com/exploits/7634
Created audacity tracking bugs for this issue
CVE-2009-0490 Affects: F10 [bug #484952]
CVE-2009-0490 Affects: F9 [bug #484953]
CVE-2009-0490 Affects: Fdevel [bug #484954]
The comments on the audacity-devel list indicate that lib-src/allegro has been removed in favour of the portsmf library (http://n2.nabble.com/Audacity-%22String_parse%3A%3Aget_nonspace_quoted()%22-Buffer-Overflow-tt2139537.html#none), but looking at the source package in Fedora, lib-src/allegro is definitely there, as-is the affected file. And according to their CVS, it was removed 6mos ago (http://audacity.cvs.sourceforge.net/viewvc/audacity/lib-src/allegro/strparse.cpp?hideattic=0&view=log), so I suspect that 1.3.5 is affected by this but 1.3.6 is not simply due to the removal of the affected library.
Testing on Fedora 10 shows that it does an exit when using the public proof of concept noted above, but the confusing part is that it seems to exit in the same way 1.3.6 does (although I have not tested 1.3.6, this is based on the comments noted on audacity-devel).
The only time things get funny is when running audacity under strace, but it's strace that does the crash:
% strace audacity >out 2>&1
*** glibc detected *** strace: malloc(): memory corruption (fast): 0x00000000018ee460 ***
When running under gdb, it does segfault however (Using File -> Import -> MIDI). I don't have the debuginfo packages installed on my laptop to indicate exactly where the crash is happening.
Drop the priority to moderate as this would require end-user interaction to do much of anything.
Audacity 1.3.7-beta in Fedora 9 and newer is not affected.
Next time please make sure the package co-owners are put into the bugzilla CC list.