Bug 810807 - (CVE-2012-2107) CVE-2012-2107 Csound: Integer overflow leading to buffer overflow in lpc_import
CVE-2012-2107 Csound: Integer overflow leading to buffer overflow in lpc_import
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 812721
Blocks: 810821
  Show dependency treegraph
Reported: 2012-04-09 04:56 EDT by Huzaifa S. Sidhpurwala
Modified: 2016-01-21 04:50 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-01-20 09:18:33 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Huzaifa S. Sidhpurwala 2012-04-09 04:56:47 EDT
An integer overflow, leading to a heap-based buffer overflow was found in lpc_import utility. If a specially crafted CSV file was opened by the lpc_import utility, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running lpc_import


Possible patch:
Comment 1 Huzaifa S. Sidhpurwala 2012-04-16 01:27:22 EDT
The commit date does not match the secunia advisory, but this seems to be the only commit which matches the flaw description.

coef = (MYFLT *)malloc((hdr.npoles+hdr.nvals)*sizeof(MYFLT)); would cause an integer overflow and later when data was copied into coef at:
fread(&coef[0], sizeof(MYFLT), hdr.npoles, inf); it would cause an heap-based buffer overflow as well.
Comment 2 Huzaifa S. Sidhpurwala 2012-04-16 01:30:24 EDT
Created csound tracking bugs for this issue

Affects: fedora-all [bug 812721]
Comment 3 Kurt Seifried 2012-04-16 15:33:33 EDT
Assigned CVE as per http://www.openwall.com/lists/oss-security/2012/04/16/9
Comment 4 Peter Robinson 2016-01-20 09:18:33 EST
csound 6 is in all current releases (from GA)

Note You need to log in before you can comment on or make changes to this bug.