Recently someone reported some vulnerabilities in Network Audio System (NAS) v1.9.3. These vulnerabilities were reported at: http://radscan.com/pipermail/nas/2013-August/001270.html and there are three fixes upstream: https://sourceforge.net/p/nas/code/288/ https://sourceforge.net/p/nas/code/287/ https://sourceforge.net/p/nas/code/289/
Created nas tracking bugs for this issue: Affects: fedora-all [bug 1006753] Affects: epel-all [bug 1006754]
Further description of the flaws:
* buffer overflow can happen at wrong display command argument
* buffer overflow can happen when using getenv and not checking its size
* heap overflow can happen when using getenv and not checking its size
* possible buffer overflows may occur when the size of a buffer is not checked
* format string vulnerability may occur in syslog() calls
* possible race condition and symlink attack
Buffer Overflows: please use CVE-2013-4256
Heap Overflow: please use CVE-2013-4257
Format String: please use CVE-2013-4258
http://www.openwall.com/lists/oss-security/2013/08/19/3
Each issue is fixed with the following upstream commits (in order of the original upstream report):
- buffer overflow can happen at wrong display command argument (server/os/utils.c: ProcessCommandLine()) Upstream fix: r287
- buffer overflow can happen at wrong display command argument (server/os/access.c: ResetHosts()) Upstream fix: r288
- buffer overflow can happen at wrong display command argument (server/os/connection.c: open_unix_socket()) Upstream fix: r288
- buffer overflow can happen at wrong display command argument (server/os/connection.c: open_isc_local()) Upstream fix: r288
- buffer overflow can happen at wrong display command argument (server/os/connection.c: open_xsight_local()) Upstream fix: r288
- buffer overflow can happen at wrong display command argument (server/os/connection.c: open_att_local()) Upstream fix: r288
- buffer overflow can happen at wrong display command argument (server/os/connection.c: open_att_svr4_local()) Upstream fix: r288
- buffer overflow can happen when using getenv and not checking its size (server/os/connection.c: CreateWellKnownSockets()) Upstream fix: r288
- buffer overflow can happen when using getenv and not checking its size (server/os/connection.c: AmoebaTCPConnectorThread()) Upstream fix: r288
- heap overflow can happen when using getenv and not checking its size (server/os/connection.c: AmoebaConnectorThread()) Upstream fix: r288
- format string vulnerability may occur in syslog() calls (server/os/aulog.c:40 osLogMsg()) Upstream fix: r285
- possible buffer overflows may occur when the size of a buffer is not checked (server/os/aulog.c:27 osLogMsg()) Upstream fix: r288
- possible race condition and symlink attack (server/os/connection.c: MNX_open_tcp_socket()) Upstream fix: r289
I raised some questions <http://radscan.com/pipermail/nas/2013-September/001316.html> regarding the completeness of the fixes (possibility to read or unlink a random-named file), and upstream does not rate it as a security issue.
I agree with him and I consider upstream commits r285, r287, r288, and r289 as sufficient.
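The two bug classes that dominate the list above (an unchecked getenv() value formatted into a fixed-size socket-path buffer, and a caller-supplied string passed to syslog() as the format) are shown side by side below. This is an added illustration written for this page, not NAS code and not any of the upstream commits; the environment variable AUDIO_TMPDIR, the function names and the buffer size are assumptions chosen for the example. The vulnerable shape is kept in a comment only; the compiled functions are the hardened forms.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>

/* Size of sun_path in struct sockaddr_un on Linux; used here as the
   fixed buffer size for the example (assumption, not NAS's value). */
#define SOCKPATH_MAX 108

/* Vulnerable shape (not compiled; shown only for contrast):
 *
 *   char path[SOCKPATH_MAX];
 *   sprintf(path, "%s/audio-%d", getenv("AUDIO_TMPDIR"), port); // no length check, NULL deref
 *   syslog(LOG_ERR, msg);                                       // caller's string is the format
 */

/* Hardened: bounded formatting with an explicit truncation check.
   Returns 0 on success, -1 if the result would not fit (dst is then empty). */
int build_socket_path(const char *dir, int port, char *dst, size_t dstlen)
{
    if (dstlen == 0)
        return -1;
    if (dir == NULL)               /* getenv() returns NULL when the variable is unset */
        dir = "/tmp";
    int n = snprintf(dst, dstlen, "%s/audio-%d", dir, port);
    if (n < 0 || (size_t)n >= dstlen) {
        dst[0] = '\0';             /* never hand a truncated path to bind()/connect() */
        return -1;
    }
    return 0;
}

/* Reads the directory from a (hypothetical) environment variable and
   refuses oversized values instead of overflowing the buffer. */
int socket_path_from_env(int port, char *dst, size_t dstlen)
{
    return build_socket_path(getenv("AUDIO_TMPDIR"), port, dst, dstlen);
}

/* Hardened logging: the caller's string is always an argument to a fixed
   format, so "%x" or "%n" inside it is logged literally, never interpreted.
   Returns what snprintf returns (length of the full line). */
int format_log_line(char *out, size_t outlen, const char *msg)
{
    return snprintf(out, outlen, "nas: %s", msg);
}

void log_msg(int priority, const char *msg)
{
    char line[256];
    format_log_line(line, sizeof line, msg);
    syslog(priority, "%s", line);  /* fixed "%s" format: safe even if msg contains '%' */
}

int main(void)
{
    char path[SOCKPATH_MAX];
    if (socket_path_from_env(8000, path, sizeof path) == 0)
        printf("socket path: %s\n", path);
    else
        printf("AUDIO_TMPDIR too long for a %d-byte sun_path; refusing\n", SOCKPATH_MAX);

    char line[256];
    format_log_line(line, sizeof line, "client sent %x%x%n");
    printf("%s\n", line);          /* directives appear literally in the output */
    return 0;
}
```

Run it with AUDIO_TMPDIR set to a string longer than about 95 characters to see the refusal path; with the original sprintf() shape that same input would write past the end of path. The truncation check matters as much as the bounded call: a silently truncated socket path still "works" but points somewhere the administrator did not intend.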
nas-1.9.3-9.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
nas-1.9.3-7.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
nas-1.9.3-4.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
CVE-2013-4257 was rejected and merged with CVE-2013-4256: Common Vulnerabilities and Exposures assigned an identifier CVE-2013-4257 to the following vulnerability: Name: CVE-2013-4257 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4257 Assigned: 20130612 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2013-4256. Reason: This issue was MERGED into CVE-2013-4256 because it is the same type of vulnerability. Notes: All CVE users should reference CVE-2013-4256 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.