| Summary: | csound new security issue CVE-2012-0270 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, fundawang, sysadmin-bugs, tmb |
| Version: | 1 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Source RPM: | csound-5.11-7.mga1.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | File used for testing csound5gui | ||
Description
David Walser 2012-04-06 17:29:26 CEST

David Walser 2012-04-06 17:29:36 CEST
CC: (none) => fundawang

David Walser 2012-04-06 17:29:47 CEST
Blocks: (none) => 5046

David Walser 2012-04-07 05:58:39 CEST
Blocks: 5046 => (none)

Patched package uploaded by Funda Wang.

Advisory:
========================

Updated csound packages fix security vulnerability:

It was discovered that Csound contained two boundary errors that could be exploited by tricking a user into converting a malicious file, leading to a stack-based buffer overflow and the possible execution of arbitrary code. The first is in the getnum() function (util/heti_main.c) when processing a hetro file, the second is in the getnum() function (util/pv_import.c) when processing a PVOC file (CVE-2012-0270).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0270
http://support.novell.com/security/cve/CVE-2012-0270.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0270
========================

Updated packages in core/updates_testing:
========================
csound-5.11-7.1.mga1
csound-devel-5.11-7.1.mga1
csound-python-5.11-7.1.mga1
csound-java-5.11-7.1.mga1
csound-javadoc-5.11-7.1.mga1
csound-tk-5.11-7.1.mga1
csound-gui-5.11-7.1.mga1
csound-fltk-5.11-7.1.mga1
csound-jack-5.11-7.1.mga1
csound-fluidsynth-5.11-7.1.mga1
csound-dssi-5.11-7.1.mga1
csound-osc-5.11-7.1.mga1
csound-virtual-keyboard-5.11-7.1.mga1
csound-doc-5.11-7.1.mga1

from csound-5.11-7.1.mga1.src.rpm

Assignee: bugsquad => qa-bugs

I'm guessing the bugzilla mail to qa-bugs didn't get through for a time, so just pinging QA if you hadn't seen this one yet. If you already knew about it, sorry for the noise.

Created attachment 2083
File used for testing csound5gui

Testing complete on i586 for the srpm csound-5.11-7.mga1.src.rpm

Just testing that the attached test.csd file can be played using the gui.
I should have mentioned, the csd file is from http://en.wikipedia.org/wiki/Csound

CC: (none) => davidwhodgins

Apparently the fix for this CVE was incomplete and a new CVE was issued, and two other issues were found and assigned CVEs as well. Funda, could you look into fixing these? Here's a reference:
http://lists.opensuse.org/opensuse-updates/2012-04/msg00057.html

CC: (none) => qa-bugs
David Walser 2012-04-24 02:13:30 CEST
Blocks: (none) => 5046

Thanks Funda. Freeze push requested and patched package uploaded for Mageia 1.

Advisory:
========================

Updated csound packages fix security vulnerability:

It was discovered that Csound contained two boundary errors that could be exploited by tricking a user into converting a malicious file, leading to a stack-based buffer overflow and the possible execution of arbitrary code. The first is in the getnum() function (util/heti_main.c) when processing a hetro file, the second is in the getnum() function (util/pv_import.c) when processing a PVOC file (CVE-2012-0270).

An integer overflow, leading to a heap-based buffer overflow, was found in the pv_import utility. If a specially crafted CSV file was opened by the pv_import utility, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running pv_import (CVE-2012-2106).

An integer overflow, leading to a heap-based buffer overflow, was found in the lpc_import utility. If a specially crafted CSV file was opened by the lpc_import utility, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running lpc_import (CVE-2012-2107).

A stack-based buffer overflow was found in the lpc_import utility. If a specially crafted CSV file was opened by the lpc_import utility, it could cause the application to crash (CVE-2012-2108).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0270
http://support.novell.com/security/cve/CVE-2012-0270.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0270
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2106
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2107
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2108
http://lists.opensuse.org/opensuse-updates/2012-04/msg00057.html
https://bugzilla.redhat.com/show_bug.cgi?id=810802
https://bugzilla.redhat.com/show_bug.cgi?id=810807
https://bugzilla.redhat.com/show_bug.cgi?id=810810
========================

Updated packages in core/updates_testing:
========================
csound-5.11-7.2.mga1
csound-devel-5.11-7.2.mga1
csound-python-5.11-7.2.mga1
csound-java-5.11-7.2.mga1
csound-javadoc-5.11-7.2.mga1
csound-tk-5.11-7.2.mga1
csound-gui-5.11-7.2.mga1
csound-fltk-5.11-7.2.mga1
csound-jack-5.11-7.2.mga1
csound-fluidsynth-5.11-7.2.mga1
csound-dssi-5.11-7.2.mga1
csound-osc-5.11-7.2.mga1
csound-virtual-keyboard-5.11-7.2.mga1
csound-doc-5.11-7.2.mga1

from csound-5.11-7.2.mga1.src.rpm

CC: qa-bugs => (none)

Testing complete on i586 for the srpm csound-5.11-7.2.mga1.src.rpm

csound test.csd creates a playable tone.wav, and using the gui to select the test.csd plays the tone.
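The two bug classes named in the advisory, a delimited-token reader that copies into a fixed stack buffer without a length check (the getnum() class behind CVE-2012-0270) and an int-arithmetic size computation that wraps before malloc() (the pv_import/lpc_import class behind CVE-2012-2106 and CVE-2012-2107), shown as an added example beside their hardened forms. This is not Csound's code and is not part of this bug report: the function names, the TOKEN_MAX limit, the header-count arithmetic and the sample input are assumptions made for the illustration only.

```c
#include <ctype.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed token limit for this illustration; Csound's real buffers differ. */
#define TOKEN_MAX 20

/* Vulnerable pattern (the class behind CVE-2012-0270): a whitespace- or
 * comma-delimited token is copied into a fixed stack buffer with no check
 * on its length, so a token longer than TOKEN_MAX-1 characters in the input
 * file overruns buf and clobbers the stack frame. Only ever called here on
 * short, benign input. */
static int getnum_unsafe(const char **cur, double *out)
{
    char buf[TOKEN_MAX];
    const char *p = *cur;
    int i = 0;
    while (*p && (isspace((unsigned char)*p) || *p == ','))
        p++;
    if (*p == '\0') { *cur = p; return 0; }
    while (*p && !isspace((unsigned char)*p) && *p != ',')
        buf[i++] = *p++;               /* no bound on i */
    buf[i] = '\0';
    *out = atof(buf);
    *cur = p;
    return 1;
}

/* Hardened form: the copy stops at the buffer limit and an over-long token
 * is rejected rather than silently truncated (truncation would change the
 * parsed value); strtod's end pointer catches trailing garbage such as "2x".
 * Returns 1 on a parsed value, 0 at end of input, -1 on a malformed token. */
static int getnum_bounded(const char **cur, double *out)
{
    char buf[TOKEN_MAX + 1];
    const char *p = *cur;
    size_t i = 0;
    char *end;
    while (*p && (isspace((unsigned char)*p) || *p == ','))
        p++;
    if (*p == '\0') { *cur = p; return 0; }
    while (*p && !isspace((unsigned char)*p) && *p != ',') {
        if (i >= TOKEN_MAX)
            return -1;                 /* refuse the file, do not truncate */
        buf[i++] = *p++;
    }
    buf[i] = '\0';
    *out = strtod(buf, &end);
    *cur = p;
    return (end != buf && *end == '\0') ? 1 : -1;
}

/* Parse a whole text "file" with the bounded reader; returns the number of
 * values, or -1 as soon as any token is rejected. */
static long count_values(const char *text)
{
    double v;
    long n = 0;
    int rc;
    while ((rc = getnum_bounded(&text, &v)) == 1)
        n++;
    return rc == 0 ? n : -1;
}

/* Vulnerable pattern (the class behind CVE-2012-2106/2107): frame and bin
 * counts taken from the file header are multiplied in int arithmetic. If the
 * product wraps, a small block is allocated and the loop that later fills
 * frames*bins floats writes past it (heap-based buffer overflow). */
static float *alloc_frames_unsafe(int frames, int bins)
{
    int n = frames * bins;             /* may wrap */
    return (float *)malloc(n * sizeof(float));
}

/* Hardened form: reject non-positive counts and check the product against
 * SIZE_MAX before allocating. Returns NULL for any header it cannot honour. */
static float *alloc_frames_checked(long frames, long bins)
{
    if (frames <= 0 || bins <= 0)
        return NULL;
    if ((size_t)frames > SIZE_MAX / sizeof(float) / (size_t)bins)
        return NULL;
    return (float *)calloc((size_t)frames * (size_t)bins, sizeof(float));
}

int main(void)
{
    /* Constructed sample input, not a real hetro/PVOC dump. */
    const char *ok = "0.0 440.0 1.0\n1.0, 880.0, 0.5\n";
    const char *bad = "1 2 123456789012345678901234567890 3";
    const char *p = ok;
    double v;
    getnum_unsafe(&p, &v);
    printf("unsafe reader on benign input: %g\n", v);
    printf("bounded reader: %ld values in ok, %ld in bad\n",
           count_values(ok), count_values(bad));
    free(alloc_frames_unsafe(4, 3));
    float *f = alloc_frames_checked(LONG_MAX, 2);
    printf("alloc_frames_checked(LONG_MAX, 2): %s\n", f ? "allocated" : "rejected");
    free(f);
    return 0;
}
```

The bounded reader fails closed: an over-long or malformed token aborts the conversion instead of being truncated to something that still parses, and the size check refuses any header whose float count cannot be represented, which is the property a reviewer would look for in the fix for each of the three utilities named in the advisory.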
David Walser 2012-04-25 12:21:49 CEST
Blocks: 5046 => (none)

There is a PoC for CVE-2012-0270 but it requires metasploit and appears to target windows versions of csound.
Just testing for problems.
Checked the utilities in csound-tk
Checked csound-gui. test.csd deafens with an annoying beep.
$ csound test.csd
Creates tone.wav
$ aplay tone.wav
Playing WAVE 'tone.wav' : Signed 16 bit Little Endian, Rate 96000 Hz, Mono
Deafens again :)
I found some problems but I haven't checked if they are regressions yet.
The GUI has a help button which lists a manual but clicking it gives an error CSDOCDIR not set. csound-gui should maybe require csound-doc, the CSDOCDIR can be set at compile time apparently.
csound-doc appears not to contain any files, which might explain the error below with matrix.tk
$ urpmf --media "Core Updates Testing" csound-doc
$
I'm not sure how to use/show the virtual-keyboard but cswish does recognise it when it is installed:
'virtual_keyboard real time MIDI plugin for Csound'
Clicking help in matrix.tk gives an error:
invalid bareword "helpShowing"
in expression "helpShowing==0";
should be "$helpShowing" or "{helpShowing}" or "helpShowing(...)" or ...
invalid bareword "helpShowing"
in expression "helpShowing==0";
should be "$helpShowing" or "{helpShowing}" or "helpShowing(...)" or ...
(parsing expression "helpShowing==0")
invoked from within
"if {helpShowing==0} {
toplevel .hlp
wm title .hlp "Help"
text .hlp.t -relief raised -bd 2 -yscrollcommand ".hlp.s set"
..."
(procedure "doHelp" line 2)
invoked from within
"doHelp"
invoked from within
".help invoke"
("uplevel" body line 1)
invoked from within
"uplevel #0 [list $w invoke]"
(procedure "tk::ButtonUp" line 22)
invoked from within
"tk::ButtonUp .help"
(command bound to event)
These are not regressions so validating. I'll create new bugs for them.

Please see comment 6 for Advisory and SRPM

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update

Update pushed.

Status: NEW => RESOLVED