SuSE has issued this advisory on March 14: http://lists.opensuse.org/opensuse-updates/2012-03/msg00027.html

Cauldron is also vulnerable (we have the same version RedHat issued an update for). There is information about how to fix this in the RedHat and SuSE bugzillas:
https://bugzilla.novell.com/show_bug.cgi?id=749073
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0270
CC: (none) => fundawang
Blocks: (none) => 5046
Blocks: 5046 => (none)
Patched package uploaded by Funda Wang.

Advisory:
========================

Updated csound packages fix security vulnerability:

It was discovered that Csound contained two boundary errors that could be exploited by tricking a user into converting a malicious file, leading to a stack-based buffer overflow and the possible execution of arbitrary code. The first is in the getnum() function (util/heti_main.c) when processing a hetro file, the second is in the getnum() function (util/pv_import.c) when processing a PVOC file (CVE-2012-0270).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0270
http://support.novell.com/security/cve/CVE-2012-0270.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0270
========================

Updated packages in core/updates_testing:
========================

csound-5.11-7.1.mga1
csound-devel-5.11-7.1.mga1
csound-python-5.11-7.1.mga1
csound-java-5.11-7.1.mga1
csound-javadoc-5.11-7.1.mga1
csound-tk-5.11-7.1.mga1
csound-gui-5.11-7.1.mga1
csound-fltk-5.11-7.1.mga1
csound-jack-5.11-7.1.mga1
csound-fluidsynth-5.11-7.1.mga1
csound-dssi-5.11-7.1.mga1
csound-osc-5.11-7.1.mga1
csound-virtual-keyboard-5.11-7.1.mga1
csound-doc-5.11-7.1.mga1

from csound-5.11-7.1.mga1.src.rpm
Assignee: bugsquad => qa-bugs
I'm guessing the bugzilla mail to qa-bugs didn't get through for a time, so just pinging QA if you hadn't seen this one yet. If you already knew about it, sorry for the noise.
Created attachment 2083: File used for testing csound5gui

Testing complete on i586 for the srpm csound-5.11-7.mga1.src.rpm

Just testing that the attached test.csd file can be played using the gui.
I should have mentioned, the csd file is from http://en.wikipedia.org/wiki/Csound
CC: (none) => davidwhodgins
Apparently the fix for this CVE was incomplete and a new CVE was issued, and two other issues were found and assigned CVEs as well. Funda, could you look into fixing these? Here's a reference: http://lists.opensuse.org/opensuse-updates/2012-04/msg00057.html
CC: (none) => qa-bugs
Assignee: qa-bugs => fundawang
Thanks Funda. Freeze push requested and patched package uploaded for Mageia 1.

Advisory:
========================

Updated csound packages fix security vulnerability:

It was discovered that Csound contained two boundary errors that could be exploited by tricking a user into converting a malicious file, leading to a stack-based buffer overflow and the possible execution of arbitrary code. The first is in the getnum() function (util/heti_main.c) when processing a hetro file, the second is in the getnum() function (util/pv_import.c) when processing a PVOC file (CVE-2012-0270).

An integer overflow, leading to a heap-based buffer overflow, was found in the pv_import utility. If a specially crafted CSV file was opened by the pv_import utility, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running pv_import (CVE-2012-2106).

An integer overflow, leading to a heap-based buffer overflow, was found in the lpc_import utility. If a specially crafted CSV file was opened by the lpc_import utility, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running lpc_import (CVE-2012-2107).

A stack-based buffer overflow was found in the lpc_import utility. If a specially crafted CSV file was opened by the lpc_import utility, it could cause the application to crash (CVE-2012-2108).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0270
http://support.novell.com/security/cve/CVE-2012-0270.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0270
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2106
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2107
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2108
http://lists.opensuse.org/opensuse-updates/2012-04/msg00057.html
https://bugzilla.redhat.com/show_bug.cgi?id=810802
https://bugzilla.redhat.com/show_bug.cgi?id=810807
https://bugzilla.redhat.com/show_bug.cgi?id=810810
========================

Updated packages in core/updates_testing:
========================

csound-5.11-7.2.mga1
csound-devel-5.11-7.2.mga1
csound-python-5.11-7.2.mga1
csound-java-5.11-7.2.mga1
csound-javadoc-5.11-7.2.mga1
csound-tk-5.11-7.2.mga1
csound-gui-5.11-7.2.mga1
csound-fltk-5.11-7.2.mga1
csound-jack-5.11-7.2.mga1
csound-fluidsynth-5.11-7.2.mga1
csound-dssi-5.11-7.2.mga1
csound-osc-5.11-7.2.mga1
csound-virtual-keyboard-5.11-7.2.mga1
csound-doc-5.11-7.2.mga1

from csound-5.11-7.2.mga1.src.rpm
CC: qa-bugs => (none)
Assignee: fundawang => qa-bugs
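As an added illustration of the two defect classes the advisory names (an unbounded numeric-token read into a fixed stack buffer, and an unchecked size multiplication before a heap allocation), here is a hardened getnum-style reader and an overflow-checked size computation. This is not Csound's code nor the patch being tested here; NUMBUF, SEPS, SAMPLE and the function names are assumptions for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define NUMBUF 32   /* assumed token buffer size; Csound's real size is not on the page */
#define SEPS " \t\r\n,"

/* Read one delimited numeric token from in[*pos] into a fixed stack buffer,
 * rejecting (instead of overflowing on) tokens that do not fit.
 * Returns 0 and sets *out on success, -1 on a malformed or oversized token. */
int safe_getnum(const char *in, size_t *pos, double *out)
{
    char buf[NUMBUF], *end;
    size_t n = 0;
    while (in[*pos] != '\0' && strchr(SEPS, in[*pos]) != NULL)
        (*pos)++;                                    /* skip separators */
    while (in[*pos] != '\0' && strchr(SEPS, in[*pos]) == NULL) {
        if (n + 1 >= NUMBUF) return -1;              /* keep room for the NUL */
        buf[n++] = in[(*pos)++];
    }
    if (n == 0) return -1;
    buf[n] = '\0';
    errno = 0;
    *out = strtod(buf, &end);
    return (errno != 0 || *end != '\0') ? -1 : 0;
}

/* Bytes for a frames x bins float table, with explicit overflow checks so a
 * file-controlled header field cannot wrap the size into an undersized heap
 * allocation (the pattern behind CVE-2012-2106/2107). Returns 0 on overflow. */
size_t checked_frame_bytes(size_t frames, size_t bins)
{
    if (frames == 0 || bins == 0 || bins > SIZE_MAX / frames)
        return 0;
    size_t cells = frames * bins;
    return cells > SIZE_MAX / sizeof(float) ? 0 : cells * sizeof(float);
}

/* Constructed sample line: three valid fields, then one longer than NUMBUF. */
static const char SAMPLE[] = "0.000, 440.0, 1e-3, 12345678901234567890123456789012345\n";
/* Tokens accepted from SAMPLE before the oversized field is rejected. */
int count_accepted(void)
{
    size_t pos = 0; double v; int n = 0;
    while (safe_getnum(SAMPLE, &pos, &v) == 0) n++;
    return n;
}
```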
Testing complete on i586 for the srpm csound-5.11-7.2.mga1.src.rpm

csound test.csd creates a playable tone.wav, and using the gui to select the test.csd plays the tone.
There is a PoC for CVE-2012-0270 but it requires metasploit and appears to target windows versions of csound. Just testing for problems.

Checked the utilities in csound-tk
Checked csound-gui. test.csd deafens with an annoying beep.

$ csound test.csd
Creates tone.wav
$ aplay tone.wav
Playing WAVE 'tone.wav' : Signed 16 bit Little Endian, Rate 96000 Hz, Mono
Deafens again :)

I found some problems but I haven't checked if they are regressions yet.

The GUI has a help button which lists a manual but clicking it gives an error CSDOCDIR not set. csound-gui should maybe require csound-doc; the CSDOCDIR can be set at compile time apparently.

csound-doc appears not to contain any files, which might explain the error below with matrix.tk

$ urpmf --media "Core Updates Testing" csound-doc
$

I'm not sure how to use/show the virtual-keyboard but cswish does recognise it when it is installed..
'virtual_keyboard real time MIDI plugin for Csound'

Clicking help in matrix.tk gives an error..

invalid bareword "helpShowing"
in expression "helpShowing==0";
should be "$helpShowing" or "{helpShowing}" or "helpShowing(...)" or ...
invalid bareword "helpShowing"
in expression "helpShowing==0";
should be "$helpShowing" or "{helpShowing}" or "helpShowing(...)" or ...
    (parsing expression "helpShowing==0")
    invoked from within
"if {helpShowing==0} {
    toplevel .hlp
    wm title .hlp "Help"
    text .hlp.t -relief raised -bd 2 -yscrollcommand ".hlp.s set"
..."
    (procedure "doHelp" line 2)
    invoked from within
"doHelp"
    invoked from within
".help invoke"
    ("uplevel" body line 1)
    invoked from within
"uplevel #0 [list $w invoke]"
    (procedure "tk::ButtonUp" line 22)
    invoked from within
"tk::ButtonUp .help"
    (command bound to event)
These are not regressions so validating. I'll create new bugs for them.

Please see comment 6 for Advisory and SRPM.

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All
Update pushed.
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED