Bug 8689 - tcl-snack new security issue CVE-2012-6303
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/532544/
Whiteboard: has_procedure mga2-64-OK MGA2-32-OK
Keywords: validated_update
Reported: 2013-01-14 23:38 CET by David Walser
Modified: 2013-01-24 23:32 CET (History)
Source RPM: snack-2.2.10-10.mga2.src.rpm

Description David Walser 2013-01-14 23:38:26 CET
Fedora has issued an advisory on January 3:
http://lists.fedoraproject.org/pipermail/package-announce/2013-January/096448.html

Patched packages uploaded for Mageia 2 and Cauldron.

Patch also checked into Mageia 1 SVN.

Note to QA: PoC http://www.exploit-db.com/exploits/19772/

Advisory:
========================

Updated snack packages fix security vulnerability:

Two vulnerabilities have been discovered in Snack Sound Toolkit, which are
caused due to missing boundary checks in the "GetWavHeader()" function
(generic/jkSoundFile.c) when parsing either format sub-chunks or unknown
sub-chunks. This can be exploited to cause a heap-based buffer overflow via
specially crafted WAV files with overly large chunk sizes specified
(CVE-2012-6303).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6303
http://secunia.com/advisories/49889/
http://lists.fedoraproject.org/pipermail/package-announce/2013-January/096448.html
========================

Updated packages in core/updates_testing:
========================
tcl-snack-2.2.10-10.1.mga2
python-snack-2.2.10-10.1.mga2

from snack-2.2.10-10.1.mga2.src.rpm
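
The advisory above attributes the overflow to missing boundary checks on the sizes of format and unknown sub-chunks. As an added illustration (not part of the original report, and not Snack's or Mageia's code), here is a RIFF/WAVE chunk walker in C that validates each declared size before using it; the function name, struct and error codes are hypothetical, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Snack's code; all names and error codes are hypothetical. */
enum { WAV_OK = 0, WAV_BAD_MAGIC = -1, WAV_TRUNCATED = -2, WAV_BAD_SIZE = -3, WAV_NO_FMT = -4 };
struct wav_info { uint16_t format, channels, bits; uint32_t rate; size_t data_off, data_len; };
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t le32(const uint8_t *p) { return le16(p) | (uint32_t)le16(p + 2) << 16; }

/* Every declared chunk size is checked against the bytes present before use. */
int wav_parse(const uint8_t *buf, size_t len, struct wav_info *out) {
    size_t pos = 12;
    int have_fmt = 0;
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "WAVE", 4) != 0)
        return WAV_BAD_MAGIC;
    while (len - pos >= 8) {
        const uint8_t *id = buf + pos;
        uint32_t size = le32(buf + pos + 4);
        size_t avail = len - pos - 8;          /* bytes left after this header */
        pos += 8;
        if (memcmp(id, "data", 4) == 0) {
            if (!have_fmt) return WAV_NO_FMT;
            out->data_off = pos;
            out->data_len = size < avail ? size : avail;  /* clamp to real data */
            return WAV_OK;
        }
        if (size > avail) return WAV_BAD_SIZE; /* oversized fmt or unknown chunk */
        if (memcmp(id, "fmt ", 4) == 0) {
            if (size < 16) return WAV_BAD_SIZE; /* too short for the PCM fields */
            out->format = le16(buf + pos);
            out->channels = le16(buf + pos + 2);
            out->rate = le32(buf + pos + 4);
            out->bits = le16(buf + pos + 14);
            have_fmt = 1;
        }
        pos += size;                           /* size <= avail, so pos <= len */
        if ((size & 1) && pos < len) pos++;    /* RIFF pad byte after odd sizes */
    }
    return WAV_TRUNCATED;
}
int main(void) {
    /* Constructed sample: unknown "LIST" chunk declaring 0xFFFFFFFF bytes. */
    static const uint8_t bad[] = { 'R','I','F','F', 14,0,0,0, 'W','A','V','E',
                                   'L','I','S','T', 0xff,0xff,0xff,0xff, 0,0 };
    struct wav_info wi;
    printf("oversized chunk -> %d\n", wav_parse(bad, sizeof bad, &wi));
    return 0;
}
```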

Comment 1 claire robinson 2013-01-15 11:31:39 CET
Snack has a testsuite too David, is it used here?

Comment 2 claire robinson 2013-01-15 11:53:26 CET
Testing complete mga2 64

Saved the PoC as wavesurfer.pl and created the crafted wav with
$ perl wavesurfer.pl

Before
------
$ cd /usr/share/doc/tcl-snack/
$ ./widget.tcl

Unable to play sound due to it requiring /dev/sound/dsp which I think is OSS, but running with soundwrapper corrects that.
$ soundwrapper ./widget.tcl

Opening the crafted wav causes a backtrace.

Python-snack doesn't seem affected.
$ cd /usr/share/doc/python-snack/
$ soundwrapper ./widget.py

After
-----
No backtrace

Comment 3 David Walser 2013-01-15 17:58:03 CET
(In reply to comment #1)
> Snack has a testsuite too David, is it used here?

No.

Comment 4 user7 2013-01-20 16:13:07 CET
Testing complete on mga2, i586.

Before
------
$ cd /usr/share/doc/tcl-snack/
$ ./widget.tcl
$ soundwrapper ./widget.tcl

Opening the crafted wav file causes a segmentation fault.

$ cd /usr/share/doc/python-snack/
$ soundwrapper ./widget.py
Opening the crafted wav file causes a segmentation fault also for the python version.

After
-----
No segmentation fault (for either version) when opening the crafted file.


----
Validating

No linking needed according to depcheck.

See comment 0 for SRPM & Advisory.

Could sysadmin please push from core/updates_testing to core/updates. Thank you!

Comment 5 Thomas Backlund 2013-01-24 23:32:07 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0017
