Bug 8689 - tcl-snack new security issue CVE-2012-6303
Summary: tcl-snack new security issue CVE-2012-6303
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 2
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/532544/
Whiteboard: has_procedure mga2-64-OK MGA2-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-01-14 23:38 CET by David Walser
Modified: 2013-01-24 23:32 CET (History)
3 users (show)

See Also:
Source RPM: snack-2.2.10-10.mga2.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2013-01-14 23:38:26 CET 
Fedora has issued an advisory on January 3:
http://lists.fedoraproject.org/pipermail/package-announce/2013-January/096448.html

Patched packages uploaded for Mageia 2 and Cauldron.

Patch also checked into Mageia 1 SVN.

Note to QA: PoC http://www.exploit-db.com/exploits/19772/

Advisory:
========================

Updated snack packages fix security vulnerability:

Two vulnerabilities have been discovered in Snack Sound Toolkit, which are
caused due to missing boundary checks in the "GetWavHeader()" function
(generic/jkSoundFile.c) when parsing either format sub-chunks or unknown
sub-chunks. This can be exploited to cause a heap-based buffer overflow via
specially crafted WAV files with overly large chunk sizes specified
(CVE-2012-6303).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6303
http://secunia.com/advisories/49889/
http://lists.fedoraproject.org/pipermail/package-announce/2013-January/096448.html
========================

Updated packages in core/updates_testing:
========================
tcl-snack-2.2.10-10.1.mga2
python-snack-2.2.10-10.1.mga2

from snack-2.2.10-10.1.mga2.src.rpm
claire robinson 2013-01-15 01:40:32 CET

Whiteboard: (none) => has_procedure

Comment 1 claire robinson 2013-01-15 11:31:39 CET 
Snack has a testsuite too David, is it used here?
Comment 2 claire robinson 2013-01-15 11:53:26 CET 
Testing complete mga2 64

Saved the PoC as wavesurfer.pl and created the crafted wav with
$ perl wavesurfer.pl

Before
------
$ cd /usr/share/doc/tcl-snack/
$ ./widget.tcl

Unable to play sound due to it requiring /dev/sound/dsp which I think is OSS, but running with soundwrapper corrects that.
$ soundwrapper ./widget.tcl

Opening the crafted wav causes a backtrace.

Python-snack doesn't seem affected.
$ cd /usr/share/doc/python-snack/
$ soundwrapper ./widget.py

After
-----
No backtrace

Hardware: i586 => All
Whiteboard: has_procedure => has_procedure mga2-64-OK

Comment 3 David Walser 2013-01-15 17:58:03 CET 
(In reply to comment #1)
> Snack has a testsuite too David, is it used here?

No.
Comment 4 user7 2013-01-20 16:13:07 CET 
Testing complete on mga2, i586.

Before
------
$ cd /usr/share/doc/tcl-snack/
$ ./widget.tcl
$ soundwrapper ./widget.tcl

Opening the crafted wav file causes a segmentation fault.

$ cd /usr/share/doc/python-snack/
$ soundwrapper ./widget.py
Opening the crafted wav file causes a segmentation fault also for the python version.

After
-----
No segmentation fault (for either version) when opening the crafted file.


----
Validating

No linking needed according to depcheck.

See comment 0 for SRPM & Advisory.

Could sysadmin please push from core/updates_testing to core/updates. Thank you!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs, wassi
Whiteboard: has_procedure mga2-64-OK => has_procedure mga2-64-OK MGA2-32-OK

Comment 5 Thomas Backlund 2013-01-24 23:32:07 CET 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0017

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.