Bugzilla – Bug 793860
VUL-0: CVE-2012-6303: snack: heap-based buffer overflow in GetWavHeader() function
Last modified: 2017-11-15 15:34:54 UTC
A Secunia advisory reported [1] an issue in snack. There is also a demo PoC available from exploit-db [2].
[1] http://secunia.com/advisories/49889/
[2] http://www.exploit-db.com/exploits/19772/
Looking further into this I think it also got an official CVE assigned. It's CVE-2012-6303.
Created attachment 516943: Proposed patch
Here's a patch proposal, which I also sent upstream for review. It fixes three potential buffer overflows in GetWavHeader(), but some of the other Get*Header() functions in jkSoundFile.c appear to suffer from the same problems, although they weren't mentioned by Secunia.
Here's a script to reproduce the crash with the help of the crafted wav file from exploit-db:
--- snip ---
#!/usr/bin/tclsh
package require sound
snack::sound -file crafted.wav
--- snap ---
This only tests for the overflow fixed by the 2nd chunk of my patch, but if needed, I can also create files to exploit the other two.
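The bug is a header parser trusting length fields from the file. The following is an added defensive example, not snack's code or the attached patch: a minimal RIFF/WAVE chunk walk that checks every declared chunk size against the bytes actually present before using it, together with two constructed inputs (a valid header and one with an oversized "fmt " chunk length in the style of the exploit-db file, whose exact layout is not given on this page).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Little-endian 32-bit read without alignment assumptions. */
static uint32_t rd32le(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 1 if buf holds a RIFF/WAVE header whose "fmt " chunk fits inside
 * the buffer, storing that chunk's size in *fmt_len; returns 0 otherwise.
 * Every length field is validated before it is used as an offset. */
int parse_wav_header(const unsigned char *buf, size_t len, uint32_t *fmt_len)
{
    if (len < 12) return 0;                                   /* RIFF + size + WAVE */
    if (memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "WAVE", 4) != 0) return 0;

    size_t off = 12;
    while (off + 8 <= len) {                                  /* room for id + size */
        uint32_t csize = rd32le(buf + off + 4);
        if (csize > len - off - 8) return 0;                  /* size overruns buffer */
        if (memcmp(buf + off, "fmt ", 4) == 0) {
            if (csize < 16) return 0;                         /* PCM fmt is >= 16 bytes */
            *fmt_len = csize;
            return 1;
        }
        off += 8 + (size_t)csize + (csize & 1);               /* chunks are 2-byte aligned */
    }
    return 0;                                                 /* no fmt chunk found */
}

/* Constructed sample: a valid 36-byte header for 16-bit mono 44.1 kHz PCM. */
const unsigned char good_wav[36] = {
    'R','I','F','F', 0x1c,0,0,0, 'W','A','V','E',
    'f','m','t',' ', 16,0,0,0,
    1,0, 1,0, 0x44,0xac,0,0, 0x88,0x58,0x01,0, 2,0, 16,0 };

/* Constructed sample: same header, but the fmt chunk claims 0x7fffffff bytes. */
const unsigned char crafted_wav[36] = {
    'R','I','F','F', 0x1c,0,0,0, 'W','A','V','E',
    'f','m','t',' ', 0xff,0xff,0xff,0x7f,
    1,0, 1,0, 0x44,0xac,0,0, 0x88,0x58,0x01,0, 2,0, 16,0 };
```

The crafted header is rejected at the size check instead of driving a copy of 0x7fffffff bytes into a heap buffer; a truncated file is rejected the same way.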
Security team, do we want to dig into the other formats (Comment #3) as well? Most of them seem to be quite uncommon these days.
This is an autogenerated message for OBS integration: This bug (793860) was mentioned in https://build.opensuse.org/request/show/145450 Maintenance /
(In reply to comment #5)
> Security team, do we want to dig into the other formats (Comment #3) as well?
> Most of them seem to be quite uncommon these days.
If we are already about to fix something, we should fully fix it (regardless of the fact that it's IIRC just openSUSE that's affected). (But other formats (if affected) would require an additional CVE.) Other than that: Good job! Thank you!
Fedora, Gentoo and Debian seem to use a patch that fixes this in a more generic way and for all formats at once. I'll have a further look at that one. https://bugzilla.redhat.com/attachment.cgi?id=671186
This is an autogenerated message for OBS integration: This bug (793860) was mentioned in
https://build.opensuse.org/request/show/286636 13.2 / snack
https://build.opensuse.org/request/show/286639 13.1 / snack
openSUSE-SU-2015:0382-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 793860
CVE References: CVE-2012-6303
Sources used:
openSUSE 13.2 (src): snack-2.2.10-212.4.1
openSUSE 13.1 (src): snack-2.2.10-210.4.1
Finally fixed. Thanks for helping out.
This is an autogenerated message for OBS integration: This bug (793860) was mentioned in
https://build.opensuse.org/request/show/538814 Factory / snack
https://build.opensuse.org/request/show/538815 42.3 / snack
https://build.opensuse.org/request/show/538816 42.2 / snack
openSUSE-SU-2017:3016-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 793860
CVE References: CVE-2012-6303
Sources used:
openSUSE Leap 42.3 (src): snack-2.2.10-220.1
openSUSE Leap 42.2 (src): snack-2.2.10-217.3.1