Bug 793860 - (CVE-2012-6303) VUL-0: CVE-2012-6303: snack: heap-based buffer overflow in GetWavHeader() function
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: openSUSE 13.2
Priority: P2 - High
Severity: Major
Assigned To: Reinhard Max
QA Contact: Security Team bot
Reported: 2012-12-11 11:12 UTC by Matthias Weckbecker
Modified: 2017-11-15 15:34 UTC (History)
Attachments
Proposed patch (1.39 KB, patch)
2012-12-13 16:19 UTC, Reinhard Max
Description Matthias Weckbecker 2012-12-11 11:12:40 UTC
A Secunia advisory reported [1] an issue in snack. There is also a demo PoC
available from exploit-db [2].

[1] http://secunia.com/advisories/49889/
[2] http://www.exploit-db.com/exploits/19772/
Comment 1 Matthias Weckbecker 2012-12-11 11:31:40 UTC
Looking further into this I think it also got an official CVE assigned. It's
CVE-2012-6303.
Comment 3 Reinhard Max 2012-12-13 16:19:50 UTC
Created attachment 516943
Proposed patch

Here's a patch proposal, which I also sent upstream for review.

It fixes three potential buffer overflows in GetWavHeader(), but some of the other Get*Header() functions in jkSoundFile.c appear to suffer from the same problems, although they weren't mentioned by Secunia.
Comment 4 Reinhard Max 2012-12-13 16:42:02 UTC
Here's a script to reproduce the crash with the help of the crafted wav file from exploit-db:

--- snip ---
#!/usr/bin/tclsh
package require sound
snack::sound -file crafted.wav
--- snap ---

This only tests for the overflow fixed by the 2nd chunk of my patch, but if needed, I can also create files to exploit the other two.
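The defect class discussed in the comments above is a header parser that trusts a chunk length read from the file. The following is an added example, not snack's code or the attached patch: a RIFF/WAVE chunk walk that checks every declared length against the bytes actually present and against its fixed scratch buffer before copying. HEADBUF, the field layout and the two sample headers are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example (not snack's code): bounds-checked RIFF/WAVE header walk. */
#define HEADBUF 64  /* assumed fixed-size scratch buffer for the fmt chunk */

typedef struct { uint16_t format, channels; uint32_t rate; uint16_t bits; } wav_fmt;

static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t le16(const unsigned char *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Returns 0 on success, -1 if the header is truncated or a chunk length
 * would run past the end of buf or past the fixed scratch area. */
int parse_wav_header(const unsigned char *buf, size_t len, wav_fmt *out) {
    unsigned char scratch[HEADBUF];
    size_t off = 12;
    if (len < 12 || memcmp(buf, "RIFF", 4) || memcmp(buf + 8, "WAVE", 4)) return -1;
    while (off + 8 <= len) {
        uint32_t csize = le32(buf + off + 4);
        /* an unchecked parser copies csize bytes straight into scratch: the overflow */
        if (csize > len - off - 8) return -1;            /* claims more data than exists */
        if (!memcmp(buf + off, "fmt ", 4)) {
            if (csize < 16 || csize > HEADBUF) return -1; /* would overflow scratch */
            memcpy(scratch, buf + off + 8, csize);
            out->format = le16(scratch); out->channels = le16(scratch + 2);
            out->rate = le32(scratch + 4); out->bits = le16(scratch + 14);
            return 0;
        }
        if (!memcmp(buf + off, "data", 4)) return -1;    /* data chunk before fmt */
        off += 8 + csize + (csize & 1);                  /* chunks are word-aligned */
    }
    return -1;
}

/* constructed sample: minimal valid header, 16-byte fmt chunk, 44100 Hz, 2 ch, 16 bit */
static const unsigned char good_hdr[] = {
    'R','I','F','F', 36,0,0,0, 'W','A','V','E',
    'f','m','t',' ', 16,0,0,0, 1,0, 2,0, 0x44,0xAC,0,0, 0x10,0xB1,2,0, 4,0, 16,0,
    'd','a','t','a', 0,0,0,0 };
/* constructed sample: same bytes, but the fmt chunk claims 0x7fffffff bytes */
static const unsigned char bad_hdr[] = {
    'R','I','F','F', 36,0,0,0, 'W','A','V','E',
    'f','m','t',' ', 0xff,0xff,0xff,0x7f, 1,0, 2,0, 0x44,0xAC,0,0, 0x10,0xB1,2,0, 4,0, 16,0,
    'd','a','t','a', 0,0,0,0 };
```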
Comment 5 Reinhard Max 2012-12-14 09:17:03 UTC
Security team, do we want to dig into the other formats (Comment #3) as well?
Most of them seem to be quite uncommon these days.
Comment 6 Bernhard Wiedemann 2012-12-14 10:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (793860) was mentioned in
https://build.opensuse.org/request/show/145450 Maintenance /
Comment 7 Matthias Weckbecker 2013-02-13 09:23:57 UTC
(In reply to comment #5)
> Security team, do we want to dig into the other formats (Comment #3) as well?
> Most of them seem to be quite uncommon these days.

If we are already about to fix something we should fully fix it (regardless
of the fact that, IIRC, it's just openSUSE that's affected).

(but other formats (if affected) would require additional CVE)

Other than that: Good job! Thank you!
Comment 8 Reinhard Max 2013-02-13 10:53:45 UTC
Fedora, Gentoo and Debian seem to use a patch that fixes this in a more generic way and for all formats at once. I'll have a further look at that one.
https://bugzilla.redhat.com/attachment.cgi?id=671186
Comment 9 Bernhard Wiedemann 2015-02-18 15:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (793860) was mentioned in
https://build.opensuse.org/request/show/286636 13.2 / snack
https://build.opensuse.org/request/show/286639 13.1 / snack
Comment 10 Swamp Workflow Management 2015-02-26 10:04:57 UTC
openSUSE-SU-2015:0382-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 793860
CVE References: CVE-2012-6303
Sources used:
openSUSE 13.2 (src):    snack-2.2.10-212.4.1
openSUSE 13.1 (src):    snack-2.2.10-210.4.1
Comment 11 Reinhard Max 2015-03-16 10:50:48 UTC
Finally fixed. Thanks for helping out.
Comment 12 Bernhard Wiedemann 2017-11-03 19:00:39 UTC
This is an autogenerated message for OBS integration:
This bug (793860) was mentioned in
https://build.opensuse.org/request/show/538814 Factory / snack
https://build.opensuse.org/request/show/538815 42.3 / snack
https://build.opensuse.org/request/show/538816 42.2 / snack
Comment 13 Swamp Workflow Management 2017-11-15 14:07:02 UTC
openSUSE-SU-2017:3016-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 793860
CVE References: CVE-2012-6303
Sources used:
openSUSE Leap 42.3 (src):    snack-2.2.10-220.1
openSUSE Leap 42.2 (src):    snack-2.2.10-217.3.1