Date: Wed, 28 Jul 2004 16:29:17 -0500 (CDT) From: Dan Nelson <dnelson@allantgroup.com> To: FreeBSD-gnats-submit@FreeBSD.org Subject: ports/69725: Sox patch for CVE CAN-2004-0557 Message-ID: <200407282129.i6SLTHs5008686@dan.emsphone.com> Resent-Message-ID: <200407282130.i6SLUOIK013849@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 69725
>Category: ports
>Synopsis: Sox patch for CVE CAN-2004-0557
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Wed Jul 28 21:30:24 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator: Dan Nelson
>Release: FreeBSD 5.2-CURRENT i386
>Organization:
The Allant Group
>Environment:
System: FreeBSD dan.emsphone.com 5.2-CURRENT FreeBSD 5.2-CURRENT #344: Tue Jul 27 23:26:09 CDT 2004 zsh@dan.emsphone.com:/usr/src/sys/i386/compile/DANSMP i386
Buffer overflow when parsing .wav file headers in sox. The IFF chunks
concerned have a 2-byte size field, but sox reads them into a 256-byte
buffer.
>Description:
>How-To-Repeat:
>Fix:
Apply the following patch. Sox CVS has not yet provided an official fix;
this is from Debian's security group.
this is
Index: Makefile
===================================================================
RCS file: /home/ncvs/ports/audio/sox/Makefile,v
retrieving revision 1.26
diff -u -r1.26 Makefile
--- Makefile 20 Dec 2003 16:14:13 -0000 1.26
+++ Makefile 28 Jul 2004 21:10:22 -0000
@@ -7,7 +7,7 @@
PORTNAME= sox
PORTVERSION= 12.17.4
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= audio
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
MASTER_SITE_SUBDIR= sox
Index: files/patch-wav.c
===================================================================
RCS file: files/patch-wav.c
diff -N files/patch-wav.c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ files/patch-wav.c 28 Jul 2004 21:08:06 -0000
@@ -0,0 +1,24 @@
+--- wav.c.old 2002-12-31 04:19:22.000000000 +0100
++++ wav.c 2004-07-18 19:25:46.000000000 +0200
+@@ -917,6 +917,10 @@
+ } else if(strncmp(magic,"ICRD",4) == 0){
+ st_readdw(ft,&len);
+ len = (len + 1) & ~1;
++ if (len > 254) {
++ fprintf(stderr, "Possible buffer overflow hack attack (ICRD)!\n");
++ exit(109);
++ }
+ st_reads(ft,text,len);
+ if (strlen(ft->comment) + strlen(text) < 254)
+ {
+@@ -926,6 +930,10 @@
+ } else if(strncmp(magic,"ISFT",4) == 0){
+ st_readdw(ft,&len);
+ len = (len + 1) & ~1;
++ if (len > 254) {
++ fprintf(stderr, "Possible buffer overflow hack attack (ISFT)!\n");
++ exit(110);
++ }
+ st_reads(ft,text,len);
+ if (strlen(ft->comment) + strlen(text) < 254)
+ {
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200407282129.i6SLTHs5008686>