Date: Wed, 28 Jul 2004 16:29:17 -0500 (CDT)
From: Dan Nelson <dnelson@allantgroup.com>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/69725: Sox patch for CVE CAN-2004-0557
Message-ID: <200407282129.i6SLTHs5008686@dan.emsphone.com>
Resent-Message-ID: <200407282130.i6SLUOIK013849@freefall.freebsd.org>
>Number: 69725
>Category: ports
>Synopsis: Sox patch for CVE CAN-2004-0557
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Wed Jul 28 21:30:24 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator: Dan Nelson
>Release: FreeBSD 5.2-CURRENT i386
>Organization: The Allant Group
>Environment:
System: FreeBSD dan.emsphone.com 5.2-CURRENT FreeBSD 5.2-CURRENT #344: Tue Jul 27 23:26:09 CDT 2004 zsh@dan.emsphone.com:/usr/src/sys/i386/compile/DANSMP i386

Buffer overflow when parsing .wav file headers in sox. The IFF chunks concerned have a 2-byte size field, but sox reads them into a 256-byte buffer.
>Description:
>How-To-Repeat:
>Fix:
Apply the following patch. Sox CVS has not yet provided an official fix; this is from Debian's security group. this is
Index: Makefile =================================================================== RCS file: /home/ncvs/ports/audio/sox/Makefile,v retrieving revision 1.26 diff -u -r1.26 Makefile --- Makefile 20 Dec 2003 16:14:13 -0000 1.26 +++ Makefile 28 Jul 2004 21:10:22 -0000 @@ -7,7 +7,7 @@ PORTNAME= sox PORTVERSION= 12.17.4 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= audio MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= sox Index: files/patch-wav.c =================================================================== RCS file: files/patch-wav.c diff -N files/patch-wav.c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/patch-wav.c 28 Jul 2004 21:08:06 -0000 
@@ -0,0 +1,24 @@ +--- wav.c.old 2002-12-31 04:19:22.000000000 +0100 ++++ wav.c 2004-07-18 19:25:46.000000000 +0200 +@@ -917,6 +917,10 @@ + } else if(strncmp(magic,"ICRD",4) == 0){ + st_readdw(ft,&len); + len = (len + 1) & ~1; ++ if (len > 254) { ++ fprintf(stderr, "Possible buffer overflow hack attack (ICRD)!\n"); ++ exit(109); ++ } + st_reads(ft,text,len); + if (strlen(ft->comment) + strlen(text) < 254) + { +@@ -926,6 +930,10 @@ + } else if(strncmp(magic,"ISFT",4) == 0){ + st_readdw(ft,&len); + len = (len + 1) & ~1; ++ if (len > 254) { ++ fprintf(stderr, "Possible buffer overflow hack attack (ISFT)!\n"); ++ exit(110); ++ } + st_reads(ft,text,len); + if (strlen(ft->comment) + strlen(text) < 254) + { >Release-Note: >Audit-Trail: >Unformatted:
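Review bot: In the ICRD hunk of wav.c the new guard `if (len > 254)` only bounds the length from above, and it runs after `len = (len + 1) & ~1;`. If `len` is a signed type (its declaration is not in these lines), a large value stored by `st_readdw(ft,&len)` is negative and passes the test, and a stored length of 0xFFFFFFFF can round to 0 before the test sees it. Suggest testing the raw value before rounding, comparing it as unsigned, and writing the limit in terms of `sizeof(text)` rather than the literal 254, so the check stays correct if the buffer size changes.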
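Review bot: The ISFT hunk of wav.c repeats the ICRD check line for line and, like it, handles an oversized length with `exit(110)` from inside the header parser, so a single malformed file ends the whole calling process and the exit codes 109 and 110 are the only thing telling the two cases apart. Suggest one shared helper for both chunk types that reports the error and fails the read through the reader's normal error return. The message "Possible buffer overflow hack attack" would be more useful if it named the chunk and the rejected length.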
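The length handling this report is about, as an added example (not sox code and not the Debian patch): a bounded read of one INFO sub-chunk that checks the declared length against the destination before copying and returns an error instead of exiting. It assumes the standard RIFF layout of a 4-byte tag and a 4-byte little-endian length, as the `st_readdw` call in the patch suggests; `read_info_chunk`, `try_chunk`, `TEXT_MAX` and the sample bytes are hypothetical names and constructed data.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TEXT_MAX 256u  /* destination size, matching the 256-byte buffer in the report */

/* Read one INFO sub-chunk (4-byte tag, 4-byte little-endian length, payload
 * padded to an even size) from buf[0..buflen). Returns the bytes consumed,
 * or -1 when the chunk is truncated or would not fit in text[]. */
long read_info_chunk(const uint8_t *buf, size_t buflen,
                     char tag[5], char text[TEXT_MAX])
{
    uint32_t len, padded;
    if (buflen < 8)
        return -1;                        /* header itself is truncated */
    memcpy(tag, buf, 4);
    tag[4] = '\0';
    len = (uint32_t)buf[4] | (uint32_t)buf[5] << 8 |
          (uint32_t)buf[6] << 16 | (uint32_t)buf[7] << 24;
    /* Test the raw, unsigned length before rounding, so 0xFFFFFFFF cannot
     * wrap to 0, and keep one byte for the terminator. */
    if (len > TEXT_MAX - 1)
        return -1;
    padded = (len + 1) & ~(uint32_t)1;
    if (padded > buflen - 8)
        return -1;                        /* payload runs past the input */
    memcpy(text, buf + 8, len);
    text[len] = '\0';
    return (long)(8 + padded);
}

/* Constructed sample chunks, not taken from any real file. */
static const uint8_t ok_chunk[]   = { 'I','S','F','T', 3,0,0,0, 's','o','x',0 };
static const uint8_t big_chunk[]  = { 'I','C','R','D', 0x00,0x01,0,0, 'A','A' };
static const uint8_t wrap_chunk[] = { 'I','C','R','D', 0xFF,0xFF,0xFF,0xFF };
static char g_tag[5], g_text[TEXT_MAX];   /* last parsed tag and text */

long try_chunk(const uint8_t *buf, size_t n)
{
    return read_info_chunk(buf, n, g_tag, g_text);
}

int main(void)
{
    printf("ok=%ld\n", try_chunk(ok_chunk, sizeof ok_chunk));
    printf("big=%ld wrap=%ld\n", try_chunk(big_chunk, sizeof big_chunk),
           try_chunk(wrap_chunk, sizeof wrap_chunk));
    return 0;
}
```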