Hi,

On Mon, Dec 10, 2012 at 09:22:30PM +0100, Salvatore Bonaccorso wrote:
> Package: wavesurfer
> Severity: important
> Tags: security
> 
> Hi,
> the following vulnerability was published for wavesurfer.
> 
> CVE-2012-6303[0]:
> WaveSurfer and Snack Sound Toolkit buffer overflows
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6303
>     http://security-tracker.debian.org/tracker/CVE-2012-6303
> [1] http://www.openwall.com/lists/oss-security/2012/12/10/2
> 
> Please adjust the affected versions in the BTS as needed.
> 
> p.s.: I haven't done further investigation, only reporting/forwarding
>       from oss-security mailinglist.

So far as I can see from the information available to me right now,
this isn't actually a bug in wavesurfer at all, but rather in snack.

It seems a little bit odd that the just-announced CVE ignores the
information in the advisory from July that it refers to and then
still specifically names wavesurfer (but not every other dep of
snack, which would be similarly affected).  If they know something
more than the existing disclosures, then someone who has access to
their embargoed discussions will need to pass that on to me and/or
the other relevant people.

If the "crafted .wav" is the only issue here, then wavesurfer itself
should be doing nothing to touch that itself aside from passing it
to snack for processing.

So I guess we can close this one and just track it against snack?

  Cheers,
  Ron
