Hey Ron,

Thanks for your quick answer and taking time on it.

On Tue, Dec 11, 2012 at 03:38:49PM +1030, Ron wrote:
>
> Hi,
>
> On Mon, Dec 10, 2012 at 09:22:30PM +0100, Salvatore Bonaccorso wrote:
> > Package: wavesurfer
> > Severity: important
> > Tags: security
> >
> > Hi,
> > the following vulnerability was published for wavesurfer.
> >
> > CVE-2012-6303[0]:
> > WaveSurfer and Snack Sound Toolkit buffer overflows
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6303
> >     http://security-tracker.debian.org/tracker/CVE-2012-6303
> > [1] http://www.openwall.com/lists/oss-security/2012/12/10/2
> >
> > Please adjust the affected versions in the BTS as needed.
> >
> > p.s.: I haven't done further investigation, only reporting/forwarding
> > from oss-security mailing list.
>
> So far as I can see from the information available to me right now,
> this isn't actually a bug in wavesurfer at all, but rather in snack.
>
> It seems a little bit odd that the just announced CVE ignores the
> information in the advisory from July that it refers to and then
> still specifically names wavesurfer (but not every other dep of
> snack, which would be similarly affected). If they know something
> more than the existing disclosures, then someone who has access to
> their embargoed discussions will need to pass that on to me and/or
> the other relevant people.
>
> If the "crafted .wav" is the only issue here, then wavesurfer itself
> should be doing nothing to touch that itself aside from passing it
> to snack for processing.

Yep, this is not 100% clear to me. From the announcement [1], they mention
both and (multiple) buffer overflows. But if this actually turns out to be
only a problem from snack, you are right: only tracking it against snack is
the right thing. The Secunia advisory explicitly mentions that the two
vulnerabilities are found in snack.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-6303 also only
mentions snack, but wavesurfer is not shipped in Red Hat apparently.

> So I guess we can close this one and just track it against snack?

Yes, in case it only affects snack.

Thanks for your work on wavesurfer!

Regards,
Salvatore