BugTraq
[ GLSA 200812-05 ] libsamplerate: User-assisted execution of arbitrary code Dec 02 2008 05:40PM
Robert Buchholz (rbu gentoo org)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200812-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: libsamplerate: User-assisted execution of arbitrary code
Date: December 02, 2008
Bugs: #237037
ID: 200812-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow vulnerability in libsamplerate might lead to the
execution of arbitrary code.

Background
==========

Secret Rabbit Code (aka libsamplerate) is a Sample Rate Converter for
audio.

Affected packages
=================

-------------------------------------------------------------------
     Package                    /  Vulnerable  /  Unaffected
-------------------------------------------------------------------
  1  media-libs/libsamplerate      < 0.1.4         >= 0.1.4

Description
===========

Russell O'Connor reported a buffer overflow in src/src_sinc.c related
to low conversion ratios.

Impact
======

A remote attacker could entice a user or automated system to process a
specially crafted audio file possibly leading to the execution of
arbitrary code with the privileges of the user running the application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All libsamplerate users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot -v ">=media-libs/libsamplerate-0.1.4"
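The following POSIX shell script is an added example and is not part of the GLSA or of Gentoo's own tooling. It decides whether an installed media-libs/libsamplerate version falls inside the affected range given in the table above (anything below 0.1.4) before running the upgrade. It assumes Portage's installed-package database under /var/db/pkg/<category>/<package>-<version>, dotted numeric version strings, and an optional Gentoo "-rN" revision suffix; the function names and the path are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the advisory): check whether a libsamplerate
# version is below the fixed version named in GLSA 200812-05.

FIXED_VERSION="0.1.4"

# version_lt A B: return 0 when A is strictly lower than B.
# Assumes dotted numeric components (e.g. 0.1.3); a trailing Gentoo
# "-rN" revision is stripped, which is safe for a "< fixed" test because
# a revision never sorts a version below its unrevisioned base.
version_lt() {
    a="${1%%-r*}"
    b="${2%%-r*}"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"
        bx="${b%%.*}"
        if [ "$ax" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$bx" = "$b" ]; then b=""; else b="${b#*.}"; fi
        ax="${ax:-0}"   # missing component counts as 0 (0.1 == 0.1.0)
        bx="${bx:-0}"
        if [ "$ax" -lt "$bx" ]; then return 0; fi
        if [ "$ax" -gt "$bx" ]; then return 1; fi
    done
    return 1   # equal versions are not "less than"
}

# libsamplerate_status VERSION: print "vulnerable" (exit 1) or
# "unaffected" (exit 0) for the given package version.
libsamplerate_status() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "vulnerable"
        return 1
    fi
    echo "unaffected"
    return 0
}

# installed_libsamplerate_version: list the version(s) recorded in
# Portage's installed-package database (assumed layout, see lead-in).
installed_libsamplerate_version() {
    for d in /var/db/pkg/media-libs/libsamplerate-*; do
        [ -d "$d" ] || continue
        printf '%s\n' "${d##*/libsamplerate-}"
    done
}

# Stand-alone use: pass a version explicitly, or run with no argument on a
# Gentoo host to check every installed slot.
if [ "$#" -gt 0 ]; then
    libsamplerate_status "$1"
else
    installed_libsamplerate_version | while read -r v; do
        printf '%s: ' "$v"
        libsamplerate_status "$v" || true
    done
fi
```

Run it as `sh check-libsamplerate.sh 0.1.3` to test a known version, or with no argument on the affected host; a "vulnerable" result means the emerge command above still needs to be run.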

References
==========

[ 1 ] CVE-2008-5008
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5008

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200812-05.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5