[Full-disclosure] [ MDVSA-2009:055 ] audacity




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2009:055
http://www.mandriva.com/security/
_______________________________________________________________________

Package : audacity
Date : February 25, 2009
Affected: 2008.0, 2008.1, 2009.0, Corporate 3.0
_______________________________________________________________________

Problem Description:

A vulnerability has been identified and corrected in audacity:

Stack-based buffer overflow in the String_parse::get_nonspace_quoted
function in lib-src/allegro/strparse.cpp in Audacity 1.2.6 and other
versions before 1.3.6 allows remote attackers to cause a denial of
service (crash) and possibly execute arbitrary code via a .gro file
containing a long string (CVE-2009-0490).

The updated packages have been patched to prevent this.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0490
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2008.0:
25ca1ccf01ee1a356fa5814adf4fd0c4 2008.0/i586/audacity-1.3.3-1.2mdv2008.0.i586.rpm
1878d30fc6b986b0f0c77148682305e7 2008.0/SRPMS/audacity-1.3.3-1.2mdv2008.0.src.rpm

Mandriva Linux 2008.0/X86_64:
daaad469ca8e0677806252e565d87982 2008.0/x86_64/audacity-1.3.3-1.2mdv2008.0.x86_64.rpm
1878d30fc6b986b0f0c77148682305e7 2008.0/SRPMS/audacity-1.3.3-1.2mdv2008.0.src.rpm

Mandriva Linux 2008.1:
65f0721d62a17e29551c64e8f40b7856 2008.1/i586/audacity-1.3.4-7.2mdv2008.1.i586.rpm
2723bdc516e43dd2ec79ec4771445dfe 2008.1/SRPMS/audacity-1.3.4-7.2mdv2008.1.src.rpm

Mandriva Linux 2008.1/X86_64:
064672f5045674f7d32a45ca6b5cd842 2008.1/x86_64/audacity-1.3.4-7.2mdv2008.1.x86_64.rpm
2723bdc516e43dd2ec79ec4771445dfe 2008.1/SRPMS/audacity-1.3.4-7.2mdv2008.1.src.rpm

Mandriva Linux 2009.0:
9afc58755559aedddc72d06942d419d7 2009.0/i586/audacity-1.3.5-3.1mdv2009.0.i586.rpm
fe5863c70275c59e6013ad7b1f608aa4 2009.0/SRPMS/audacity-1.3.5-3.1mdv2009.0.src.rpm

Mandriva Linux 2009.0/X86_64:
7cbad35b2e618c6c23dfa65e3921b04b 2009.0/x86_64/audacity-1.3.5-3.1mdv2009.0.x86_64.rpm
fe5863c70275c59e6013ad7b1f608aa4 2009.0/SRPMS/audacity-1.3.5-3.1mdv2009.0.src.rpm

Corporate 3.0:
96055ded4f5c3648e6253e2297ffa3e3 corporate/3.0/i586/audacity-1.2.0-1.2.C30mdk.i586.rpm
39069c92f797b62d042c2e66af1eeaa0 corporate/3.0/SRPMS/audacity-1.2.0-1.2.C30mdk.src.rpm

Corporate 3.0/X86_64:
ec8b562cc728084b80262275ecd585df corporate/3.0/x86_64/audacity-1.2.0-1.2.C30mdk.x86_64.rpm
39069c92f797b62d042c2e66af1eeaa0 corporate/3.0/SRPMS/audacity-1.2.0-1.2.C30mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJpWuqmqjQ0CJFipgRAnUYAJoCYFfDormTMMUllD7S1/Cb0pBCxwCfT4dQ
cbNPFHXPtSLFK5R1ZHB7jlk=
=rwrI
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages

  • [Full-disclosure] [ MDVSA-2010:073-1 ] cups
    ... Use-after-free vulnerability in the abstract file-descriptor handling ... scheduler in cupsd in CUPS 1.3.7 and 1.3.10 allows remote attackers ... The updated packages have been patched to correct these issues. ... Packages for Mandriva Linux 2010.0 was missing with ...
    (Full-Disclosure)
  • [Full-disclosure] [ MDVSA-2010:084 ] java-1.6.0-openjdk
    ... Multiple Java OpenJDK security vulnerabilities has been identified ... CMM readMabCurveData Buffer Overflow Vulnerability. ... Packages for 2009.0 are provided due to the Extended Maintenance ... Mandriva Linux 2009.0/X86_64: ...
    (Full-Disclosure)
  • [ MDVSA-2010:084 ] java-1.6.0-openjdk
    ... Multiple Java OpenJDK security vulnerabilities has been identified ... CMM readMabCurveData Buffer Overflow Vulnerability. ... Packages for 2009.0 are provided due to the Extended Maintenance ... Mandriva Linux 2009.0/X86_64: ...
    (Bugtraq)
  • [ MDVSA-2010:073-1 ] cups
    ... Use-after-free vulnerability in the abstract file-descriptor handling ... scheduler in cupsd in CUPS 1.3.7 and 1.3.10 allows remote attackers ... The updated packages have been patched to correct these issues. ... Packages for Mandriva Linux 2010.0 was missing with ...
    (Bugtraq)
  • [Full-disclosure] [ MDKSA-2007:079-1 ] - Updated xorg-x11/XFree86 packages fix i
    ... Local exploitation of a memory corruption vulnerability in the X.Org ... Updated packages are patched to address these issues. ... Packages for Mandriva Linux 2007.1 are now available. ...
    (Full-Disclosure)