CVE-2012-6303

| Field | Value |
|---|---|
| Name | CVE-2012-6303 |
| Description | Heap-based buffer overflow in the GetWavHeader function in generic/jkSoundFile.c in the Snack Sound Toolkit, as used in WaveSurfer 1.8.8p4, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large chunk size in a WAV file. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 695614 |

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| snack (PTS) | buster | 2.2.10.20090623-dfsg-8 | fixed |
| | bullseye | 2.2.10.20090623-dfsg-10 | fixed |
| | trixie, bookworm | 2.2.10.20090624+dfsg-1 | fixed |
| | sid | 2.2.10.20090624+dfsg-2 | fixed |
| wavesurfer (PTS) | buster | 1.8.8p5-1 | fixed |
| | bookworm, bullseye | 1.8.8p5-1.1 | fixed |
| | sid, trixie | 1.8.8p5-2 | fixed |

The information below is based on the following data on fixed versions.

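| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| snack | source | squeeze | 2.2.10-dfsg1-9+squeeze1 | | | |
| snack | source | (unstable) | 2.2.10-dfsg1-12.1 | low | | 695614 |
| wavesurfer | source | (unstable) | (not affected) | | | |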

Notes

- wavesurfer <not-affected> (originally reported in wavesurfer, but actually a bug in libsnack, see bug #695615)
- http://secunia.com/advisories/49889/
- https://www.openwall.com/lists/oss-security/2012/12/10/2
