Debian Security Advisory

DLA-1695-1 sox -- LTS security update

Date Reported: 28 Feb 2019
Affected Packages: sox
Vulnerable: Yes
Security database references:
In the Debian bugtracking system: Bug 878808, Bug 878810, Bug 882144, Bug 881121.
In Mitre's CVE dictionary: CVE-2017-15370, CVE-2017-15372, CVE-2017-15642, CVE-2017-18189.
More information:

Multiple vulnerabilities have been discovered in SoX (Sound eXchange), a sound processing program:

  • CVE-2017-15370

    The ImaAdpcmReadBlock function (src/wav.c) is affected by a heap buffer overflow. This vulnerability might be leveraged by remote attackers using a crafted WAV file to cause denial of service (application crash).

  • CVE-2017-15372

    The lsx_ms_adpcm_block_expand_i function (adpcm.c) is affected by a stack-based buffer overflow. This vulnerability might be leveraged by remote attackers using a crafted audio file to cause denial of service (application crash).

  • CVE-2017-15642

    The lsx_aiffstartread function (aiff.c) is affected by a use-after-free vulnerability. This flaw might be leveraged by remote attackers using a crafted AIFF file to cause denial of service (application crash).

  • CVE-2017-18189

    The startread function (xa.c) is affected by a null pointer dereference vulnerability. This flaw might be leveraged by remote attackers using a crafted Maxis XA audio file to cause denial of service (application crash).

For Debian 8 Jessie, these problems have been fixed in version 14.4.1-5+deb8u2.

We recommend that you upgrade your sox packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS