Debian Security Advisory
DLA-1695-1 sox -- LTS security update
- Date Reported: 28 Feb 2019
- Affected Packages: sox
- Vulnerable: Yes
- Security database references: In the Debian bugtracking system: Bug 878808, Bug 878810, Bug 882144, Bug 881121. In Mitre's CVE dictionary: CVE-2017-15370, CVE-2017-15372, CVE-2017-15642, CVE-2017-18189.
- More information:
Multiple vulnerabilities have been discovered in SoX (Sound eXchange), a sound processing program:
- CVE-2017-15370
The ImaAdpcmReadBlock function (src/wav.c) is affected by a heap buffer overflow. This vulnerability might be leveraged by remote attackers using a crafted WAV file to cause denial of service (application crash).
- CVE-2017-15372
The lsx_ms_adpcm_block_expand_i function (adpcm.c) is affected by a stack-based buffer overflow. This vulnerability might be leveraged by remote attackers using a crafted audio file to cause denial of service (application crash).
- CVE-2017-15642
The lsx_aiffstartread function (aiff.c) is affected by a use-after-free vulnerability. This flaw might be leveraged by remote attackers using a crafted AIFF file to cause denial of service (application crash).
- CVE-2017-18189
The startread function (xa.c) is affected by a null pointer dereference vulnerability. This flaw might be leveraged by remote attackers using a crafted Maxis XA audio file to cause denial of service (application crash).
For Debian 8 "Jessie", these problems have been fixed in version 14.4.1-5+deb8u2. We recommend that you upgrade your sox packages.
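To check whether a Debian 8 system already carries this version, the following added script (not part of the advisory or of SoX) reimplements dpkg's version-ordering rules in Python and compares an installed version string against 14.4.1-5+deb8u2. It assumes the installed string comes from `dpkg-query -W -f='${Version}' sox`; the comparison itself needs no dpkg, so it can also run on a central host against collected inventory data.

```python
"""Added example, not from the advisory or SoX: dpkg's version ordering
(epoch, upstream, revision; '~' lowest) applied to `dpkg-query -W -f='${Version}' sox`."""
FIXED_SOX_VERSION = "14.4.1-5+deb8u2"  # jessie fix named in DLA-1695-1

def _order(c: str) -> int:
    """Per-character weight as in dpkg: '~' < end/digit < letters < others."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _verrevcmp(a: str, b: str) -> int:
    while a or b:
        # non-digit prefixes: compare character weights one by one
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            d = _order(a[:1]) - _order(b[:1])
            if d:
                return d
            a, b = a[1:], b[1:]
        # numeric prefixes: drop leading zeros; longer run wins, else first differing digit
        a, b = a.lstrip("0"), b.lstrip("0")
        first_diff = 0
        while a and b and a[0].isdigit() and b[0].isdigit():
            first_diff = first_diff or ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(version: str):
    # '[epoch:]upstream[-revision]' -> (epoch, upstream, revision)
    epoch, _, rest = version.partition(":") if ":" in version else ("0", "", version)
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else revision), (revision if sep else "")

def compare_versions(a: str, b: str) -> int:
    # <0 if a is older than b, 0 if equal, >0 if newer (as dpkg --compare-versions)
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def sox_is_fixed(installed: str, fixed: str = FIXED_SOX_VERSION) -> bool:
    # True when the installed sox already carries the DLA-1695-1 fix
    return compare_versions(installed, fixed) >= 0
```

A pre-release such as 14.4.1~rc1-1 sorts below 14.4.1 under these rules, so it is correctly reported as still vulnerable.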
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS