[SECURITY] [DLA 1695-1] sox security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 1695-1] sox security update
From: Hugo Lefeuvre <hle@debian.org>
Date: Thu, 28 Feb 2019 13:49:02 +0100
Message-id: <[🔎] 20190228124902.GA16098@behemoth.owl.eu.com.local>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : sox
Version        : 14.4.1-5+deb8u2
CVE ID         : CVE-2017-15370 CVE-2017-15372 CVE-2017-15642 CVE-2017-18189
Debian Bug     : 878808, 878810, 882144, 881121

Multiple vulnerabilities have been discovered in SoX (Sound eXchange),
a sound processing program:

CVE-2017-15370

    The ImaAdpcmReadBlock function (src/wav.c) is affected by a heap buffer
    overflow. This vulnerability might be leveraged by remote attackers
    using a crafted WAV file to cause denial of service (application crash).

CVE-2017-15372

    The lsx_ms_adpcm_block_expand_i function (adpcm.c) is affected by a
    stack based buffer overflow. This vulnerability might be leveraged by
    remote attackers using a crafted audio file to cause denial of service
    (application crash).

CVE-2017-15642

    The lsx_aiffstartread function (aiff.c) is affected by a use-after-free
    vulnerability. This flaw might be leveraged by remote attackers using a
    crafted AIFF file to cause denial of service (application crash).

CVE-2017-18189

    The startread function (xa.c) is affected by a null pointer dereference
    vulnerability. This flaw might be leveraged by remote attackers using a
    crafted Maxis XA audio file to cause denial of service (application
    crash).

For Debian 8 "Jessie", these problems have been fixed in version
14.4.1-5+deb8u2.

We recommend that you upgrade your sox packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEUFZhdgIWqBhwqCvuZYVUZx9w0DQFAlx32H4ACgkQZYVUZx9w
0DTrYAf+Pa43RA9I4gPVN/i9lHTYuFoS7Md8PwnyuxltGIN4RAgwL9bJ0LX6bpHO
063RPWJTTkEZ5kq6M4azRd/FA2159aiBHsW4RF8tJkkMs7qfVlt6VTEySTkGz7nd
/7Exf0eH6C0HTdQ3axQMbOztbtQclw1TOcw1CmsDLFQtQUKEXcDZ/TKrcXHPYAR4
Q98Psq6FNA7o0GjInnJAcrLyuT9W2jdwJfbmOgkyCkuTj7huyFazDFtBhLlQ/yAD
jJ8V5dfJHuG301X45St4elgY601scx9s47t6+eA+kDDndChbYd4azUeQgU2FoUUL
bHk4S03ZMDJgmM3z8TSjVJTTYVtQSg==
=Qo1p
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 1694-1] qemu security update
Next by Date: [SECURITY] [DLA 1697-1] bind9 security updat
Previous by thread: [SECURITY] [DLA 1694-1] qemu security update
Next by thread: [SECURITY] [DLA 1697-1] bind9 security updat
Index(es):
- Date
- Thread