Debian Security Advisory

DLA-1899-1 faad2 -- LTS security update

Date Reported:
28 Aug 2019
Affected Packages:
faad2
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 914641.
In Mitre's CVE dictionary: CVE-2018-19502, CVE-2018-20196, CVE-2018-20199, CVE-2018-20360, CVE-2019-6956, CVE-2019-15296.
More information:

Multiple vulnerabilities have been discovered in faad2, the Freeware Advanced Audio Coder:

  • CVE-2018-19502

    Heap buffer overflow in the function excluded_channels (libfaad/syntax.c). This vulnerability might allow remote attackers to cause denial of service via crafted MPEG AAC data.

  • CVE-2018-20196

    Stack buffer overflow in the function calculate_gain (libfaad/br_hfadj.c). This vulnerability might allow remote attackers to cause denial of service or any other unspecified impact via crafted MPEG AAC data.

  • CVE-2018-20199, CVE-2018-20360

    NULL pointer dereference in the function ifilter_bank (libfaad/filtbank.c). This vulnerability might allow remote attackers to cause denial of service via crafted MPEG AAC data.

  • CVE-2019-6956

    Global buffer overflow in the function ps_mix_phase (libfaad/ps_dec.c). This vulnerability might allow remote attackers to cause denial of service or any other unspecified impact via crafted MPEG AAC data.

  • CVE-2019-15296

    Buffer overflow in the function faad_resetbits (libfaad/bits.c). This vulnerability might allow remote attackers to cause denial of service via crafted MPEG AAC data.

For Debian 8 Jessie, these problems have been fixed in version 2.7-8+deb8u3.

We recommend that you upgrade your faad2 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS