[Secure-testing-team] Bug#870328: sox: CVE-2017-11332 CVE-2017-11358 CVE-2017-11359

Salvatore Bonaccorso carnil at debian.org
Tue Aug 1 05:19:46 UTC 2017


Source: sox
Version: 14.4.1-5
Severity: important
Tags: upstream security

Hi,

the following vulnerabilities were published for sox.

CVE-2017-11332[0]:
| The startread function in wav.c in Sound eXchange (SoX) 14.4.2 allows
| remote attackers to cause a denial of service (divide-by-zero error and
| application crash) via a crafted wav file.

CVE-2017-11358[1]:
| The read_samples function in hcom.c in Sound eXchange (SoX) 14.4.2
| allows remote attackers to cause a denial of service (invalid memory
| read and application crash) via a crafted hcom file.

CVE-2017-11359[2]:
| The wavwritehdr function in wav.c in Sound eXchange (SoX) 14.4.2 allows
| remote attackers to cause a denial of service (divide-by-zero error and
| application crash) via a crafted snd file, during conversion to a wav
| file.

All three affect 14.4.1-5 so common to jessie, stretch and sid, thus
filed only one bug for all three CVEs. Please clone and reassign if
the issues cannot be fixed all at the same time.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-11332
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11332
[1] https://security-tracker.debian.org/tracker/CVE-2017-11358
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11358
[2] https://security-tracker.debian.org/tracker/CVE-2017-11359
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11359
[3] http://seclists.org/fulldisclosure/2017/Jul/81

Regards,
Salvatore
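
A defensive header check for the wav.c divide-by-zero class described above (CVE-2017-11332, CVE-2017-11359), as an added C example that is not SoX's code nor part of this report: a hypothetical minimal WAVE fmt-chunk parser that rejects zero-valued channel, rate, block-align and bits fields before any derived value divides by them. Field offsets follow the standard WAVE fmt chunk layout; the header builder produces constructed sample input, not a real file.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical minimal reader for the WAVE "fmt " chunk (not SoX's wav.c). */
struct wav_fmt { uint16_t channels, block_align, bits; uint32_t rate; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v & 0xffff)); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Parse "RIFF....WAVEfmt " + 16-byte PCM fmt body (36 bytes). 0 = ok, <0 = rejected. */
int wav_parse_fmt(const uint8_t *buf, size_t len, struct wav_fmt *f) {
    if (len < 36) return -1;
    if (memcmp(buf, "RIFF", 4) || memcmp(buf + 8, "WAVE", 4) || memcmp(buf + 12, "fmt ", 4)) return -2;
    if (rd32(buf + 16) < 16) return -3;               /* fmt chunk too short for PCM fields */
    f->channels = rd16(buf + 22); f->rate = rd32(buf + 24);
    f->block_align = rd16(buf + 32); f->bits = rd16(buf + 34);
    /* A crafted header can zero any of these; reject before any division uses them. */
    if (!f->channels || !f->rate || !f->block_align || !f->bits) return -4;
    /* block_align must equal channels * bytes-per-sample, or later per-frame maths is wrong. */
    if (f->block_align != (unsigned)f->channels * ((f->bits + 7u) / 8u)) return -5;
    return 0;
}

/* Build a constructed 36-byte header with the given fields (sample input, not a real file). */
static void make_header(uint8_t *b, uint16_t ch, uint32_t rate, uint16_t bits) {
    uint16_t ba = (uint16_t)(ch * ((bits + 7) / 8));
    memcpy(b, "RIFF", 4); wr32(b + 4, 36); memcpy(b + 8, "WAVE", 4);
    memcpy(b + 12, "fmt ", 4); wr32(b + 16, 16); wr16(b + 20, 1);  /* format tag 1 = PCM */
    wr16(b + 22, ch); wr32(b + 24, rate); wr32(b + 28, rate * ba);
    wr16(b + 32, ba); wr16(b + 34, bits);
}

/* Parse a constructed header; returns the parser's verdict. */
int demo_verdict(uint16_t ch, uint32_t rate, uint16_t bits) {
    uint8_t b[36]; struct wav_fmt f;
    make_header(b, ch, rate, bits);
    return wav_parse_fmt(b, sizeof b, &f);
}

/* Frames in a data chunk of data_len bytes, or -1 if the header was rejected (no division then). */
long demo_frames(uint16_t ch, uint32_t rate, uint16_t bits, uint32_t data_len) {
    uint8_t b[36]; struct wav_fmt f;
    make_header(b, ch, rate, bits);
    if (wav_parse_fmt(b, sizeof b, &f) != 0) return -1;
    return (long)(data_len / f.block_align);   /* safe: block_align validated non-zero */
}

int main(void) {
    printf("valid: %d, zero channels: %d, frames: %ld\n",
           demo_verdict(2, 44100, 16), demo_verdict(0, 44100, 16), demo_frames(2, 44100, 16, 400));
    return 0;
}
```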