-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package : sox Version : 14.4.1-5+deb8u2 CVE ID : CVE-2017-15370 CVE-2017-15372 CVE-2017-15642 CVE-2017-18189 Debian Bug : 878808, 878810, 882144, 881121
Multiple vulnerabilities have been discovered in SoX (Sound eXchange), a sound processing program: CVE-2017-15370 The ImaAdpcmReadBlock function (src/wav.c) is affected by a heap buffer overflow. This vulnerability might be leveraged by remote attackers using a crafted WAV file to cause denial of service (application crash). CVE-2017-15372 The lsx_ms_adpcm_block_expand_i function (adpcm.c) is affected by a stack based buffer overflow. This vulnerability might be leveraged by remote attackers using a crafted audio file to cause denial of service (application crash). CVE-2017-15642 The lsx_aiffstartread function (aiff.c) is affected by a use-after-free vulnerability. This flaw might be leveraged by remote attackers using a crafted AIFF file to cause denial of service (application crash). CVE-2017-18189 The startread function (xa.c) is affected by a null pointer dereference vulnerability. This flaw might be leveraged by remote attackers using a crafted Maxis XA audio file to cause denial of service (application crash). For Debian 8 "Jessie", these problems have been fixed in version 14.4.1-5+deb8u2. We recommend that you upgrade your sox packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEEUFZhdgIWqBhwqCvuZYVUZx9w0DQFAlx32H4ACgkQZYVUZx9w 0DTrYAf+Pa43RA9I4gPVN/i9lHTYuFoS7Md8PwnyuxltGIN4RAgwL9bJ0LX6bpHO 063RPWJTTkEZ5kq6M4azRd/FA2159aiBHsW4RF8tJkkMs7qfVlt6VTEySTkGz7nd /7Exf0eH6C0HTdQ3axQMbOztbtQclw1TOcw1CmsDLFQtQUKEXcDZ/TKrcXHPYAR4 Q98Psq6FNA7o0GjInnJAcrLyuT9W2jdwJfbmOgkyCkuTj7huyFazDFtBhLlQ/yAD jJ8V5dfJHuG301X45St4elgY601scx9s47t6+eA+kDDndChbYd4azUeQgU2FoUUL bHk4S03ZMDJgmM3z8TSjVJTTYVtQSg== =Qo1p -----END PGP SIGNATURE-----