CVE-2019-8354

CVE-2019-8354

Name

CVE-2019-8354

Description

An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c has an integer overflow on the result of multiplication fed into malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
Third Party Advisory	https://sourceforge.net/p/sox/bugs/319
MLIST	https://lists.debian.org/debian-lts-announce/2019/05/msg00040.html
UBUNTU	https://usn.ubuntu.com/4079-1/
UBUNTU	https://usn.ubuntu.com/4079-2/

Type

URI

Third Party Advisory

https://sourceforge.net/p/sox/bugs/319

MLIST

https://lists.debian.org/debian-lts-announce/2019/05/msg00040.html

UBUNTU

https://usn.ubuntu.com/4079-1/

UBUNTU

https://usn.ubuntu.com/4079-2/

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:sound_exchange_project:sound_exchange:14.4.2:::::::*`	sound_exchange	== None	== 14.4.2

CPE URI

Source package

Min version

Max version

cpe:2.3:a:sound_exchange_project:sound_exchange:14.4.2:*:*:*:*:*:*:*

sound_exchange

== None

== 14.4.2

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
sox	3.13-community	14.4.2-r5	Natanael Copa <ncopa@alpinelinux.org>	fixed
sox	3.14-community	14.4.2-r5	Natanael Copa <ncopa@alpinelinux.org>	fixed
sox	3.15-community	14.4.2-r5	Natanael Copa <ncopa@alpinelinux.org>	fixed

Source package

Branch

Version

Maintainer

Status

sox

3.13-community

14.4.2-r5

Natanael Copa <ncopa@alpinelinux.org>

fixed

sox

3.14-community