user/sox: multiple vulnerabilities
Bugzilla ID | 166 |
Alias(es) | CVE-2017-11332, CVE-2017-11358, CVE-2017-11359, CVE-2017-15370, CVE-2017-15371, CVE-2017-15372, CVE-2017-15642, CVE-2017-18189, CVE-2019-1010004, CVE-2019-13590, CVE-2019-8354, CVE-2019-8355, CVE-2019-8356, CVE-2019-8357 |
Reporter | Max Rees (sroracle) |
Assignee | Max Rees (sroracle) |
Reported | 2019-07-31 11:06:44 -0500 |
Modified | 2020-03-29 02:24:40 -0500 |
Status | RESOLVED FIXED |
Version | 1.0-BETA3 |
Hardware | Adélie Linux / All |
Importance | --- / normal |
Description
CVE-2017-11332: https://nvd.nist.gov/vuln/detail/CVE-2017-11332
The startread function in wav.c in Sound eXchange (SoX) 14.4.2 allows
remote attackers to cause a denial of service (divide-by-zero error
and application crash) via a crafted wav file.
CVE-2017-11358: https://nvd.nist.gov/vuln/detail/CVE-2017-11358
The read_samples function in hcom.c in Sound eXchange (SoX) 14.4.2
allows remote attackers to cause a denial of service (invalid memory
read and application crash) via a crafted hcom file.
CVE-2017-11359: https://nvd.nist.gov/vuln/detail/CVE-2017-11359
The wavwritehdr function in wav.c in Sound eXchange (SoX) 14.4.2
allows remote attackers to cause a denial of service (divide-by-zero
error and application crash) via a crafted snd file, during conversion
to a wav file.
CVE-2017-15370: https://nvd.nist.gov/vuln/detail/CVE-2017-15370
There is a heap-based buffer overflow in the ImaExpandS function of
ima_rw.c in Sound eXchange (SoX) 14.4.2. A crafted input will lead to
a denial of service attack during conversion of an audio file.
CVE-2017-15371: https://nvd.nist.gov/vuln/detail/CVE-2017-15371
There is a reachable assertion abort in the function
sox_append_comment() in formats.c in Sound eXchange (SoX) 14.4.2. A
crafted input will lead to a denial of service attack during
conversion of an audio file.
CVE-2017-15372: https://nvd.nist.gov/vuln/detail/CVE-2017-15372
There is a stack-based buffer overflow in the
lsx_ms_adpcm_block_expand_i function of adpcm.c in Sound eXchange
(SoX) 14.4.2. A crafted input will lead to a denial of service attack
during conversion of an audio file.
CVE-2017-15642: https://nvd.nist.gov/vuln/detail/CVE-2017-15642
In lsx_aiffstartread in aiff.c in Sound eXchange (SoX) 14.4.2, there
is a Use-After-Free vulnerability triggered by supplying a malformed
AIFF file.
CVE-2017-18189: https://nvd.nist.gov/vuln/detail/CVE-2017-18189
In the startread function in xa.c in Sound eXchange (SoX) through
14.4.2, a corrupt header specifying zero channels triggers an infinite
loop with a resultant NULL pointer dereference, which may allow a
remote attacker to cause a denial-of-service.
CVE-2019-1010004: https://nvd.nist.gov/vuln/detail/CVE-2019-1010004
SoX - Sound eXchange 14.4.2 and earlier is affected by: Out-of-bounds
Read. The impact is: Denial of Service. The component is: read_samples
function at xa.c:219. The attack vector is: Victim must open specially
crafted .xa file. NOTE: this may overlap CVE-2017-18189.
CVE-2019-8354: https://nvd.nist.gov/vuln/detail/CVE-2019-8354
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c
has an integer overflow on the result of multiplication fed into
malloc. When the buffer is allocated, it is smaller than expected,
leading to a heap-based buffer overflow.
CVE-2019-8355: https://nvd.nist.gov/vuln/detail/CVE-2019-8355
An issue was discovered in SoX 14.4.2. In xmalloc.h, there is an
integer overflow on the result of multiplication fed into the
lsx_valloc macro that wraps malloc. When the buffer is allocated, it
is smaller than expected, leading to a heap-based buffer overflow in
channels_start in remix.c.
CVE-2019-8356: https://nvd.nist.gov/vuln/detail/CVE-2019-8356
An issue was discovered in SoX 14.4.2. One of the arguments to bitrv2
in fft4g.c is not guarded, such that it can lead to write access
outside of the statically declared array, aka a stack-based buffer
overflow.
CVE-2019-8357: https://nvd.nist.gov/vuln/detail/CVE-2019-8357
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c
allows a NULL pointer dereference.
CVE-2019-13590: https://nvd.nist.gov/vuln/detail/CVE-2019-13590
An issue was discovered in libsox.a in SoX 14.4.2. In sox-fmt.h
(startread function), there is an integer overflow on the result of
integer addition (wraparound to 0) fed into the lsx_calloc macro that
wraps malloc. When a NULL pointer is returned, it is used without a
prior check that it is a valid pointer, leading to a NULL pointer
dereference on lsx_readbuf in formats_i.c.
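
Added example (not SoX code and not part of the original report): a minimal C model of the size-arithmetic pattern described in CVE-2019-8354, CVE-2019-8355 and CVE-2019-13590, with the unchecked computation beside a checked allocator. All function names and the sample values are hypothetical, and the 32-bit length field is an assumption made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked size computation: the product silently wraps modulo SIZE_MAX+1,
   so malloc() would be asked for far fewer bytes than the caller will write. */
static size_t unchecked_bytes(size_t n, size_t elem) { return n * elem; }

/* Hardened array allocation: reject a zero or overflowing n * elem. */
static void *alloc_array(size_t n, size_t elem)
{
    if (n == 0 || elem == 0 || n > SIZE_MAX / elem)
        return NULL;
    return malloc(n * elem);
}

/* Unchecked 32-bit "length + 1" (room for a terminator): UINT32_MAX wraps to 0. */
static uint32_t unchecked_len_plus_one(uint32_t len) { return (uint32_t)(len + 1u); }

/* Hardened: reject the wrapping length before allocating. Callers must still
   test the returned pointer for NULL before reading into it. */
static char *alloc_field(uint32_t len)
{
    if (len == UINT32_MAX)
        return NULL;
    return calloc((size_t)len + 1u, 1);
}

int main(void)
{
    size_t n = SIZE_MAX / 8 + 2;   /* constructed hostile element count */
    printf("unchecked request: %zu bytes for %zu elements\n",
           unchecked_bytes(n, 8), n);
    void *a = alloc_array(n, 8);
    printf("checked array alloc: %s\n", a ? "allocated" : "rejected");
    free(a);

    printf("unchecked len+1: %u\n", (unsigned)unchecked_len_plus_one(UINT32_MAX));
    char *f = alloc_field(UINT32_MAX);
    printf("checked field alloc: %s\n", f ? "allocated" : "rejected");
    free(f);
    return 0;
}
```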