| Summary: | <media-sound/sox-14.4.2: input sanitization errors | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | sound |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.openwall.com/lists/oss-security/2014/12/22/9 | ||
| Whiteboard: | B2 [glsa] | ||
| Package list: | Runtime testing required: | --- | |
@ Maintainer(s): Please cleanup and drop =media-sound/sox-14.4.1 Please clean... (In reply to Aaron Bauman from comment #2) > Please clean... Done. This issue was resolved and addressed in GLSA 201612-30 at https://security.gentoo.org/glsa/201612-30 by GLSA coordinator Kristian Fiskerstrand (K_F). |
From ${URL} : #2014-010 SoX input sanitization errors Description: The SoX project is an open source tool for sound processing. The sox command line tool is affected by two heap-based buffer overflows, respectively located in functions start_read() and AdpcmReadBlock(). A specially crafted wav file can be used to trigger the vulnerabilities. Affected version: SoX <= 14.4.1 Fixed version: SoX > 14.4.1 Credit: vulnerability report received from the Google Security Team. CVE: CVE-2014-8145 Timeline: 2014-11-20: vulnerability report received 2014-12-02: contacted maintainer 2014-12-13: patch provided by maintainer 2014-12-14: reporter confirms patch 2014-12-15: contacted affected vendors 2014-12-18: assigned CVE 2014-12-22: advisory release @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.