Bug 671834 (CVE-2018-19432) - <media-libs/libsndfile-1.0.29_pre2_p20191024: out of bounds read in sf_write_int

Status: RESOLVED FIXED
Alias: CVE-2018-19432
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/erikd/libsndfile/i...
Whiteboard: B3 [glsa+ blocked cve]
Depends on: CVE-2017-14245, CVE-2017-14246, CVE-2019-3832

Reported: 2018-11-25 01:45 UTC by D'juan McDonald (domhnall)
Modified: 2020-07-31 20:00 UTC

Description D'juan McDonald (domhnall) 2018-11-25 01:45:49 UTC
An issue was discovered in libsndfile 1.0.28. There is an out-of-bounds read in the function sf_write_int, which will lead to a denial of service or other impacts.


@maintainer(s): reported as fixed by 
https://github.com/erikd/libsndfile/commit/6f3266277bed16525f0ac2f0f03ff4626f1923e5

Gentoo Security Padawan
(domhnall)
Comment 1 Yury German Gentoo Infrastructure gentoo-dev Security 2019-04-27 19:32:32 UTC
Potential patches (as per the Red Hat bug):
https://github.com/erikd/libsndfile/commit/6f3266277bed16525f0ac2f0f03ff4626f1923e5

But it appears to need this one too (fix for CVE-2018-13139):
https://github.com/erikd/libsndfile/commit/aaea680337267bfb6d2544da878890ee7f1c5077

Debian also has this fixed in 1.0.25-9.1+deb8u2.

Maintainer(s) please advise.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2020-07-31 19:59:52 UTC
This issue was resolved and addressed in
 GLSA 202007-65 at https://security.gentoo.org/glsa/202007-65
by GLSA coordinator Sam James (sam_c).
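The bug summary expresses the affected range as the Gentoo dependency atom <media-libs/libsndfile-1.0.29_pre2_p20191024, and deciding whether a given installed version falls inside it needs Gentoo's version ordering rather than a plain lexical or `sort -V` comparison (1.0.29_pre2 is older than 1.0.29, but 1.0.29_pre2_p20191024 is newer than 1.0.29_pre2 and still older than 1.0.29). The following is an added example written for this page, not code from libsndfile, Portage or the GLSA tooling: it implements the Package Manager Specification ordering rules (dotted numeric parts, optional trailing letter, _alpha/_beta/_pre/_rc/_p suffixes, -rN revision) far enough to evaluate the atom above. The function names `parse_version`, `compare_versions` and `is_affected` are the example's own, and the PMS special case for numeric components with leading zeros is simplified to integer comparison (an assumption that no such component appears in the versions being checked).

```python
"""Gentoo version ordering, far enough to evaluate the atom in this bug.

Added example for this page; not part of libsndfile, Portage or any Gentoo
tool. Implements the PMS ordering for versions of the form
NUM(.NUM)*[a-z]?(_alpha|_beta|_pre|_rc|_p)(N)?...(-rN)?.
Simplification (assumption): numeric components are compared as integers,
so the PMS leading-zero rule (e.g. 1.01 vs 1.1) is not modelled.
"""
import re

# Upper bound from the bug summary: versions strictly below this are affected.
FIXED_VERSION = "1.0.29_pre2_p20191024"

# PMS suffix order: _alpha < _beta < _pre < _rc < (no suffix) < _p
_SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, "p": 1}

_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)"
    r"(?P<letter>[a-z])?"
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)"
    r"(?:-r(?P<rev>\d+))?$"
)


def parse_version(ver):
    """Split a Gentoo version string into comparable parts."""
    m = _VERSION_RE.match(ver)
    if not m:
        raise ValueError(f"not a valid Gentoo version: {ver!r}")
    nums = tuple(int(x) for x in m.group("nums").split("."))
    letter = ord(m.group("letter")) if m.group("letter") else 0
    suffixes = [
        (_SUFFIX_RANK[name], int(num) if num else 0)
        for name, num in re.findall(r"_(alpha|beta|pre|rc|p)(\d*)", m.group("suffixes"))
    ]
    rev = int(m.group("rev")) if m.group("rev") else 0
    return nums, letter, suffixes, rev


def _cmp(a, b):
    return (a > b) - (a < b)


def _cmp_nums(a, b):
    # Component-wise; an equal prefix with fewer components is older (1.0 < 1.0.1).
    for x, y in zip(a, b):
        if x != y:
            return _cmp(x, y)
    return _cmp(len(a), len(b))


def _cmp_suffixes(a, b):
    for x, y in zip(a, b):
        if x != y:
            return _cmp(x, y)
    if len(a) == len(b):
        return 0
    # PMS: when one version runs out of suffixes, look at the other's next
    # suffix. An extra _p makes the longer version newer; any other extra
    # suffix (_alpha/_beta/_pre/_rc) makes it older.
    longer, sign = (a, 1) if len(a) > len(b) else (b, -1)
    extra_rank = longer[min(len(a), len(b))][0]
    return sign if extra_rank > 0 else -sign


def compare_versions(v1, v2):
    """Return -1, 0 or 1 as v1 is older than, equal to or newer than v2."""
    n1, l1, s1, r1 = parse_version(v1)
    n2, l2, s2, r2 = parse_version(v2)
    return _cmp_nums(n1, n2) or _cmp(l1, l2) or _cmp_suffixes(s1, s2) or _cmp(r1, r2)


def is_affected(installed, fixed=FIXED_VERSION):
    """True if `installed` matches "<media-libs/libsndfile-<fixed>"."""
    return compare_versions(installed, fixed) < 0


if __name__ == "__main__":
    # Constructed sample versions, not taken from any system.
    for v in ("1.0.28", "1.0.28-r1", "1.0.29_pre2", "1.0.29_pre2_p20191024", "1.0.29"):
        print(f"{v:24} affected={is_affected(v)}")
```

The same comparator can be pointed at the other affected-range atoms a GLSA lists; only `FIXED_VERSION` changes. A `ValueError` on a version such as Debian's 1.0.25-9.1+deb8u2 is intended: that is not a Gentoo version and must not be compared under these rules.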