Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 687766 (CVE-2018-13440, CVE-2018-17095) - media-libs/audiofile: multiple vulnerabilities (CVE-2018-{13440,17095})
Summary: media-libs/audiofile: multiple vulnerabilities (CVE-2018-{13440,17095})
Alias: CVE-2018-13440, CVE-2018-17095
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [upstream+/ebuild cve]
Depends on:
Reported: 2019-06-10 03:44 UTC by D'juan McDonald (domhnall)
Modified: 2020-06-11 02:50 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description D'juan McDonald (domhnall) 2019-06-10 03:44:32 UTC

An issue has been discovered in mpruett Audio File Library (aka audiofile) 0.3.6. A heap-based buffer overflow in Expand3To4Module::run has occurred when running sfconvert.

Upstream Reference:


The audiofile Audio File Library 0.3.6 has a NULL pointer dereference bug in ModuleState::setup in modules/ModuleState.cpp, which allows an attacker to cause a denial of service via a crafted caf file, as demonstrated by sfconvert.

Upstream Reference:

@security, On Thu, 06 Jun 2019 Debian announces	Fix for issues [CVE-2018-13440] and [CVE-2018-17095]. However, upstream's last changelog was 3 years ago, and non-descriptive of fix. 

"2016-08-29  Michael Pruett <>

* libaudiofile/modules/SimpleModule.h:
Fix undefined behavior in sign conversion."

On March 26, 2019 there was saying: 
"Can you please roll a new release with all these security fixes?"

Gentoo last interest in security for this package was: 2017-06-17 in bug #614046. 

Gentoo Security Padawan
Comment 1 Agostino Sarubbo gentoo-dev 2019-06-10 10:28:43 UTC
CVE-2018-17095 seems a duplicate of CVE-2017-6836
Comment 2 Sam James gentoo-dev Security 2020-03-30 15:13:45 UTC
@maintainer(s), please include the useful patches available at:

This will be most of them provided they're not already applied, including but not limited to the relevant CVE patches (tagged as such).