Bug 687766 (CVE-2018-13440, CVE-2018-17095) - <media-libs/audiofile-0.3.6-r4: multiple vulnerabilities (CVE-2018-{13440,17095})
Alias: CVE-2018-13440, CVE-2018-17095
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Depends on: CVE-2017-6827, CVE-2017-6828, CVE-2017-6829, CVE-2017-6830, CVE-2017-6831, CVE-2017-6832, CVE-2017-6833, CVE-2017-6834, CVE-2017-6835, CVE-2017-6836, CVE-2017-6837, CVE-2017-6838, CVE-2017-6839
Reported: 2019-06-10 03:44 UTC by D'juan McDonald (domhnall)
Modified: 2020-07-29 00:21 UTC

Runtime testing required: ---
nattka: sanity-check+


Description D'juan McDonald (domhnall) 2019-06-10 03:44:32 UTC

An issue has been discovered in mpruett Audio File Library (aka audiofile) 0.3.6. A heap-based buffer overflow in Expand3To4Module::run has occurred when running sfconvert.

Upstream Reference:


The audiofile Audio File Library 0.3.6 has a NULL pointer dereference bug in ModuleState::setup in modules/ModuleState.cpp, which allows an attacker to cause a denial of service via a crafted caf file, as demonstrated by sfconvert.

Upstream Reference:

@security, on Thu, 06 Jun 2019 Debian announces fix for issues [CVE-2018-13440] and [CVE-2018-17095]. However, upstream's last changelog was 3 years ago, and non-descriptive of fix.

"2016-08-29  Michael Pruett <>

* libaudiofile/modules/SimpleModule.h:
Fix undefined behavior in sign conversion."

On March 26, 2019 there was saying: 
"Can you please roll a new release with all these security fixes?"

Gentoo's last interest in security for this package was: 2017-06-17 in bug #614046.

Gentoo Security Padawan
Comment 1 Agostino Sarubbo gentoo-dev 2019-06-10 10:28:43 UTC
CVE-2018-17095 seems a duplicate of CVE-2017-6836
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-30 15:13:45 UTC
@maintainer(s), please include the useful patches available at:

This will be most of them provided they're not already applied, including but not limited to the relevant CVE patches (tagged as such).
Comment 3 Larry the Git Cow gentoo-dev 2020-07-19 18:28:49 UTC
The bug has been referenced in the following commit(s):

commit f2bb2dc35eccffb4adbcc7f4057b6e2ea458d1b8
Author:     John Helmert III <>
AuthorDate: 2020-07-19 18:28:17 +0000
Commit:     Sam James <>
CommitDate: 2020-07-19 18:28:17 +0000

    media-libs/audiofile: Add security patches
    Dropping the system-gtest patch is necessary to make the tests run, as
    mentioned here:
    The three closed bugs are reported test failures fixed by dropping the
    aforementioned patch and a slight repair of src_test. Because we're not
    using system gtest anymore, we can drop the test dependency on
    dev-cpp/gtest, and by extension the IUSE=test boilerplate.
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: John Helmert III <>
    Signed-off-by: Sam James <>

 media-libs/audiofile/audiofile-0.3.6-r4.ebuild     |  55 +++
 .../files/audiofile-0.3.6-CVE-2017-68xx.patch      | 379 +++++++++++++++++++++
 ...ofile-0.3.6-CVE-2018-13440-CVE-2018-17095.patch |  82 +++++
 3 files changed, 516 insertions(+)
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2020-07-27 20:15:04 UTC
HPPA was missed.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2020-07-27 20:16:30 UTC
depends on bug has it... whoops.
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2020-07-28 20:10:39 UTC
GLSA Vote: no
Comment 7 Rolf Eike Beer archtester 2020-07-28 21:53:54 UTC
dropped to ~hppa
Comment 8 Larry the Git Cow gentoo-dev 2020-07-29 00:20:06 UTC
The bug has been referenced in the following commit(s):

commit 99c6a8c3924a9938c21a05f0498046c3e73c50c8
Author:     Sam James <>
AuthorDate: 2020-07-29 00:19:22 +0000
Commit:     Sam James <>
CommitDate: 2020-07-29 00:19:37 +0000

    media-libs/audiofile: security cleanup
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Sam James <>

 media-libs/audiofile/audiofile-0.3.6-r3.ebuild | 50 --------------------------
 1 file changed, 50 deletions(-)