Bug#932082: sox: CVE-2019-13590
Hi, On Sun, Jul 14, 2019 at 10:16:46PM +0200, Salvatore Bonaccorso wrote: > Source: sox > Version: 14.4.2+git20190427-1 > Severity: important > Tags: security upstream > Forwarded: https://sourceforge.net/p/sox/bugs/325/ > > Hi, > > The following vulnerability was published for sox. > > CVE-2019-13590[0]: > | An issue was discovered in libsox.a in SoX 14.4.2. In sox-fmt.h > | (startread function), there is an integer overflow on the result of > | integer addition (wraparound to 0) fed into the lsx_calloc macro that > | wraps malloc. When a NULL pointer is returned, it is used without a > | prior check that it is a valid pointer, leading to a NULL pointer > | dereference on lsx_readbuf in formats_i.c. This has been fixed upstream with https://sourceforge.net/p/sox/code/ci/7b6a889217d62ed7e28188621403cc7542fd1f7e/ . Regards, Salvatore
Bug#932082: sox: CVE-2019-13590
Source: sox Version: 14.4.2+git20190427-1 Severity: important Tags: security upstream Forwarded: https://sourceforge.net/p/sox/bugs/325/ Hi, The following vulnerability was published for sox. CVE-2019-13590[0]: | An issue was discovered in libsox.a in SoX 14.4.2. In sox-fmt.h | (startread function), there is an integer overflow on the result of | integer addition (wraparound to 0) fed into the lsx_calloc macro that | wraps malloc. When a NULL pointer is returned, it is used without a | prior check that it is a valid pointer, leading to a NULL pointer | dereference on lsx_readbuf in formats_i.c. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2019-13590 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13590 [1] https://sourceforge.net/p/sox/bugs/325/ Please adjust the affected versions in the BTS as needed. Regards, Salvatore