FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

libsndfile -- out-of-bounds reads

Affected packages
libsndfile < 1.0.28_2
linux-c6-libsndfile < 1.0.28_2
linux-c7-libsndfile < 1.0.28_2

Details

VuXML ID 30704aba-1da4-11e8-b6aa-4ccc6adda413
Discovery 2017-09-11
Entry 2018-03-01

Xin-Jiang on Github reports:

CVE-2017-14245 (Medium): An out of bounds read in the function d2alaw_array() in alaw.c of libsndfile 1.0.28 may lead to a remote DoS attack or information disclosure, related to mishandling of the NAN and INFINITY floating-point values.

CVE-2017-14246 (Medium): An out of bounds read in the function d2ulaw_array() in ulaw.c of libsndfile 1.0.28 may lead to a remote DoS attack or information disclosure, related to mishandling of the NAN and INFINITY floating-point values.

my123px on Github reports:

CVE-2017-17456 (Medium): The function d2alaw_array() in alaw.c of libsndfile 1.0.29pre1 may lead to a remote DoS attack (SEGV on unknown address 0x000000000000), a different vulnerability than CVE-2017-14245.

CVE-2017-17457 (Medium): The function d2ulaw_array() in ulaw.c of libsndfile 1.0.29pre1 may lead to a remote DoS attack (SEGV on unknown address 0x000000000000), a different vulnerability than CVE-2017-14246.

References

CVE Name CVE-2017-14245
CVE Name CVE-2017-14246
CVE Name CVE-2017-17456
CVE Name CVE-2017-17457
URL https://github.com/erikd/libsndfile/issues/317
URL https://github.com/erikd/libsndfile/issues/344