[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20141222140938.GB32428@core.inversepath.com>
Date: Mon, 22 Dec 2014 15:09:38 +0100
From: Andrea Barisani <lcars@...rt.org>
To: oss-security@...ts.openwall.com, ocert-announce@...ts.ocert.org,
bugtraq@...urityfocus.com
Subject: [oCERT-2014-010] SoX input sanitization errors
#2014-010 SoX input sanitization errors
Description:
The SoX project is an open source tool for sound processing.
The sox command line tool is affected by two heap-based buffer overflows,
respectively located in functions start_read() and AdpcmReadBlock().
A specially crafted wav file can be used to trigger the vulnerabilities.
Affected version:
SoX <= 14.4.1
Fixed version:
SoX > 14.4.1
Credit: vulnerability report received from the Google Security Team.
CVE: CVE-2014-8145
Timeline:
2014-11-20: vulnerability report received
2014-12-02: contacted maintainer
2014-12-13: patch provided by maintainer
2014-12-14: reporter confirms patch
2014-12-15: contacted affected vendors
2014-12-18: assigned CVE
2014-12-22: advisory release
References:
http://sox.sourceforge.net
Permalink:
http://www.ocert.org/advisories/ocert-2014-010.html
--
Andrea Barisani | Founder & Project Coordinator
oCERT | OSS Computer Security Incident Response Team
<lcars@...rt.org> http://www.ocert.org
0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
"Pluralitas non est ponenda sine necessitate"
Powered by blists - more mailing lists