libsndfile-devel-1.0.31-2.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10992 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libsndfile-devel-1.0.31-2.2 on GA media These are all security issues fixed in the libsndfile-devel-1.0.31-2.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10992 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10992 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2007-4974/ SUSE CVE CVE-2007-4974 page https://www.suse.com/security/cve/CVE-2017-12562/ SUSE CVE CVE-2017-12562 page https://www.suse.com/security/cve/CVE-2017-14245/ SUSE CVE CVE-2017-14245 page https://www.suse.com/security/cve/CVE-2017-14246/ SUSE CVE CVE-2017-14246 page https://www.suse.com/security/cve/CVE-2017-14634/ SUSE CVE CVE-2017-14634 page https://www.suse.com/security/cve/CVE-2017-17456/ SUSE CVE CVE-2017-17456 page https://www.suse.com/security/cve/CVE-2017-17457/ SUSE CVE CVE-2017-17457 page https://www.suse.com/security/cve/CVE-2017-6892/ SUSE CVE CVE-2017-6892 page https://www.suse.com/security/cve/CVE-2017-7585/ SUSE CVE CVE-2017-7585 page https://www.suse.com/security/cve/CVE-2017-8361/ SUSE CVE CVE-2017-8361 page https://www.suse.com/security/cve/CVE-2017-8365/ SUSE CVE CVE-2017-8365 page https://www.suse.com/security/cve/CVE-2018-13139/ SUSE CVE CVE-2018-13139 page https://www.suse.com/security/cve/CVE-2018-19432/ SUSE CVE CVE-2018-19432 page https://www.suse.com/security/cve/CVE-2018-19758/ SUSE CVE CVE-2018-19758 page https://www.suse.com/security/cve/CVE-2021-3246/ SUSE CVE CVE-2021-3246 page openSUSE Tumbleweed libsndfile-devel-1.0.31-2.2 libsndfile1-1.0.31-2.2 libsndfile1-32bit-1.0.31-2.2 libsndfile-devel-1.0.31-2.2 as a component of openSUSE Tumbleweed libsndfile1-1.0.31-2.2 as a component of openSUSE Tumbleweed libsndfile1-32bit-1.0.31-2.2 as a component of openSUSE Tumbleweed Heap-based buffer overflow in the flac_buffer_copy function in libsndfile 1.0.17 and earlier might allow remote attackers to execute arbitrary code via a FLAC file with crafted PCM data containing a block with a size that exceeds the previous block size. CVE-2007-4974 openSUSE Tumbleweed:libsndfile-devel-1.0.31-2.2 openSUSE Tumbleweed:libsndfile1-1.0.31-2.2 openSUSE Tumbleweed:libsndfile1-32bit-1.0.31-2.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2007-4974.html CVE-2007-4974 https://bugzilla.suse.com/326070 SUSE Bug 326070 Heap-based Buffer Overflow in the psf_binheader_writef function in common.c in libsndfile through 1.0.28 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact. CVE-2017-12562 openSUSE Tumbleweed:libsndfile-devel-1.0.31-2.2 openSUSE Tumbleweed:libsndfile1-1.0.31-2.2 openSUSE Tumbleweed:libsndfile1-32bit-1.0.31-2.2 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-12562.html CVE-2017-12562 https://bugzilla.suse.com/1052476 SUSE Bug 1052476 An out of bounds read in the function d2alaw_array() in alaw.c of libsndfile 1.0.28 may lead to a remote DoS attack or information disclosure, related to mishandling of the NAN and INFINITY floating-point values. CVE-2017-14245 openSUSE Tumbleweed:libsndfile-devel-1.0.31-2.2 openSUSE Tumbleweed:libsndfile1-1.0.31-2.2 openSUSE Tumbleweed:libsndfile1-32bit-1.0.31-2.2 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-14245.html CVE-2017-14245 https://bugzilla.suse.com/1059912 SUSE Bug 1059912 https://bugzilla.suse.com/1071777 SUSE Bug 1071777 An out of bounds read in the function d2ulaw_array() in ulaw.c of libsndfile 1.0.28 may lead to a remote DoS attack or information disclosure, related to mishandling of the NAN and INFINITY floating-point values. CVE-2017-14246 openSUSE Tumbleweed:libsndfile-devel-1.0.31-2.2 openSUSE Tumbleweed:libsndfile1-1.0.31-2.2 openSUSE Tumbleweed:libsndfile1-32bit-1.0.31-2.2 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-14246.html CVE-2017-14246 https://bugzilla.suse.com/1059913 SUSE Bug 1059913 https://bugzilla.suse.com/1071767 SUSE Bug 1071767 In libsndfile 1.0.28, a divide-by-zero error exists in the function double64_init() in double64.c, which may lead to DoS when playing a crafted audio file. CVE-2017-14634 openSUSE Tumbleweed:libsndfile-devel-1.0.31-2.2 openSUSE Tumbleweed:libsndfile1-1.0.31-2.2 openSUSE Tumbleweed:libsndfile1-32bit-1.0.31-2.2 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-14634.html CVE-2017-14634 https://bugzilla.suse.com/1059911 SUSE Bug 1059911 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-14245. Reason: This candidate is a duplicate of CVE-2017-14245. Notes: All CVE users should reference CVE-2017-14245 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-2017-17456 openSUSE Tumbleweed:libsndfile-devel-1.0.31-2.2 openSUSE Tumbleweed:libsndfile1-1.0.31-2.2 openSUSE Tumbleweed:libsndfile1-32bit-1.0.31-2.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-17456.html CVE-2017-17456 https://bugzilla.suse.com/1059912 SUSE Bug 1059912 https://bugzilla.suse.com/1071777 SUSE Bug 1071777 https://bugzilla.suse.com/1117906 SUSE Bug 1117906 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-14246. Reason: This candidate is a duplicate of CVE-2017-14246. Notes: All CVE users should reference CVE-2017-14246 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-2017-17457 openSUSE Tumbleweed:libsndfile-devel-1.0.31-2.2 openSUSE Tumbleweed:libsndfile1-1.0.31-2.2 openSUSE Tumbleweed:libsndfile1-32bit-1.0.31-2.2 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-17457.html CVE-2017-17457 https://bugzilla.suse.com/1059913 SUSE Bug 1059913 https://bugzilla.suse.com/1071767 SUSE Bug 1071767 https://bugzilla.suse.com/1117906 SUSE Bug 1117906 In libsndfile version 1.0.28, an error in the "aiff_read_chanmap()" function (aiff.c) can be exploited to cause an out-of-bounds read memory access via a specially crafted AIFF file. CVE-2017-6892 openSUSE Tumbleweed:libsndfile-devel-1.0.31-2.2 openSUSE Tumbleweed:libsndfile1-1.0.31-2.2 openSUSE Tumbleweed:libsndfile1-32bit-1.0.31-2.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-6892.html CVE-2017-6892 https://bugzilla.suse.com/1043978 SUSE Bug 1043978 In libsndfile before 1.0.28, an error in the "flac_buffer_copy()" function (flac.c) can be exploited to cause a stack-based buffer overflow via a specially crafted FLAC file. CVE-2017-7585 openSUSE Tumbleweed:libsndfile-devel-1.0.31-2.2 openSUSE Tumbleweed:libsndfile1-1.0.31-2.2 openSUSE Tumbleweed:libsndfile1-32bit-1.0.31-2.2 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7585.html CVE-2017-7585 https://bugzilla.suse.com/1033054 SUSE Bug 1033054 https://bugzilla.suse.com/1033914 SUSE Bug 1033914 https://bugzilla.suse.com/1033915 SUSE Bug 1033915 The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted audio file. CVE-2017-8361 openSUSE Tumbleweed:libsndfile-devel-1.0.31-2.2 openSUSE Tumbleweed:libsndfile1-1.0.31-2.2 openSUSE Tumbleweed:libsndfile1-32bit-1.0.31-2.2 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-8361.html CVE-2017-8361 https://bugzilla.suse.com/1036944 SUSE Bug 1036944 The i2les_array function in pcm.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted audio file. CVE-2017-8365 openSUSE Tumbleweed:libsndfile-devel-1.0.31-2.2 openSUSE Tumbleweed:libsndfile1-1.0.31-2.2 openSUSE Tumbleweed:libsndfile1-32bit-1.0.31-2.2 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-8365.html CVE-2017-8365 https://bugzilla.suse.com/1036946 SUSE Bug 1036946 A stack-based buffer overflow in psf_memset in common.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted audio file. The vulnerability can be triggered by the executable sndfile-deinterleave. CVE-2018-13139 openSUSE Tumbleweed:libsndfile-devel-1.0.31-2.2 openSUSE Tumbleweed:libsndfile1-1.0.31-2.2 openSUSE Tumbleweed:libsndfile1-32bit-1.0.31-2.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-13139.html CVE-2018-13139 https://bugzilla.suse.com/1100167 SUSE Bug 1100167 https://bugzilla.suse.com/1116993 SUSE Bug 1116993 https://bugzilla.suse.com/1211493 SUSE Bug 1211493 An issue was discovered in libsndfile 1.0.28. There is a NULL pointer dereference in the function sf_write_int in sndfile.c, which will lead to a denial of service. CVE-2018-19432 openSUSE Tumbleweed:libsndfile-devel-1.0.31-2.2 openSUSE Tumbleweed:libsndfile1-1.0.31-2.2 openSUSE Tumbleweed:libsndfile1-32bit-1.0.31-2.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-19432.html CVE-2018-19432 https://bugzilla.suse.com/1116993 SUSE Bug 1116993 There is a heap-based buffer over-read at wav.c in wav_write_header in libsndfile 1.0.28 that will cause a denial of service. CVE-2018-19758 openSUSE Tumbleweed:libsndfile-devel-1.0.31-2.2 openSUSE Tumbleweed:libsndfile1-1.0.31-2.2 openSUSE Tumbleweed:libsndfile1-32bit-1.0.31-2.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-19758.html CVE-2018-19758 https://bugzilla.suse.com/1117954 SUSE Bug 1117954 https://bugzilla.suse.com/1125575 SUSE Bug 1125575 A heap buffer overflow vulnerability in msadpcm_decode_block of libsndfile 1.0.30 allows attackers to execute arbitrary code via a crafted WAV file. CVE-2021-3246 openSUSE Tumbleweed:libsndfile-devel-1.0.31-2.2 openSUSE Tumbleweed:libsndfile1-1.0.31-2.2 openSUSE Tumbleweed:libsndfile1-32bit-1.0.31-2.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-3246.html CVE-2021-3246 https://bugzilla.suse.com/1188540 SUSE Bug 1188540