libsox3-14.4.2-5.17 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11394-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libsox3-14.4.2-5.17 on GA media These are all security issues fixed in the libsox3-14.4.2-5.17 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11394 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2017-11332/ SUSE CVE CVE-2017-11332 page https://www.suse.com/security/cve/CVE-2017-11358/ SUSE CVE CVE-2017-11358 page https://www.suse.com/security/cve/CVE-2017-11359/ SUSE CVE CVE-2017-11359 page https://www.suse.com/security/cve/CVE-2017-15370/ SUSE CVE CVE-2017-15370 page https://www.suse.com/security/cve/CVE-2017-15371/ SUSE CVE CVE-2017-15371 page https://www.suse.com/security/cve/CVE-2017-15372/ SUSE CVE CVE-2017-15372 page https://www.suse.com/security/cve/CVE-2017-15642/ SUSE CVE CVE-2017-15642 page https://www.suse.com/security/cve/CVE-2017-18189/ SUSE CVE CVE-2017-18189 page openSUSE Tumbleweed libsox3-14.4.2-5.17 sox-14.4.2-5.17 sox-devel-14.4.2-5.17 libsox3-14.4.2-5.17 as a component of openSUSE Tumbleweed sox-14.4.2-5.17 as a component of openSUSE Tumbleweed sox-devel-14.4.2-5.17 as a component of openSUSE Tumbleweed The startread function in wav.c in Sound eXchange (SoX) 14.4.2 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted wav file. CVE-2017-11332 openSUSE Tumbleweed:libsox3-14.4.2-5.17 openSUSE Tumbleweed:sox-14.4.2-5.17 openSUSE Tumbleweed:sox-devel-14.4.2-5.17 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-11332.html CVE-2017-11332 https://bugzilla.suse.com/1081140 SUSE Bug 1081140 The read_samples function in hcom.c in Sound eXchange (SoX) 14.4.2 allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted hcom file. CVE-2017-11358 openSUSE Tumbleweed:libsox3-14.4.2-5.17 openSUSE Tumbleweed:sox-14.4.2-5.17 openSUSE Tumbleweed:sox-devel-14.4.2-5.17 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-11358.html CVE-2017-11358 https://bugzilla.suse.com/1081141 SUSE Bug 1081141 The wavwritehdr function in wav.c in Sound eXchange (SoX) 14.4.2 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted snd file, during conversion to a wav file. CVE-2017-11359 openSUSE Tumbleweed:libsox3-14.4.2-5.17 openSUSE Tumbleweed:sox-14.4.2-5.17 openSUSE Tumbleweed:sox-devel-14.4.2-5.17 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-11359.html CVE-2017-11359 https://bugzilla.suse.com/1081142 SUSE Bug 1081142 There is a heap-based buffer overflow in the ImaExpandS function of ima_rw.c in Sound eXchange (SoX) 14.4.2. A Crafted input will lead to a denial of service attack during conversion of an audio file. CVE-2017-15370 openSUSE Tumbleweed:libsox3-14.4.2-5.17 openSUSE Tumbleweed:sox-14.4.2-5.17 openSUSE Tumbleweed:sox-devel-14.4.2-5.17 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-15370.html CVE-2017-15370 https://bugzilla.suse.com/1063439 SUSE Bug 1063439 There is a reachable assertion abort in the function sox_append_comment() in formats.c in Sound eXchange (SoX) 14.4.2. A Crafted input will lead to a denial of service attack during conversion of an audio file. CVE-2017-15371 openSUSE Tumbleweed:libsox3-14.4.2-5.17 openSUSE Tumbleweed:sox-14.4.2-5.17 openSUSE Tumbleweed:sox-devel-14.4.2-5.17 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-15371.html CVE-2017-15371 https://bugzilla.suse.com/1063450 SUSE Bug 1063450 There is a stack-based buffer overflow in the lsx_ms_adpcm_block_expand_i function of adpcm.c in Sound eXchange (SoX) 14.4.2. A Crafted input will lead to a denial of service attack during conversion of an audio file. CVE-2017-15372 openSUSE Tumbleweed:libsox3-14.4.2-5.17 openSUSE Tumbleweed:sox-14.4.2-5.17 openSUSE Tumbleweed:sox-devel-14.4.2-5.17 low 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-15372.html CVE-2017-15372 https://bugzilla.suse.com/1063456 SUSE Bug 1063456 In lsx_aiffstartread in aiff.c in Sound eXchange (SoX) 14.4.2, there is a Use-After-Free vulnerability triggered by supplying a malformed AIFF file. CVE-2017-15642 openSUSE Tumbleweed:libsox3-14.4.2-5.17 openSUSE Tumbleweed:sox-14.4.2-5.17 openSUSE Tumbleweed:sox-devel-14.4.2-5.17 moderate 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-15642.html CVE-2017-15642 https://bugzilla.suse.com/1064576 SUSE Bug 1064576 In the startread function in xa.c in Sound eXchange (SoX) through 14.4.2, a corrupt header specifying zero channels triggers an infinite loop with a resultant NULL pointer dereference, which may allow a remote attacker to cause a denial-of-service. CVE-2017-18189 openSUSE Tumbleweed:libsox3-14.4.2-5.17 openSUSE Tumbleweed:sox-14.4.2-5.17 openSUSE Tumbleweed:sox-devel-14.4.2-5.17 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-18189.html CVE-2017-18189 https://bugzilla.suse.com/1081146 SUSE Bug 1081146 https://bugzilla.suse.com/1141667 SUSE Bug 1141667