libsox3-14.4.2-8.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13359 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libsox3-14.4.2-8.1 on GA media These are all security issues fixed in the libsox3-14.4.2-8.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13359 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:13359 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2019-13590/ SUSE CVE CVE-2019-13590 page https://www.suse.com/security/cve/CVE-2021-23159/ SUSE CVE CVE-2021-23159 page https://www.suse.com/security/cve/CVE-2021-33844/ SUSE CVE CVE-2021-33844 page https://www.suse.com/security/cve/CVE-2021-3643/ SUSE CVE CVE-2021-3643 page https://www.suse.com/security/cve/CVE-2021-40426/ SUSE CVE CVE-2021-40426 page https://www.suse.com/security/cve/CVE-2022-31650/ SUSE CVE CVE-2022-31650 page https://www.suse.com/security/cve/CVE-2022-31651/ SUSE CVE CVE-2022-31651 page https://www.suse.com/security/cve/CVE-2023-32627/ SUSE CVE CVE-2023-32627 page https://www.suse.com/security/cve/CVE-2023-34318/ SUSE CVE CVE-2023-34318 page openSUSE Tumbleweed libsox3-14.4.2-8.1 sox-14.4.2-8.1 sox-devel-14.4.2-8.1 libsox3-14.4.2-8.1 as a component of openSUSE Tumbleweed sox-14.4.2-8.1 as a component of openSUSE Tumbleweed sox-devel-14.4.2-8.1 as a component of openSUSE Tumbleweed An issue was discovered in libsox.a in SoX 14.4.2. In sox-fmt.h (startread function), there is an integer overflow on the result of integer addition (wraparound to 0) fed into the lsx_calloc macro that wraps malloc. When a NULL pointer is returned, it is used without a prior check that it is a valid pointer, leading to a NULL pointer dereference on lsx_readbuf in formats_i.c. CVE-2019-13590 openSUSE Tumbleweed:libsox3-14.4.2-8.1 openSUSE Tumbleweed:sox-14.4.2-8.1 openSUSE Tumbleweed:sox-devel-14.4.2-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-13590.html CVE-2019-13590 https://bugzilla.suse.com/1141671 SUSE Bug 1141671 A vulnerability was found in SoX, where a heap-buffer-overflow occurs in function lsx_read_w_buf() in formats_i.c file. The vulnerability is exploitable with a crafted file, that could cause an application to crash. CVE-2021-23159 openSUSE Tumbleweed:libsox3-14.4.2-8.1 openSUSE Tumbleweed:sox-14.4.2-8.1 openSUSE Tumbleweed:sox-devel-14.4.2-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-23159.html CVE-2021-23159 https://bugzilla.suse.com/1207046 SUSE Bug 1207046 A floating point exception (divide-by-zero) issue was discovered in SoX in functon startread() of wav.c file. An attacker with a crafted wav file, could cause an application to crash. CVE-2021-33844 openSUSE Tumbleweed:libsox3-14.4.2-8.1 openSUSE Tumbleweed:sox-14.4.2-8.1 openSUSE Tumbleweed:sox-devel-14.4.2-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-33844.html CVE-2021-33844 https://bugzilla.suse.com/1207043 SUSE Bug 1207043 A flaw was found in sox 14.4.1. The lsx_adpcm_init function within libsox leads to a global-buffer-overflow. This flaw allows an attacker to input a malicious file, leading to the disclosure of sensitive information. CVE-2021-3643 openSUSE Tumbleweed:libsox3-14.4.2-8.1 openSUSE Tumbleweed:sox-14.4.2-8.1 openSUSE Tumbleweed:sox-devel-14.4.2-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-3643.html CVE-2021-3643 https://bugzilla.suse.com/1207920 SUSE Bug 1207920 A heap-based buffer overflow vulnerability exists in the sphere.c start_read() functionality of Sound Exchange libsox 14.4.2 and master commit 42b3557e. A specially-crafted file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. CVE-2021-40426 openSUSE Tumbleweed:libsox3-14.4.2-8.1 openSUSE Tumbleweed:sox-14.4.2-8.1 openSUSE Tumbleweed:sox-devel-14.4.2-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-40426.html CVE-2021-40426 https://bugzilla.suse.com/1200056 SUSE Bug 1200056 In SoX 14.4.2, there is a floating-point exception in lsx_aiffstartwrite in aiff.c in libsox.a. CVE-2022-31650 openSUSE Tumbleweed:libsox3-14.4.2-8.1 openSUSE Tumbleweed:sox-14.4.2-8.1 openSUSE Tumbleweed:sox-devel-14.4.2-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-31650.html CVE-2022-31650 https://bugzilla.suse.com/1199946 SUSE Bug 1199946 In SoX 14.4.2, there is an assertion failure in rate_init in rate.c in libsox.a. CVE-2022-31651 openSUSE Tumbleweed:libsox3-14.4.2-8.1 openSUSE Tumbleweed:sox-14.4.2-8.1 openSUSE Tumbleweed:sox-devel-14.4.2-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-31651.html CVE-2022-31651 https://bugzilla.suse.com/1199947 SUSE Bug 1199947 A floating point exception vulnerability was found in sox, in the read_samples function at sox/src/voc.c:334:18. This flaw can lead to a denial of service. CVE-2023-32627 openSUSE Tumbleweed:libsox3-14.4.2-8.1 openSUSE Tumbleweed:sox-14.4.2-8.1 openSUSE Tumbleweed:sox-devel-14.4.2-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-32627.html CVE-2023-32627 https://bugzilla.suse.com/1212061 SUSE Bug 1212061 A heap buffer overflow vulnerability was found in sox, in the startread function at sox/src/hcom.c:160:41. This flaw can lead to a denial of service, code execution, or information disclosure. CVE-2023-34318 openSUSE Tumbleweed:libsox3-14.4.2-8.1 openSUSE Tumbleweed:sox-14.4.2-8.1 openSUSE Tumbleweed:sox-devel-14.4.2-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-34318.html CVE-2023-34318 https://bugzilla.suse.com/1212062 SUSE Bug 1212062