{"affected":[{"ecosystem_specific":{"binaries":[{"libsox3":"14.4.2-5.1","sox":"14.4.2-5.1","sox-devel":"14.4.2-5.1"}]},"package":{"ecosystem":"SUSE:Package Hub 12 SP3","name":"sox","purl":"pkg:rpm/suse/sox&distro=SUSE%20Package%20Hub%2012%20SP3"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"14.4.2-5.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for sox fixes the following issues:\n\n* CVE-2017-11332: Fixed the startread function in wav.c, which allowed\n  remote attackers to cause a DoS (divide-by-zero) via a crafted wav file.\n  (boo#1081140)\n* CVE-2017-11358: Fixed the read_samples function in hcom.c, which\n  allowed remote attackers to cause a DoS (invalid memory read) via a crafted\n  hcom file. (boo#1081141)\n* CVE-2017-11359: Fixed the wavwritehdr function in wav.c, which\n  allowed remote attackers to cause a DoS (divide-by-zero) when converting\n  a crafted snd file to a wav file. (boo#1081142)\n* CVE-2017-15370: Fixed a heap-based buffer overflow in the ImaExpandS\n  function of ima_rw.c, which allowed remote attackers to cause a DoS during\n  conversion of a crafted audio file. (boo#1063439)\n* CVE-2017-15371: Fixed an assertion abort in the function\n  sox_append_comment() in formats.c, which allowed remote attackers to cause\n  a DoS during conversion of a crafted audio file. (boo#1063450)\n* CVE-2017-15372: Fixed a stack-based buffer overflow in the\n  lsx_ms_adpcm_block_expand_i function of adpcm.c, which allowed remote\n  attackers to cause a DoS during conversion of a crafted audio file.\n  (boo#1063456)\n* CVE-2017-15642: Fixed a Use-After-Free vulnerability in\n  lsx_aiffstartread in aiff.c, which could be triggered by an attacker by\n  providing a malformed AIFF file. (boo#1064576)\n* CVE-2017-18189: Fixed a NULL pointer dereference triggered by a\n  corrupt header specifying zero channels in the startread function in\n  xa.c, which allowed remote attackers to cause a DoS (boo#1081146).\n\n","id":"openSUSE-SU-2018:0489-1","modified":"2018-02-20T12:28:13Z","published":"2018-02-20T12:28:13Z","references":[{"type":"ADVISORY","url":null},{"type":"REPORT","url":"https://bugzilla.suse.com/1063439"},{"type":"REPORT","url":"https://bugzilla.suse.com/1063450"},{"type":"REPORT","url":"https://bugzilla.suse.com/1063456"},{"type":"REPORT","url":"https://bugzilla.suse.com/1064576"},{"type":"REPORT","url":"https://bugzilla.suse.com/1081140"},{"type":"REPORT","url":"https://bugzilla.suse.com/1081141"},{"type":"REPORT","url":"https://bugzilla.suse.com/1081142"},{"type":"REPORT","url":"https://bugzilla.suse.com/1081146"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-11332"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-11358"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-11359"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-15370"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-15371"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-15372"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-15642"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-18189"}],"related":["CVE-2017-11332","CVE-2017-11358","CVE-2017-11359","CVE-2017-15370","CVE-2017-15371","CVE-2017-15372","CVE-2017-15642","CVE-2017-18189"],"summary":"Security update for sox","upstream":["CVE-2017-11332","CVE-2017-11358","CVE-2017-11359","CVE-2017-15370","CVE-2017-15371","CVE-2017-15372","CVE-2017-15642","CVE-2017-18189"]}