An update for audiofile is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2021-1040 Final 1.0 1.0 2021-03-05 Initial 2021-03-05 2021-03-05 openEuler SA Tool V1.0 2021-03-05 audiofile security update An update for audiofile is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1. The Audio File Library is a C-based library for reading and writing audio files in many common formats. The Audio File Library provides a uniform API which abstracts away details of file formats and data formats. The same calls for opening a file, accessing and manipulating audio metadata (e.g. sample rate, sample format, textual information, MIDI parameters), and reading and writing sample data will work with any supported audio file format. Security Fix(es): Heap-based buffer overflow in the readValue function in FileHandle.cpp in audiofile (aka libaudiofile and Audio File Library) 0.3.6 allows remote attackers to have unspecified impact via a crafted WAV file.(CVE-2017-6828) Integer overflow in modules/MSADPCM.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file.(CVE-2017-6839) Integer overflow in sfcommands/sfconvert.c in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file.(CVE-2017-6838) Heap-based buffer overflow in the decodeBlockWAVE function in IMA.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file.(CVE-2017-6831) The decodeSample function in IMA.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file.(CVE-2017-6829) An update for audiofile is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High audiofile https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1040 https://openeuler.org/en/security/cve/detail.html?id=CVE-2017-6828 https://openeuler.org/en/security/cve/detail.html?id=CVE-2017-6839 https://openeuler.org/en/security/cve/detail.html?id=CVE-2017-6838 https://openeuler.org/en/security/cve/detail.html?id=CVE-2017-6831 https://openeuler.org/en/security/cve/detail.html?id=CVE-2017-6829 https://nvd.nist.gov/vuln/detail/CVE-2017-6828 https://nvd.nist.gov/vuln/detail/CVE-2017-6839 https://nvd.nist.gov/vuln/detail/CVE-2017-6838 https://nvd.nist.gov/vuln/detail/CVE-2017-6831 https://nvd.nist.gov/vuln/detail/CVE-2017-6829 openEuler-20.03-LTS openEuler-20.03-LTS-SP1 audiofile-debuginfo-0.3.6-25.oe1.aarch64.rpm audiofile-devel-0.3.6-25.oe1.aarch64.rpm audiofile-0.3.6-25.oe1.aarch64.rpm audiofile-debugsource-0.3.6-25.oe1.aarch64.rpm audiofile-debuginfo-0.3.6-25.oe1.aarch64.rpm audiofile-devel-0.3.6-25.oe1.aarch64.rpm audiofile-0.3.6-25.oe1.aarch64.rpm audiofile-debugsource-0.3.6-25.oe1.aarch64.rpm audiofile-help-0.3.6-25.oe1.noarch.rpm audiofile-help-0.3.6-25.oe1.noarch.rpm audiofile-0.3.6-25.oe1.src.rpm audiofile-0.3.6-25.oe1.src.rpm audiofile-debuginfo-0.3.6-25.oe1.x86_64.rpm audiofile-0.3.6-25.oe1.x86_64.rpm audiofile-debugsource-0.3.6-25.oe1.x86_64.rpm audiofile-devel-0.3.6-25.oe1.x86_64.rpm audiofile-debuginfo-0.3.6-25.oe1.x86_64.rpm audiofile-0.3.6-25.oe1.x86_64.rpm audiofile-debugsource-0.3.6-25.oe1.x86_64.rpm audiofile-devel-0.3.6-25.oe1.x86_64.rpm Heap-based buffer overflow in the readValue function in FileHandle.cpp in audiofile (aka libaudiofile and Audio File Library) 0.3.6 allows remote attackers to have unspecified impact via a crafted WAV file. 2021-03-05 CVE-2017-6828 openEuler-20.03-LTS openEuler-20.03-LTS-SP1 High 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H audiofile security update 2021-03-05 https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1040 Integer overflow in modules/MSADPCM.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file. 2021-03-05 CVE-2017-6839 openEuler-20.03-LTS openEuler-20.03-LTS-SP1 Medium 5.5 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H audiofile security update 2021-03-05 https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1040 Integer overflow in sfcommands/sfconvert.c in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file. 2021-03-05 CVE-2017-6838 openEuler-20.03-LTS openEuler-20.03-LTS-SP1 Medium 5.5 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H audiofile security update 2021-03-05 https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1040 Heap-based buffer overflow in the decodeBlockWAVE function in IMA.cpp in Audio File Library (aka audiofile) 0.3.6 0.3.4, 0.3.3, 0.3.2, 0.3.1, 0.3.0 and 0.2.7 allows remote attackers to cause a denial of service (crash) via a crafted file. 2021-03-05 CVE-2017-6831 openEuler-20.03-LTS openEuler-20.03-LTS-SP1 Medium 5.5 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H audiofile security update 2021-03-05 https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1040 The decodeSample function in IMA.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file. 2021-03-05 CVE-2017-6829 openEuler-20.03-LTS openEuler-20.03-LTS-SP1 Medium 5.5 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H audiofile security update 2021-03-05 https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1040