An update for audiofile is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1
Security Advisory
openeuler-security@openeuler.org
openEuler security committee
openEuler-SA-2021-1040
Final
1.0
1.0
2021-03-05
Initial
2021-03-05
2021-03-05
openEuler SA Tool V1.0
2021-03-05
audiofile security update
An update for audiofile is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1.
The Audio File Library is a C-based library for reading and writing audio files in many common formats. The Audio File Library provides a uniform API which abstracts away details of file formats and data formats. The same calls for opening a file, accessing and manipulating audio metadata (e.g. sample rate, sample format, textual information, MIDI parameters), and reading and writing sample data will work with any supported audio file format.
Security Fix(es):
Heap-based buffer overflow in the readValue function in FileHandle.cpp in audiofile (aka libaudiofile and Audio File Library) 0.3.6 allows remote attackers to have unspecified impact via a crafted WAV file.(CVE-2017-6828)
Integer overflow in modules/MSADPCM.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file.(CVE-2017-6839)
Integer overflow in sfcommands/sfconvert.c in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file.(CVE-2017-6838)
Heap-based buffer overflow in the decodeBlockWAVE function in IMA.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file.(CVE-2017-6831)
The decodeSample function in IMA.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file.(CVE-2017-6829)
An update for audiofile is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1.
openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.
High
audiofile
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1040
https://openeuler.org/en/security/cve/detail.html?id=CVE-2017-6828
https://openeuler.org/en/security/cve/detail.html?id=CVE-2017-6839
https://openeuler.org/en/security/cve/detail.html?id=CVE-2017-6838
https://openeuler.org/en/security/cve/detail.html?id=CVE-2017-6831
https://openeuler.org/en/security/cve/detail.html?id=CVE-2017-6829
https://nvd.nist.gov/vuln/detail/CVE-2017-6828
https://nvd.nist.gov/vuln/detail/CVE-2017-6839
https://nvd.nist.gov/vuln/detail/CVE-2017-6838
https://nvd.nist.gov/vuln/detail/CVE-2017-6831
https://nvd.nist.gov/vuln/detail/CVE-2017-6829
openEuler-20.03-LTS
openEuler-20.03-LTS-SP1
audiofile-debuginfo-0.3.6-25.oe1.aarch64.rpm
audiofile-devel-0.3.6-25.oe1.aarch64.rpm
audiofile-0.3.6-25.oe1.aarch64.rpm
audiofile-debugsource-0.3.6-25.oe1.aarch64.rpm
audiofile-debuginfo-0.3.6-25.oe1.aarch64.rpm
audiofile-devel-0.3.6-25.oe1.aarch64.rpm
audiofile-0.3.6-25.oe1.aarch64.rpm
audiofile-debugsource-0.3.6-25.oe1.aarch64.rpm
audiofile-help-0.3.6-25.oe1.noarch.rpm
audiofile-help-0.3.6-25.oe1.noarch.rpm
audiofile-0.3.6-25.oe1.src.rpm
audiofile-0.3.6-25.oe1.src.rpm
audiofile-debuginfo-0.3.6-25.oe1.x86_64.rpm
audiofile-0.3.6-25.oe1.x86_64.rpm
audiofile-debugsource-0.3.6-25.oe1.x86_64.rpm
audiofile-devel-0.3.6-25.oe1.x86_64.rpm
audiofile-debuginfo-0.3.6-25.oe1.x86_64.rpm
audiofile-0.3.6-25.oe1.x86_64.rpm
audiofile-debugsource-0.3.6-25.oe1.x86_64.rpm
audiofile-devel-0.3.6-25.oe1.x86_64.rpm
Heap-based buffer overflow in the readValue function in FileHandle.cpp in audiofile (aka libaudiofile and Audio File Library) 0.3.6 allows remote attackers to have unspecified impact via a crafted WAV file.
2021-03-05
CVE-2017-6828
openEuler-20.03-LTS
openEuler-20.03-LTS-SP1
High
7.8
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
audiofile security update
2021-03-05
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1040
Integer overflow in modules/MSADPCM.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file.
2021-03-05
CVE-2017-6839
openEuler-20.03-LTS
openEuler-20.03-LTS-SP1
Medium
5.5
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
audiofile security update
2021-03-05
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1040
Integer overflow in sfcommands/sfconvert.c in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file.
2021-03-05
CVE-2017-6838
openEuler-20.03-LTS
openEuler-20.03-LTS-SP1
Medium
5.5
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
audiofile security update
2021-03-05
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1040
Heap-based buffer overflow in the decodeBlockWAVE function in IMA.cpp in Audio File Library (aka audiofile) 0.3.6 0.3.4, 0.3.3, 0.3.2, 0.3.1, 0.3.0 and 0.2.7 allows remote attackers to cause a denial of service (crash) via a crafted file.
2021-03-05
CVE-2017-6831
openEuler-20.03-LTS
openEuler-20.03-LTS-SP1
Medium
5.5
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
audiofile security update
2021-03-05
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1040
The decodeSample function in IMA.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file.
2021-03-05
CVE-2017-6829
openEuler-20.03-LTS
openEuler-20.03-LTS-SP1
Medium
5.5
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
audiofile security update
2021-03-05
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1040