Bug#932082: sox: CVE-2019-13590

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#932082: sox: CVE-2019-13590
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Sun, 14 Jul 2019 22:16:46 +0200
Message-id: <[🔎] 156313540623.27098.8286424452475699156.reportbug@eldamar.local>
Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 932082@bugs.debian.org

Source: sox
Version: 14.4.2+git20190427-1
Severity: important
Tags: security upstream
Forwarded: https://sourceforge.net/p/sox/bugs/325/

Hi,

The following vulnerability was published for sox.

CVE-2019-13590[0]:
| An issue was discovered in libsox.a in SoX 14.4.2. In sox-fmt.h
| (startread function), there is an integer overflow on the result of
| integer addition (wraparound to 0) fed into the lsx_calloc macro that
| wraps malloc. When a NULL pointer is returned, it is used without a
| prior check that it is a valid pointer, leading to a NULL pointer
| dereference on lsx_readbuf in formats_i.c.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-13590
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13590
[1] https://sourceforge.net/p/sox/bugs/325/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply to:

Prev by Date: wavpack_5.1.0-7_source.changes ACCEPTED into unstable
Next by Date: Bug#932107: cmus: update cmus to 2.8.0
Previous by thread: wavpack_5.1.0-7_source.changes ACCEPTED into unstable
Next by thread: Bug#932107: cmus: update cmus to 2.8.0
Index(es):
- Date
- Thread