[ubuntu/xenial-updates] sox 14.4.1-5ubuntu0.1 (Accepted)

Ubuntu Archive Robot cjwatson+ubuntu-archive-robot at chiark.greenend.org.uk
Thu Jan 31 22:28:09 UTC 2019


sox (14.4.1-5ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Buffer overflow
    - debian/patches/0001-Check-for-minimum-size-sphere-headers.patch: Avoid
      integer underflow by validating the header_size_ul for NIST sphere
      formatted media files.
    - debian/patches/0002-More-checks-for-invalid-MS-ADPCM-blocks.patch: Check
      the number of samples in a wav block against the expected samples per
      block.
    - CVE-2014-8145
  * SECURITY UPDATE: Division by zero
    - debian/patches/CVE-2017-11332.patch: wav: fix crash if channel count is
      zero
    - CVE-2017-11332
  * SECURITY UPDATE: Division by zero
    - debian/patches/CVE-2017-11358.patch: hcom: fix crash on input with
      corrupt dictionary
    - CVE-2017-11358
  * SECURITY UPDATE: Invalid memory read
    - debian/patches/CVE-2017-11359.patch: wav: fix crash writing header when
      channel count >64k
    - CVE-2017-11359
  * SECURITY UPDATE: Buffer overflow
    - debian/patches/CVE-2017-15370.patch: wav: ima_adpcm: fix buffer overflow
      on corrupt input
    - CVE-2017-15370
  * SECURITY UPDATE: Buffer overflow
    - debian/patches/CVE-2017-15371.patch: flac: fix crash on corrupt metadata
    - CVE-2017-15371
  * SECURITY UPDATE: Buffer overflow
    - debian/patches/CVE-2017-15372.patch: adpcm: fix stack overflow with >4
      channels
    - CVE-2017-15372
  * SECURITY UPDATE: Use after free
    - debian/patches/CVE-2017-15642.patch: adpcm: fix a user after free and
      double free if an empty comment chunk follows a non-empty one.
    - CVE-2017-15642
  * SECURITY UPDATE: NULL pointer dereference
    - debian/patches/CVE-2017-18189.patch: Prevent infinite loop caused by
        specifying zero channels in a header. Also add an upper bound to prevent
        overflow in multiplication
    - CVE-2017-18189

Date: 2019-01-31 20:38:25.119429+00:00
Changed-By: Mike Salvatore <mike.salvatore at canonical.com>
Signed-By: Ubuntu Archive Robot <cjwatson+ubuntu-archive-robot at chiark.greenend.org.uk>
https://launchpad.net/ubuntu/+source/sox/14.4.1-5ubuntu0.1
-------------- next part --------------
Sorry, changesfile not available.


More information about the Xenial-changes mailing list