Your submission was sent successfully! Close

CVE-2018-13440

Published: 8 July 2018

The audiofile Audio File Library 0.3.6 has a NULL pointer dereference bug in ModuleState::setup in modules/ModuleState.cpp, which allows an attacker to cause a denial of service via a crafted caf file, as demonstrated by sfconvert.

Notes

AuthorNote
ebarretto
It looks like upstream is not active anymore, some of the open CVEs
have a proposed fix on a fork.
Marking as deferred for now.
Priority

Low

CVSS 3 base score: 6.5

Status

Package Release Status
audiofile
Launchpad, Ubuntu, Debian
artful Ignored
(reached end-of-life)
bionic Needed

cosmic Ignored
(reached end-of-life)
disco Ignored
(reached end-of-life)
eoan Not vulnerable
(0.3.6-5)
focal Not vulnerable
(0.3.6-5)
groovy Not vulnerable
(0.3.6-5)
hirsute Not vulnerable
(0.3.6-5)
impish Not vulnerable
(0.3.6-5)
jammy Not vulnerable
(0.3.6-5)
precise Does not exist

trusty
Released (0.3.6-2ubuntu0.14.04.3)
upstream Needs triage

xenial Ignored
(end of standard support, was needed)
Patches:
upstream: https://github.com/wtay/audiofile/commit/fde6d79fb8363c4a329a184ef0b107156602b225