CVE-2018-17095

Published: 16 September 2018

An issue has been discovered in mpruett Audio File Library (aka audiofile) 0.3.6, 0.3.5, 0.3.4, 0.3.3, 0.3.2, 0.3.1, 0.3.0. A heap-based buffer overflow in Expand3To4Module::run has occurred when running sfconvert.

Priority

Medium

CVSS 3 base score: 8.8

Status

Package: audiofile (Launchpad, Ubuntu, Debian)

Release: Status
Upstream: Needs triage
Ubuntu 21.10 (Impish Indri): Not vulnerable (0.3.6-5build1)
Ubuntu 21.04 (Hirsute Hippo): Not vulnerable (0.3.6-5build1)
Ubuntu 20.04 LTS (Focal Fossa): Not vulnerable (0.3.6-5build1)
Ubuntu 18.04 LTS (Bionic Beaver): Deferred (2018-09-18)
Ubuntu 16.04 ESM (Xenial Xerus): Ignored (end of standard support, was deferred [2018-09-18])
Ubuntu 14.04 ESM (Trusty Tahr): Released (0.3.6-2ubuntu0.14.04.3)

Patches:
Upstream: https://github.com/wtay/audiofile/commit/822b732fd31ffcb78f6920001e9b1fbd815fa712

Notes

Author: Note
mdeslaur: no fix as of 2018-09-18
ebarretto: It looks like upstream is not active anymore; some of the open CVEs have a proposed fix on a fork.

References

Bugs