
CVE-2018-17095

Published: 16 September 2018

An issue has been discovered in mpruett Audio File Library (aka audiofile) 0.3.6, 0.3.5, 0.3.4, 0.3.3, 0.3.2, 0.3.1, 0.3.0. A heap-based buffer overflow in Expand3To4Module::run has occurred when running sfconvert.

Notes

Author: Note
mdeslaur: no fix as of 2018-09-18
ebarretto: It looks like upstream is not active anymore, some of the open CVEs have a proposed fix on a fork.

Priority

Medium

CVSS 3 base score: 8.8

Status

Package: audiofile (Launchpad, Ubuntu, Debian)

Release: Status
bionic: Deferred (2018-09-18)
cosmic: Ignored (reached end-of-life)
disco: Ignored (reached end-of-life)
eoan: Not vulnerable (0.3.6-5)
focal: Not vulnerable (0.3.6-5build1)
groovy: Not vulnerable (0.3.6-5build1)
hirsute: Not vulnerable (0.3.6-5build1)
impish: Not vulnerable (0.3.6-5build1)
jammy: Not vulnerable (0.3.6-5build1)
precise: Does not exist
trusty: Released (0.3.6-2ubuntu0.14.04.3)
upstream: Needs triage
xenial: Ignored (end of standard support, was deferred [2018-09-18])

Patches:
upstream: https://github.com/wtay/audiofile/commit/822b732fd31ffcb78f6920001e9b1fbd815fa712