CVE-2019-3832

Published: 21 March 2019

It was discovered the fix for CVE-2018-19758 (libsndfile) was not complete and still allows a read beyond the limits of a buffer in wav_write_header() function in wav.c. A local attacker may use this flaw to make the application crash.

Priority

CVSS 3 base score: 5.0

Status

Package	Release	Status
libsndfile Launchpad, Ubuntu, Debian	bionic	Released (1.0.28-4ubuntu0.18.04.1)
	cosmic	Released (1.0.28-4ubuntu0.18.10.1)
	disco	Not vulnerable (1.0.28-6)
	eoan	Not vulnerable (1.0.28-6)
	focal	Not vulnerable (1.0.28-6)
	groovy	Not vulnerable (1.0.28-6)
	precise	Does not exist
	trusty	Released (1.0.25-7ubuntu2.2+esm1)
	upstream	Released (1.0.28-6)
	xenial	Released (1.0.25-10ubuntu0.16.04.2)

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3832
https://ubuntu.com/security/notices/USN-4013-1
https://ubuntu.com/security/notices/USN-4704-1
NVD
Launchpad
Debian

Bugs

https://github.com/erikd/libsndfile/issues/456#issuecomment-463542436

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›