Bug 1174792 (CVE-2014-8145)
| Field | Value |
|---|---|
| Summary | CVE-2014-8145 sox: two heap out-of-bounds access issues (oCERT-2014-010) |
| Product | [Other] Security Response |
| Reporter | Tomas Hoger <thoger> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED WONTFIX |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| CC | carnil, security-response-team |
| Target Milestone | --- |
| Keywords | Reopened, Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Doc Text | It was discovered that SoX did not correctly process NIST Sphere and WAV audio files. By tricking a victim into processing a specially crafted NIST Sphere or WAV audio file, a remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running SoX. |
| Story Points | --- |
| Last Closed | 2021-06-14 15:04:11 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Depends On | 1184079 |
| Bug Blocks | 1174802 |
Description
Tomas Hoger 2014-12-16 13:54:13 UTC

Created attachment 969552 [details]
Upstream patch 1 - 0001-Check-for-minimum-size-sphere-headers

Upstream patch provided with the report

Created attachment 969553 [details]
Upstream patch 2 - 0002-More-checks-for-invalid-MS-ADPCM-blocks

Upstream patch provided with the report

The report does not indicate if the above two patches only address 2 heap OOB access issues, or if they should address NULL deref and division by zero issues.

External Reference: http://www.ocert.org/advisories/ocert-2014-010.html

Created sox tracking bugs for this issue:
Affects: fedora-all [bug 1184079]

sox-14.4.1-7.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

The patches above fix the 2 OOB write issues. The other issues are without any security impact in this case, but they appear to be unfixed.

Statement: This issue affects the versions of sox as shipped with Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2014-8145
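The first upstream patch title above ("Check for minimum size sphere headers") describes the class of fix involved: a length read from the file must be validated before it is used for allocation or as an offset. The following C program is an added illustration of that defensive pattern and is not SoX source code nor either of the attached patches. It relies on two facts about the NIST SPHERE format: a file begins with the 8-byte magic `NIST_1A\n`, followed by an 8-byte ASCII line carrying the total header length as up to seven right-aligned decimal digits plus a newline, after which the header holds `name -type value` lines terminated by `end_head`. The function names, error codes, the 1 MiB sanity cap and the sample headers are assumptions constructed for this example; the WAV/MS ADPCM side of the bug is not covered.

```c
/* Bounds-checked reading of a NIST SPHERE header prefix.
 * Added example, not SoX code. Format facts used: 8-byte magic "NIST_1A\n",
 * then an 8-byte ASCII header-length line (7 right-aligned digits + '\n'),
 * then "name -type value" lines ending with "end_head". Names, error codes,
 * the size cap and the sample data below are assumptions for the example. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SPHERE_MAGIC       "NIST_1A\n"
#define SPHERE_MAGIC_LEN   8
#define SPHERE_SIZE_LEN    8                                    /* 7 digits + '\n' */
#define SPHERE_MIN_HEADER  (SPHERE_MAGIC_LEN + SPHERE_SIZE_LEN) /* 16 bytes */
#define SPHERE_MAX_HEADER  (1u << 20)                           /* assumed sanity cap */

enum {
    SPHERE_OK        =  0,
    SPHERE_ERR_SHORT = -1,  /* fewer than 16 bytes available */
    SPHERE_ERR_MAGIC = -2,  /* not a SPHERE file */
    SPHERE_ERR_SIZE  = -3,  /* size line malformed, below minimum or above cap */
    SPHERE_ERR_TRUNC = -4   /* declared header longer than the bytes we hold */
};

/* Validate the prefix and store the declared header length in *header_size.
 * The declared value is checked against the 16-byte minimum and against the
 * bytes actually available BEFORE a caller may use it as a size or offset. */
int sphere_header_size(const unsigned char *buf, size_t len, size_t *header_size)
{
    const unsigned char *p;
    size_t i = 0;
    unsigned long declared = 0;
    int seen_digit = 0;

    if (len < SPHERE_MIN_HEADER)
        return SPHERE_ERR_SHORT;
    if (memcmp(buf, SPHERE_MAGIC, SPHERE_MAGIC_LEN) != 0)
        return SPHERE_ERR_MAGIC;

    p = buf + SPHERE_MAGIC_LEN;
    while (i < SPHERE_SIZE_LEN - 1 && p[i] == ' ')   /* skip right-alignment padding */
        i++;
    for (; i < SPHERE_SIZE_LEN - 1; i++) {           /* digits only, no sign, no junk */
        if (p[i] < '0' || p[i] > '9')
            return SPHERE_ERR_SIZE;
        declared = declared * 10 + (unsigned long)(p[i] - '0');
        seen_digit = 1;
    }
    if (!seen_digit || p[SPHERE_SIZE_LEN - 1] != '\n')
        return SPHERE_ERR_SIZE;
    if (declared < SPHERE_MIN_HEADER || declared > SPHERE_MAX_HEADER)
        return SPHERE_ERR_SIZE;   /* the minimum-size check the patch title refers to */
    if (declared > len)
        return SPHERE_ERR_TRUNC;

    *header_size = declared;
    return SPHERE_OK;
}

/* Find "name -type value" inside [16, header_size) without reading past it.
 * header_size must already have been validated by sphere_header_size().
 * Returns 1 and copies the value, 0 if absent or end_head is reached,
 * -1 if the caller's buffer is too small. */
int sphere_get_field(const unsigned char *buf, size_t header_size,
                     const char *name, char *out, size_t outlen)
{
    size_t pos = SPHERE_MIN_HEADER, nlen = strlen(name);

    while (pos < header_size) {
        size_t eol = pos, linelen, v, vlen;
        while (eol < header_size && buf[eol] != '\n')  /* bounded line scan */
            eol++;
        linelen = eol - pos;
        if (linelen == 8 && memcmp(buf + pos, "end_head", 8) == 0)
            return 0;
        if (linelen > nlen + 4 && memcmp(buf + pos, name, nlen) == 0 &&
            buf[pos + nlen] == ' ' && buf[pos + nlen + 1] == '-') {
            v = pos + nlen + 1;
            while (v < eol && buf[v] != ' ')            /* skip the "-i"/"-s5" type token */
                v++;
            if (v < eol)
                v++;
            vlen = eol - v;
            if (vlen + 1 > outlen)
                return -1;
            memcpy(out, buf + v, vlen);
            out[vlen] = '\0';
            return 1;
        }
        pos = eol + 1;
    }
    return 0;
}

/* Constructed samples: a 65-byte header whose size line says 65, a prefix that
 * declares 8 bytes (below the minimum), and one that declares more than present. */
static const char GOOD_HEADER[]  = "NIST_1A\n     65\nsample_rate -i 16000\nchannel_count -i 1\nend_head\n";
static const char TINY_HEADER[]  = "NIST_1A\n      8\n";
static const char TRUNC_HEADER[] = "NIST_1A\n   1024\n";

/* Wrappers that reduce each check to a plain return value. */
int check_prefix(const char *hdr, size_t len)
{
    size_t hs = 0;
    int rc = sphere_header_size((const unsigned char *)hdr, len, &hs);
    return rc == SPHERE_OK ? (int)hs : rc;
}

int field_equals(const char *name, const char *expected)
{
    char val[32];
    if (sphere_get_field((const unsigned char *)GOOD_HEADER, sizeof GOOD_HEADER - 1,
                         name, val, sizeof val) != 1)
        return 0;
    return strcmp(val, expected) == 0;
}

int main(void)
{
    printf("good : %d\n", check_prefix(GOOD_HEADER, sizeof GOOD_HEADER - 1));   /* 65 */
    printf("tiny : %d\n", check_prefix(TINY_HEADER, sizeof TINY_HEADER - 1));   /* -3 */
    printf("trunc: %d\n", check_prefix(TRUNC_HEADER, sizeof TRUNC_HEADER - 1)); /* -4 */
    printf("rate : %d\n", field_equals("sample_rate", "16000"));                /* 1 */
    return 0;
}
```

The point of the shape is ordering: every use of the attacker-controlled length, whether as an allocation size, a subtraction operand or a scan bound, happens only after `sphere_header_size()` has rejected values below 16 and values larger than the data actually read, so the later field scan can never walk past the buffer it was given.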