Source: libsndfile
Version: 1.0.28-4
Severity: important
Tags: security upstream
Forwarded: https://github.com/erikd/libsndfile/issues/344

Hi,

the following vulnerabilities were published for libsndfile.

CVE-2017-17456[0]:
| The function d2alaw_array() in alaw.c of libsndfile 1.0.29pre1 may lead
| to a remote DoS attack (SEGV on unknown address 0x000000000000), a
| different vulnerability than CVE-2017-14245.

CVE-2017-17457[1]:
| The function d2ulaw_array() in ulaw.c of libsndfile 1.0.29pre1 may lead
| to a remote DoS attack (SEGV on unknown address 0x000000000000), a
| different vulnerability than CVE-2017-14246.

Note, as mentioned in the CVE assignments, that these are different from
CVE-2017-14245 and CVE-2017-14246; crash PoC files are attached to the
upstream bug report and demonstrable with e.g. an ASAN build of
libsndfile.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-17456
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17456
[1] https://security-tracker.debian.org/tracker/CVE-2017-17457
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17457

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore