Explore top 10 tips to secure your open-source projects now. Read More
×
Arch Linux Security Advisory ASA-201602-8 ======================================== Severity: Medium Date : 2016-02-06 CVE-ID : CVE-2014-9496 CVE-2014-9756 CVE-2015-7805 Package : libsndfile Type : multiple issues Remote : Yes Link : https://wiki.archlinux.org/title/CVE Summary ====== The package libsndfile before version 1.0.26-1 is vulnerable to multiple issues including denial of service and unspecified impact. Resolution ========= Upgrade to 1.0.26-1. # pacman -Syu "libsndfile>=1.0.26-1" The problems have been fixed upstream in version 1.0.26. Workaround ========= None. Description ========== - CVE-2014-9496 (unspecified impact) The sd2_parse_rsrc_fork function in sd2.c in libsndfile allows attackers to have unspecified impact via vectors related to a (1) map offset or (2) rsrc marker, which triggers an out-of-bounds read. - CVE-2014-9756 (denial of service) The psf_fwrite function in file_io.c in libsndfile allows attackers to cause a denial of service (divide-by-zero error and application crash) via unspecified vectors related to the headindex variable. - CVE-2015-7805 (unspecified impact) Heap-based buffer overflow in libsndfile 1.0.25 allows remote attackers to have unspecified impact via the headindex value in the header in an AIFF file. Impact ===== A remote attacker could be able to have unspecified impact on the running application. Furthermore a local attacker is able to crash the running application by causing a divide-by-zero error. References ========= https://access.redhat.com/security/cve/CVE-2014-9496 https://access.redhat.com/security/cve/CVE-2014-9756 https://access.redhat.com/security/cve/CVE-2015-7805