CVE-2019-8354

Priority
Description
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c has
an integer overflow on the result of multiplication fed into malloc. When
the buffer is allocated, it is smaller than expected, leading to a
heap-based buffer overflow.
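The description's bug class, as an added example that is not SoX's code and does not reproduce lsx_make_lpf: a file-derived element count is multiplied by the element size in an integer width that wraps, so malloc returns far fewer bytes than the later fill loop writes. The hardened allocator beside it bounds the count before any arithmetic and overflow-checks the product. Names such as lpf_table, lpf_alloc, LPF_MAX_TAPS and the one-double-per-tap layout are assumptions made for this illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Byte count as a 32-bit multiply computes it: the product wraps modulo
 * 2^32, so a large tap count can yield a tiny allocation. This models the
 * bug class in the description, not SoX's exact arithmetic. */
uint32_t unchecked_alloc_size32(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/* Overflow-checked multiply for allocation sizes. Returns false (and
 * leaves *out untouched) when count * elem_size does not fit in size_t. */
bool checked_alloc_size(size_t count, size_t elem_size, size_t *out)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return false;
    *out = count * elem_size;
    return true;
}

/* Hypothetical filter-coefficient table (assumption: one double per tap). */
typedef struct {
    size_t  taps;
    double *h;
} lpf_table;

/* Policy cap on the tap count; an assumption for this example, chosen so
 * the byte product stays far from the overflow boundary on any platform. */
#define LPF_MAX_TAPS ((long)1 << 20)

/* Hardened allocator modelled on the vulnerable pattern: a signed,
 * file-derived tap count turned into a malloc size. It rejects
 * non-positive and oversized counts before any arithmetic, then
 * overflow-checks the byte size anyway. Returns NULL on any failure. */
lpf_table *lpf_alloc(long num_taps)
{
    size_t bytes;
    lpf_table *t;

    if (num_taps <= 0 || num_taps > LPF_MAX_TAPS)
        return NULL;
    if (!checked_alloc_size((size_t)num_taps, sizeof(double), &bytes))
        return NULL;

    t = malloc(sizeof *t);
    if (t == NULL)
        return NULL;
    t->h = malloc(bytes);
    if (t->h == NULL) {
        free(t);
        return NULL;
    }
    memset(t->h, 0, bytes);
    t->taps = (size_t)num_taps;
    return t;
}

void lpf_free(lpf_table *t)
{
    if (t != NULL) {
        free(t->h);
        free(t);
    }
}

int main(void)
{
    /* 0x20000001 taps * 8 bytes = 0x1_0000_0008, which wraps to 8 in
     * 32 bits: a loop that then stores 0x20000001 doubles into that
     * buffer is the heap overflow the description refers to. */
    uint32_t wrapped = unchecked_alloc_size32(0x20000001u, (uint32_t)sizeof(double));
    printf("32-bit product for 0x20000001 taps: %u bytes\n", wrapped);

    size_t bytes;
    printf("checked_alloc_size(SIZE_MAX/4, 8): %s\n",
           checked_alloc_size(SIZE_MAX / 4, sizeof(double), &bytes) ? "ok" : "rejected");

    lpf_table *t = lpf_alloc(0x20000001L);
    printf("lpf_alloc(0x20000001): %s\n", t ? "allocated" : "rejected");
    lpf_free(t);
    return 0;
}
```

The cap is the check that matters most: once the count is bounded to a small range, the multiply cannot wrap in any width, and the overflow check becomes defence in depth rather than the only line of defence. A calloc(count, size) call also rejects a wrapping product in current libcs, but it does not reject a negative count that has already been converted to a huge size_t, so the sign check is still needed.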
Ubuntu-Description
It was discovered that SoX incorrectly handled certain MP3 files. An attacker
could possibly use this issue to cause a denial of service. (CVE-2019-8354,
CVE-2019-8355, CVE-2019-8356, CVE-2019-8357)
Package
Source: sox (LP Ubuntu Debian)
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): needs-triage
Ubuntu 16.04 LTS (Xenial Xerus): released (14.4.1-5+deb8u4ubuntu0.1)
Ubuntu 18.04 LTS (Bionic Beaver): released (14.4.2-3ubuntu0.18.04.1)
Ubuntu 19.04 (Disco Dingo): released (14.4.2-3ubuntu0.19.04.1)
Ubuntu 19.10 (Eoan): released (14.4.2+git20190427-1)
More Information

Updated: 2019-08-16 15:14:25 UTC (commit 5361c67d07aa5974ee5576195f5ae50712d72c5c)