Date: Wed, 22 Jul 2015 19:55:42 +0200
From: Michele Spagnuolo <mikispag@...il.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Multiple memory corruption vulnerabilities in SoX 14.4.2

Hello,

I would like to report publicly new memory corruption vulnerabilities in the latest SoX, 14.4.2 - these have been reported in April 2015 through oCERT, but they have notified me they still haven't received a response from upstream.

Please see this shared folder, visible to anybody with the link:
https://drive.google.com/folderview?id=0B52EFul-UCEIflZhcjlrRGlqcWdER2xJZWR4dmVUQ1RaRGl6a09sbVdGYjg2MER6OHl3aUU&usp=sharing

The write heap buffer overflows are related to ADPCM handling in WAV files, while the read heap buffer overflow is while opening a .VOC.

For each crash, you have the input file and a .txt with the ASAN output.

Thanks,
Michele Spagnuolo
Google Security Team

CVE-ASSIGN: Please assign CVEs. Thanks.