Date: Wed, 22 Jul 2015 19:55:42 +0200
From: Michele Spagnuolo <>
Subject: Multiple memory corruption vulnerabilities in SoX 14.4.2


I would like to publicly report new memory corruption vulnerabilities in
the latest SoX, 14.4.2 - these were reported in April 2015 through
oCERT, but they have notified me that they still haven't received a response
from upstream.

Please see this shared folder, visible to anybody with the link:

The write heap buffer overflows are related to ADPCM handling in WAV files,
while the read heap buffer overflow occurs while opening a .VOC.

For each crash, you have the input file and a .txt with the ASAN output.

Michele Spagnuolo
Google Security Team

CVE-ASSIGN: Please assign CVEs. Thanks.
