Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 22 Jul 2015 19:55:42 +0200
From: Michele Spagnuolo <mikispag@...il.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Multiple memory corruption vulnerabilities in SoX 14.4.2

​Hello,

I would like to report publicly new memory corruption vulnerabilities in
the latest SoX, 14.4.2 - these have been reported in April 2015 through
oCERT, but they have notified me they still haven't received a response
from upstream.

Please see this shared folder, visible to anybody with the link:
https://drive.google.com/folderview?id=0B52EFul-UCEIflZhcjlrRGlqcWdER2xJZWR4dmVUQ1RaRGl6a09sbVdGYjg2MER6OHl3aUU&usp=sharing

The write heap buffer overflows are related to ADPCM handling in WAV files,
while the read heap buffer overflow is while opening a .VOC.

For each crash, you have the input file and a .txt with the ASAN output.

Thanks,
Michele Spagnuolo
Google Security Team​

CVE-ASSIGN: Please assign CVEs. Thanks.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ