CVE-2019-8355 - OpenCVE

An issue was discovered in SoX 14.4.2. In xmalloc.h, there is an integer overflow on the result of multiplication fed into the lsx_valloc macro that wraps malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow in channels_start in remix.c.

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:M/Au:N/C:N/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Sound Exchange Project	Sound Exchange

Configuration 1 [-]

cpe:2.3:a:sound_exchange_project:sound_exchange:14.4.2:*:*:*:*:*:*:*

References

Link	Resource
https://lists.debian.org/debian-lts-announce/2019/05/msg00040.html
https://sourceforge.net/p/sox/bugs/320	Third Party Advisory
https://usn.ubuntu.com/4079-1/
https://usn.ubuntu.com/4079-2/

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2019-02-15T23:00:00

Updated: 2019-08-02T02:06:05

Reserved: 2019-02-15T00:00:00

Link: CVE-2019-8355

JSON object: View

NVD Information

Status : Modified

Published: 2019-02-15T23:29:00.307

Modified: 2020-08-24T17:37:01.140

Link: CVE-2019-8355

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2019-02-15T00:00:00", "descriptions": [{"lang": "en", "value": "An issue was discovered in SoX 14.4.2. In xmalloc.h, there is an integer overflow on the result of multiplication fed into the lsx_valloc macro that wraps malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow in channels_start in remix.c."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-08-02T02:06:05", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://sourceforge.net/p/sox/bugs/320"}, {"name": "[debian-lts-announce] 20190528 [SECURITY] [DLA 1808-1] sox security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00040.html"}, {"name": "USN-4079-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4079-1/"}, {"name": "USN-4079-2", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4079-2/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-8355", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in SoX 14.4.2. In xmalloc.h, there is an integer overflow on the result of multiplication fed into the lsx_valloc macro that wraps malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow in channels_start in remix.c."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://sourceforge.net/p/sox/bugs/320", "refsource": "MISC", "url": "https://sourceforge.net/p/sox/bugs/320"}, {"name": "[debian-lts-announce] 20190528 [SECURITY] [DLA 1808-1] sox security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00040.html"}, {"name": "USN-4079-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4079-1/"}, {"name": "USN-4079-2", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4079-2/"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-8355", "datePublished": "2019-02-15T23:00:00", "dateReserved": "2019-02-15T00:00:00", "dateUpdated": "2019-08-02T02:06:05", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sound_exchange_project:sound_exchange:14.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "C99FA8E2-5333-47D1-AC0D-5C3FF7DF8D75", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in SoX 14.4.2. In xmalloc.h, there is an integer overflow on the result of multiplication fed into the lsx_valloc macro that wraps malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow in channels_start in remix.c."}, {"lang": "es", "value": "Se ha descubierto un problema en SoX 14.4.2. En xmalloc.h, hay un desbordamiento de enteros en el resultado de la multiplicaci\u00f3n que se proporciona a la macro lsx_valloc que envuelve a malloc. Cuando el b\u00fafer se asigna, es m\u00e1s peque\u00f1o de lo esperado, lo que conduce a un desbordamiento de b\u00fafer basado en memoria din\u00e1mica (heap) en channels_start en remix.c."}], "id": "CVE-2019-8355", "lastModified": "2020-08-24T17:37:01.140", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-02-15T23:29:00.307", "references": [{"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00040.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://sourceforge.net/p/sox/bugs/320"}, {"source": "cve@mitre.org", "url": "https://usn.ubuntu.com/4079-1/"}, {"source": "cve@mitre.org", "url": "https://usn.ubuntu.com/4079-2/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}, {"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}