Date: Thu, 23 Jul 2015 15:39:32 +0000 (UTC) From: Mark Felder <feld@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r392732 - head/security/vuxml Message-ID: <201507231539.t6NFdWu8018900@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: feld Date: Thu Jul 23 15:39:31 2015 New Revision: 392732 URL: https://svnweb.freebsd.org/changeset/ports/392732 Log: Document buffer overflow vulnerabilities in SoX PR: 201778 CVE: CVE-2014-8145 Security: 9dd761ff-30cb-11e5-a4a5-002590263bf5 Security: 92cda470-30cb-11e5-a4a5-002590263bf5 Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Thu Jul 23 15:26:55 2015 (r392731) +++ head/security/vuxml/vuln.xml Thu Jul 23 15:39:31 2015 (r392732) @@ -58,6 +58,64 @@ Notes: --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="9dd761ff-30cb-11e5-a4a5-002590263bf5"> + <topic>sox -- memory corruption vulnerabilities</topic> + <affects> + <package> + <name>sox</name> + <range><le>14.4.2</le></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Michele Spagnuolo, Google Security Team, reports:</p> + <blockquote cite="http://seclists.org/oss-sec/2015/q3/167"> + <p>The write heap buffer overflows are related to ADPCM handling in + WAV files, while the read heap buffer overflow is while opening a + .VOC.</p> + </blockquote> + </body> + </description> + <references> + <url>http://seclists.org/oss-sec/2015/q3/167</url> + </references> + <dates> + <discovery>2015-07-22</discovery> + <entry>2015-07-23</entry> + </dates> + </vuln> + + <vuln vid="92cda470-30cb-11e5-a4a5-002590263bf5"> + <topic>sox -- input sanitization errors</topic> + <affects> + <package> + <name>sox</name> + <range><lt>14.4.2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>oCERT reports:</p> + <blockquote cite="http://www.ocert.org/advisories/ocert-2014-010.html"> + <p>The sox command line tool is affected by two heap-based buffer + overflows, respectively located in functions start_read() and + AdpcmReadBlock().</p> + <p>A specially crafted wav file can be used to trigger the + vulnerabilities.</p> + </blockquote> + </body> + </description> + <references> + <bid>71774</bid> + <cvename>CVE-2014-8145</cvename> + <url>http://www.ocert.org/advisories/ocert-2014-010.html</url> + </references> + <dates> + <discovery>2014-11-20</discovery> + <entry>2015-07-23</entry> + </dates> + </vuln> + <vuln vid="95eee71d-3068-11e5-a9b5-bcaec565249c"> <topic>gdk-pixbuf2 -- heap overflow and DoS affecting Firefox and other programs</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201507231539.t6NFdWu8018900>