CVE-2008-5824
published 2009-01-02CVE-2008-5824: Heap-based buffer overflow in msadpcm.c in libaudiofile in audiofile 0.2.6 allows context-dependent attackers to cause a denial of service (application crash)…
PriorityP334medium6.8CVSS 2.0
AVNACMAuNCPIPAP
EXPLOIT
EPSS
6.02%
92.4th percentile
Heap-based buffer overflow in msadpcm.c in libaudiofile in audiofile 0.2.6 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted WAV file.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 68k | audiofile | — | — |
| audiofile | audiofile | >= 0 < 0.2.6-7.1 | 0.2.6-7.1 |
| audiofile | audiofile | >= 0 < 0.2.6-7.1 | 0.2.6-7.1 |
| audiofile | audiofile | >= 0 < 0.2.6-7.1 | 0.2.6-7.1 |
| audiofile | audiofile | >= 0 < 0.2.6-7.1 | 0.2.6-7.1 |
| debian | audiofile | < audiofile 0.2.6-7.1 (bookworm) | audiofile 0.2.6-7.1 (bookworm) |
CVSS provenance
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
osv6.8MEDIUM
vendor_debian6.8MEDIUM
vendor_redhat6.8MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
Audio File Library vulnerability
vendor_ubuntu·2010-03-16
CVE-2008-5824 Audio File Library vulnerability
Title: Audio File Library vulnerability
Summary: Audio File Library vulnerability
It was discovered that Audio File Library contained a heap-based buffer
overflow. If a user or automated system processed a crafted WAV file, an
attacker could cause a denial of service via application crash, or possibly
execute arbitrary code with the privileges of the user invoking the
program. The default compiler options for Ubuntu should reduce this
vulnerability to a denial of service.
Instructions: In general, a standard system upgrade is sufficient to effect the
necessary changes.
Red Hat
audiofile: heap-based overflow in Microsoft ADPCM compression module (app crash, arb. code execution)
vendor_redhat·2008-12-30·CVSS 6.8
CVE-2008-5824 [MEDIUM] CWE-122 audiofile: heap-based overflow in Microsoft ADPCM compression module (app crash, arb. code execution)
audiofile: heap-based overflow in Microsoft ADPCM compression module (app crash, arb. code execution)
Heap-based buffer overflow in msadpcm.c in libaudiofile in audiofile 0.2.6 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted WAV file.
Statement: Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Package: audiofile (Red Hat Enterprise Linux 4) - Will not fix
Package: audiofile (Red Hat Enterprise Linux 5) - Will not fix
Package: audiofile (Red Hat Enterprise Linux 6) - Will not
Debian
CVE-2008-5824: audiofile - Heap-based buffer overflow in msadpcm.c in libaudiofile in audiofile 0.2.6 allow...
vendor_debian·2008·CVSS 6.8
CVE-2008-5824 [MEDIUM] CVE-2008-5824: audiofile - Heap-based buffer overflow in msadpcm.c in libaudiofile in audiofile 0.2.6 allow...
Heap-based buffer overflow in msadpcm.c in libaudiofile in audiofile 0.2.6 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted WAV file.
Scope: local
bookworm: resolved (fixed in 0.2.6-7.1)
bullseye: resolved (fixed in 0.2.6-7.1)
forky: resolved (fixed in 0.2.6-7.1)
sid: resolved (fixed in 0.2.6-7.1)
trixie: resolved (fixed in 0.2.6-7.1)
GHSA
GHSA-wj2h-43mg-5f25: Heap-based buffer overflow in msadpcm
ghsa_unreviewed·2022-05-17
CVE-2008-5824 [MEDIUM] CWE-119 GHSA-wj2h-43mg-5f25: Heap-based buffer overflow in msadpcm
Heap-based buffer overflow in msadpcm.c in libaudiofile in audiofile 0.2.6 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted WAV file.
OSV
CVE-2008-5824: Heap-based buffer overflow in msadpcm
osv·2009-01-02·CVSS 6.8
CVE-2008-5824 [MEDIUM] CVE-2008-5824: Heap-based buffer overflow in msadpcm
Heap-based buffer overflow in msadpcm.c in libaudiofile in audiofile 0.2.6 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted WAV file.
No detection rules found.
Bugzilla
CVE-2008-5824 audiofile: heap-based overflow in Microsoft ADPCM compression module (app crash, arb. code execution) [fedora-all]
bugzilla·2010-12-24·CVSS 6.8
CVE-2008-5824 [MEDIUM] CVE-2008-5824 audiofile: heap-based overflow in Microsoft ADPCM compression module (app crash, arb. code execution) [fedora-all]
CVE-2008-5824 audiofile: heap-based overflow in Microsoft ADPCM compression module (app crash, arb. code execution) [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security
Bugzilla
CVE-2008-5824 audiofile: heap-based overflow in Microsoft ADPCM compression module (app crash, arb. code execution) [F10]
bugzilla·2009-01-30·CVSS 6.8
CVE-2008-5824 [MEDIUM] CVE-2008-5824 audiofile: heap-based overflow in Microsoft ADPCM compression module (app crash, arb. code execution) [F10]
CVE-2008-5824 audiofile: heap-based overflow in Microsoft ADPCM compression module (app crash, arb. code execution) [F10]
F10 tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora
'version' of '10'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fe
Bugzilla
CVE-2008-5824 audiofile: heap-based overflow in Microsoft ADPCM compression module (app crash, arb. code execution) [F9]
bugzilla·2009-01-30·CVSS 6.8
CVE-2008-5824 [MEDIUM] CVE-2008-5824 audiofile: heap-based overflow in Microsoft ADPCM compression module (app crash, arb. code execution) [F9]
CVE-2008-5824 audiofile: heap-based overflow in Microsoft ADPCM compression module (app crash, arb. code execution) [F9]
F9 tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
This message is a reminder that Fedora 9 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 9. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora
'version' of '9'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora
Bugzilla
CVE-2008-5824 audiofile: heap-based overflow in Microsoft ADPCM compression module (app crash, arb. code execution) [Fdevel]
bugzilla·2009-01-30·CVSS 6.8
CVE-2008-5824 [MEDIUM] CVE-2008-5824 audiofile: heap-based overflow in Microsoft ADPCM compression module (app crash, arb. code execution) [Fdevel]
CVE-2008-5824 audiofile: heap-based overflow in Microsoft ADPCM compression module (app crash, arb. code execution) [Fdevel]
Fdevel tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
---
This message is a reminder that Fedora 11 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 11. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug
Bugzilla
CVE-2008-5824 audiofile: heap-based overflow in Microsoft ADPCM compression module (app crash, arb. code execution)
bugzilla·2009-01-14·CVSS 6.8
CVE-2008-5824 [MEDIUM] CVE-2008-5824 audiofile: heap-based overflow in Microsoft ADPCM compression module (app crash, arb. code execution)
CVE-2008-5824 audiofile: heap-based overflow in Microsoft ADPCM compression module (app crash, arb. code execution)
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5824 to
the following vulnerability:
Heap-based buffer overflow in msadpcm.c in libaudiofile in audiofile
0.2.6 allows context-dependent attackers to cause a denial of service
(application crash) or possibly execute arbitrary code via a crafted
WAV file.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5824
http://openwall.com/lists/oss-security/2008/12/30/1
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510205
http://musicpd.org/mantis/view.php?id=1915
PoC:
http://filebin.ca/meqmyu/max_theme.wav
Note: The Debian patch at:
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=17;filename=
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510205http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00000.htmlhttp://musicpd.org/mantis/view.php?id=1915http://openwall.com/lists/oss-security/2008/12/30/1http://secunia.com/advisories/33273http://www.securityfocus.com/bid/33066http://www.ubuntu.com/usn/USN-912-1http://www.vupen.com/english/advisories/2009/0005http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510205http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00000.htmlhttp://musicpd.org/mantis/view.php?id=1915http://openwall.com/lists/oss-security/2008/12/30/1http://secunia.com/advisories/33273http://www.securityfocus.com/bid/33066http://www.ubuntu.com/usn/USN-912-1http://www.vupen.com/english/advisories/2009/0005
2009-01-02
Published