CVE-2019-8354: Integer Overflow or Wraparound in Ubuntu Linux

Severity: 5.0 MEDIUM (NVD)
EPSS: 0.7% (top 27.85%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 15; Latest update May 13

Description

An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c has an integer overflow on the result of multiplication fed into malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Exploitability: 1.3 | Impact: 3.6

Affected Packages: 1 package

Also affects: Debian Linux 8.0, Ubuntu Linux 16.04, 18.04, 19.04

🔴 Vulnerability Details (5)

GHSA: GHSA-7j68-5pq5-623j: An issue was discovered in SoX 14 (2022-05-13)
OSV: sox vulnerabilities (2019-08-01)
OSV: sox vulnerabilities (2019-07-30)
CVEList: CVE-2019-8354: An issue was discovered in SoX 14 (2019-02-15)
OSV: CVE-2019-8354: An issue was discovered in SoX 14 (2019-02-15)

📋 Vendor Advisories (4)

Ubuntu: SoX vulnerabilities (2019-08-01)
Ubuntu: SoX vulnerabilities (2019-07-30)
Red Hat: sox: integer overflow in function lsx_make_lpf in effect_i_dsp.c (2019-02-07)
Debian: CVE-2019-8354: sox - An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c has an int... (2019)

💬 Community (2)

Bugzilla: CVE-2019-8354 sox: integer overflow in function lsx_make_lpf in effect_i_dsp.c [fedora-all] (2019-02-18)
Bugzilla: CVE-2019-8354 sox: integer overflow in function lsx_make_lpf in effect_i_dsp.c (2019-02-18)
CVE-2019-8354 — Integer Overflow or Wraparound | cvebase