ALAS2-2020-1501


Amazon Linux 2 Security Advisory: ALAS-2020-1501
Advisory Release Date: 2020-10-22 17:18 Pacific
Advisory Updated Date: 2020-10-22 22:43 Pacific
Severity: Medium

Issue Overview:

The audiofile Audio File Library 0.3.6 has a NULL pointer dereference bug in ModuleState::setup in modules/ModuleState.cpp, which allows an attacker to cause a denial of service via a crafted caf file, as demonstrated by sfconvert. (CVE-2018-13440)

An issue has been discovered in mpruett Audio File Library (aka audiofile) 0.3.6. A heap-based buffer overflow in Expand3To4Module::run has occurred when running sfconvert. (CVE-2018-17095)


Affected Packages:

audiofile


Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update audiofile to update your system.

New Packages:
aarch64:
    audiofile-0.3.6-9.amzn2.aarch64
    audiofile-devel-0.3.6-9.amzn2.aarch64
    audiofile-debuginfo-0.3.6-9.amzn2.aarch64

i686:
    audiofile-0.3.6-9.amzn2.i686
    audiofile-devel-0.3.6-9.amzn2.i686
    audiofile-debuginfo-0.3.6-9.amzn2.i686

src:
    audiofile-0.3.6-9.amzn2.src

x86_64:
    audiofile-0.3.6-9.amzn2.x86_64
    audiofile-devel-0.3.6-9.amzn2.x86_64
    audiofile-debuginfo-0.3.6-9.amzn2.x86_64