Amazon Linux 2 Security Advisory: ALAS-2020-1501
Advisory Release Date: 2020-10-22 17:18 Pacific
Advisory Updated Date: 2020-10-22 22:43 Pacific
Severity:
Medium
Issue Overview:
The audiofile Audio File Library 0.3.6 has a NULL pointer dereference bug in ModuleState::setup in modules/ModuleState.cpp, which allows an attacker to cause a denial of service via a crafted caf file, as demonstrated by sfconvert. (CVE-2018-13440)
An issue has been discovered in mpruett Audio File Library (aka audiofile) 0.3.6. A heap-based buffer overflow in Expand3To4Module::run has occurred when running sfconvert. (CVE-2018-17095)
Affected Packages:
audiofile
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update audiofile to update your system.
New Packages:
aarch64:
audiofile-0.3.6-9.amzn2.aarch64
audiofile-devel-0.3.6-9.amzn2.aarch64
audiofile-debuginfo-0.3.6-9.amzn2.aarch64
i686:
audiofile-0.3.6-9.amzn2.i686
audiofile-devel-0.3.6-9.amzn2.i686
audiofile-debuginfo-0.3.6-9.amzn2.i686
src:
audiofile-0.3.6-9.amzn2.src
x86_64:
audiofile-0.3.6-9.amzn2.x86_64
audiofile-devel-0.3.6-9.amzn2.x86_64
audiofile-debuginfo-0.3.6-9.amzn2.x86_64