SB2018073047 - Memory corruption in libvorbis (Alpine package)
Published: July 30, 2018
Security Bulletin ID
SB2018073047
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Memory corruption (CVE-ID: CVE-2018-10392)
The vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to improper validation of the number of channels by mapping0_forward in mapping0.c in Xiph.Org libvorbis. A remote unauthenticated attacker can send a specially crafted file, trigger heap-based buffer overflow or over-read and cause the service to crash.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=7949785cc3641c3b10d47094891a572dc812c908
- https://git.alpinelinux.org/aports/commit/?id=7ef3db11e4782e5befdfc5296254950cebc733a8
- https://git.alpinelinux.org/aports/commit/?id=5c3a29b4196039bf3682e700f57695606a6316af
- https://git.alpinelinux.org/aports/commit/?id=027d59423eaaa922fe6544fb90de8075cf7fb257
- https://git.alpinelinux.org/aports/commit/?id=1d4e07ef727bce9bd28bc73d39003c412bfcefb9
- https://git.alpinelinux.org/aports/commit/?id=5983135b6f8ff43b5717897e8b6b8a3bd376543d
- https://git.alpinelinux.org/aports/commit/?id=602d91945a5a2a9e239d0dd0d65f7d8219105767
- https://git.alpinelinux.org/aports/commit/?id=e0d5deae108e57c22e638a24118d0850b0ab09a7