ID CVE-2017-18189
Summary In the startread function in xa.c in Sound eXchange (SoX) through 14.4.2, a corrupt header specifying zero channels triggers an infinite loop with a resultant NULL pointer dereference, which may allow a remote attacker to cause a denial-of-service.
References
Vulnerable Configurations
  • cpe:2.3:a:sound_exchange_project:sound_exchange:12.16:*:*:*:*:*:*:*
  • cpe:2.3:a:sound_exchange_project:sound_exchange:12.17:*:*:*:*:*:*:*
  • cpe:2.3:a:sound_exchange_project:sound_exchange:12.17.1:*:*:*:*:*:*:*
  • cpe:2.3:a:sound_exchange_project:sound_exchange:12.17.2:*:*:*:*:*:*:*
  • cpe:2.3:a:sound_exchange_project:sound_exchange:12.17.3:*:*:*:*:*:*:*
  • cpe:2.3:a:sound_exchange_project:sound_exchange:12.17.4:*:*:*:*:*:*:*
  • cpe:2.3:a:sound_exchange_project:sound_exchange:12.17.5:*:*:*:*:*:*:*
  • cpe:2.3:a:sound_exchange_project:sound_exchange:12.17.6:*:*:*:*:*:*:*
  • cpe:2.3:a:sound_exchange_project:sound_exchange:12.17.7:*:*:*:*:*:*:*
  • cpe:2.3:a:sound_exchange_project:sound_exchange:12.17.8:*:*:*:*:*:*:*
  • cpe:2.3:a:sound_exchange_project:sound_exchange:12.17.9:*:*:*:*:*:*:*
  • cpe:2.3:a:sound_exchange_project:sound_exchange:12.18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:sound_exchange_project:sound_exchange:12.18.2:*:*:*:*:*:*:*
  • cpe:2.3:a:sound_exchange_project:sound_exchange:13.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:sound_exchange_project:sound_exchange:14.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:sound_exchange_project:sound_exchange:14.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:sound_exchange_project:sound_exchange:14.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:sound_exchange_project:sound_exchange:14.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:sound_exchange_project:sound_exchange:14.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:sound_exchange_project:sound_exchange:14.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:sound_exchange_project:sound_exchange:14.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:sound_exchange_project:sound_exchange:14.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:sound_exchange_project:sound_exchange:14.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:sound_exchange_project:sound_exchange:14.4.2:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 24-06-2021 - 15:16)
Impact:
Exploitability:
CWE CWE-476
CAPEC
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: NONE
  • Integrity: NONE
  • Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:N/A:P
redhat via4
advisories
bugzilla
id 1545866
title CVE-2017-18189 sox: NULL pointer dereference in startread function in xa.c
oval
OR
  • comment Red Hat Enterprise Linux must be installed
    oval oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment Red Hat Enterprise Linux 7 is installed
      oval oval:com.redhat.rhba:tst:20150364027
    • OR
      • AND
        • comment sox is earlier than 0:14.4.1-7.el7
          oval oval:com.redhat.rhsa:tst:20192283001
        • comment sox is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20192283002
      • AND
        • comment sox-devel is earlier than 0:14.4.1-7.el7
          oval oval:com.redhat.rhsa:tst:20192283003
        • comment sox-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20192283004
rhsa
id RHSA-2019:2283
released 2019-08-06
severity Low
title RHSA-2019:2283: sox security update (Low)
rpms
  • sox-0:14.4.1-7.el7
  • sox-debuginfo-0:14.4.1-7.el7
  • sox-devel-0:14.4.1-7.el7
refmap via4
fedora
  • FEDORA-2020-1dfaa1963b
  • FEDORA-2020-cb7b7181a0
misc
mlist [debian-lts-announce] 20190228 [SECURITY] [DLA 1695-1] sox security update
Last major update 24-06-2021 - 15:16
Published 15-02-2018 - 10:29
Last modified 24-06-2021 - 15:16