Heap-based buffer overflow in libsndfile (Alpine package)

1) Heap-based buffer overflow

EUVDB-ID: #VU6884

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-8363

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to heap-based buffer over-read in the flac_buffer_copy function in flac.c in libsndfile. A remote attacker can send a specially crafted audio file, trick the victim into opening it, trigger memory corruption and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

Mitigation

Install update from vendor's website.

Vulnerable software versions

libsndfile (Alpine package): 1.0.28-r0

CPE2.3

• cpe:2.3:o:alpine:libsndfile_alpine_package:1.0.28-r0:*:*:*:*:alpine_linux:*:

External links

http://git.alpinelinux.org/aports/commit/?id=2272f43516da3b21db1048c3b8ffdc96a084c175
http://git.alpinelinux.org/aports/commit/?id=8d4f547db4d45aa603aefd35027f5fb0166de529
http://git.alpinelinux.org/aports/commit/?id=f112dfcc1ff8e00843268088fc3427501a43505b
http://git.alpinelinux.org/aports/commit/?id=49b4ba77c180eea380f7eb5db100fc83162143e5
http://git.alpinelinux.org/aports/commit/?id=56b47c6467c8479db58029d1c52a3981c29fc634
http://git.alpinelinux.org/aports/commit/?id=9da648263f0617be34a73ea0898db64ebf78129f
http://git.alpinelinux.org/aports/commit/?id=d0b1ecd5f1f7ff44100af83e91b65c66a5dae123

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.