Fedora 32 update for adplug, audacious-plugins, ocp
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 8 |
| CVE-ID | CVE-2019-14690 CVE-2019-14691 CVE-2019-14692 CVE-2019-14732 CVE-2019-14733 CVE-2019-14734 CVE-2019-15151 CVE-2018-17825 |
| CWE-ID | CWE-122 CWE-415 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #2 is available. Public exploit code for vulnerability #3 is available. Public exploit code for vulnerability #4 is available. Public exploit code for vulnerability #5 is available. Public exploit code for vulnerability #6 is available. Public exploit code for vulnerability #7 is available. Public exploit code for vulnerability #8 is available. |
| Vulnerable software |
Fedora Operating systems & Components / Operating system ocp Operating systems & Components / Operating system package or component audacious-plugins Operating systems & Components / Operating system package or component adplug Operating systems & Components / Operating system package or component |
| Vendor | Fedoraproject |
Security Bulletin
This security bulletin contains information about 8 vulnerabilities.
1) Heap-based buffer overflow
EUVDB-ID: #VU20333
Risk: Medium
CVSSv4.0: 6.2 [CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2019-14690
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the CxadbmfPlayer::__bmf_convert_stream() in bmf.cpp. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsFedora: 32
ocp: before 0.1.22-0.28.git849cc42.fc32
audacious-plugins: before 3.10.1-7.fc32
adplug: before 2.3.3-1.fc32
CPE2.3- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:a:fedoraproject:ocp:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:audacious-plugins:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:adplug:*:*:*:*:*:fedora:*:*
https://bodhi.fedoraproject.org/updates/FEDORA-2021-24ef21134b
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Heap-based buffer overflow
EUVDB-ID: #VU20334
Risk: Medium
CVSSv4.0: 6.2 [CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2019-14691
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the CdtmLoader::load() in dtm.cpp. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsFedora: 32
ocp: before 0.1.22-0.28.git849cc42.fc32
audacious-plugins: before 3.10.1-7.fc32
adplug: before 2.3.3-1.fc32
CPE2.3- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:a:fedoraproject:ocp:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:audacious-plugins:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:adplug:*:*:*:*:*:fedora:*:*
https://bodhi.fedoraproject.org/updates/FEDORA-2021-24ef21134b
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
3) Heap-based buffer overflow
EUVDB-ID: #VU20335
Risk: High
CVSSv4.0: 7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2019-14692
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the CmkjPlayer::load() in mkj.cpp. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsFedora: 32
ocp: before 0.1.22-0.28.git849cc42.fc32
audacious-plugins: before 3.10.1-7.fc32
adplug: before 2.3.3-1.fc32
CPE2.3- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:a:fedoraproject:ocp:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:audacious-plugins:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:adplug:*:*:*:*:*:fedora:*:*
https://bodhi.fedoraproject.org/updates/FEDORA-2021-24ef21134b
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
4) Heap-based buffer overflow
EUVDB-ID: #VU20330
Risk: Medium
CVSSv4.0: 6.2 [CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2019-14732
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in Ca2mLoader::load() in a2m.cpp. A remote attacker can create a specially crafted media file, trick the victim into opening it, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsFedora: 32
ocp: before 0.1.22-0.28.git849cc42.fc32
audacious-plugins: before 3.10.1-7.fc32
adplug: before 2.3.3-1.fc32
CPE2.3- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:a:fedoraproject:ocp:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:audacious-plugins:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:adplug:*:*:*:*:*:fedora:*:*
https://bodhi.fedoraproject.org/updates/FEDORA-2021-24ef21134b
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
5) Heap-based buffer overflow
EUVDB-ID: #VU20331
Risk: Medium
CVSSv4.0: 6.2 [CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2019-14733
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in CradLoader::load() in rad.cpp. A remote attacker can create a specially crafted media file, trick the victim into opening it, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsFedora: 32
ocp: before 0.1.22-0.28.git849cc42.fc32
audacious-plugins: before 3.10.1-7.fc32
adplug: before 2.3.3-1.fc32
CPE2.3- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:a:fedoraproject:ocp:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:audacious-plugins:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:adplug:*:*:*:*:*:fedora:*:*
https://bodhi.fedoraproject.org/updates/FEDORA-2021-24ef21134b
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
6) Heap-based buffer overflow
EUVDB-ID: #VU20332
Risk: Medium
CVSSv4.0: 6.2 [CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2019-14734
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the CmtkLoader::load() in mtk.cpp. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsFedora: 32
ocp: before 0.1.22-0.28.git849cc42.fc32
audacious-plugins: before 3.10.1-7.fc32
adplug: before 2.3.3-1.fc32
CPE2.3- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:a:fedoraproject:ocp:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:audacious-plugins:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:adplug:*:*:*:*:*:fedora:*:*
https://bodhi.fedoraproject.org/updates/FEDORA-2021-24ef21134b
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
7) Double Free
EUVDB-ID: #VU20329
Risk: High
CVSSv4.0: 7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2019-15151
CWE-ID:
CWE-415 - Double Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the Cu6mPlayer class in u6m.h. A remote attacker can create a specially crafted media file, trick the victim into opening it, trigger double free error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsFedora: 32
ocp: before 0.1.22-0.28.git849cc42.fc32
audacious-plugins: before 3.10.1-7.fc32
adplug: before 2.3.3-1.fc32
CPE2.3- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:a:fedoraproject:ocp:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:audacious-plugins:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:adplug:*:*:*:*:*:fedora:*:*
https://bodhi.fedoraproject.org/updates/FEDORA-2021-24ef21134b
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
8) Double Free
EUVDB-ID: #VU20336
Risk: High
CVSSv4.0: 7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2018-17825
CWE-ID:
CWE-415 - Double Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in CEmuopl class in emuopl.cpp. A remote attacker can create a specially crafted media file, trick the victim into opening it, trigger double free error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsFedora: 32
ocp: before 0.1.22-0.28.git849cc42.fc32
audacious-plugins: before 3.10.1-7.fc32
adplug: before 2.3.3-1.fc32
CPE2.3- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:a:fedoraproject:ocp:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:audacious-plugins:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:adplug:*:*:*:*:*:fedora:*:*
https://bodhi.fedoraproject.org/updates/FEDORA-2021-24ef21134b
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
