Risk | High |
Patch available | YES |
Number of vulnerabilities | 9 |
CVE-ID | CVE-2019-13590 CVE-2021-23159 CVE-2021-23172 CVE-2021-23210 CVE-2021-33844 CVE-2021-3643 CVE-2021-40426 CVE-2022-31650 CVE-2022-31651 |
CWE-ID | CWE-476 CWE-122 CWE-369 CWE-125 CWE-20 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | Ubuntu (Operating systems & Components / Operating system); libsox3 (Ubuntu package); sox (Ubuntu package); libsox2 (Ubuntu package) |
Vendor | Canonical Ltd. |
Security Bulletin
This security bulletin contains information about 9 vulnerabilities.
EUVDB-ID: #VU19252
Risk: Low
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-13590
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in libsox.a. A remote attacker can create a specially crafted file, trick the victim into opening it and perform a denial of service (DoS) attack.
Mitigation: Update the affected package sox to the latest version.
Vulnerable software versions:
Ubuntu: 14.04 - 22.10
libsox3 (Ubuntu package): before 14.4.2+git20190427-2+deb11u2build0.20.04.1
sox (Ubuntu package): before Ubuntu Pro
libsox2 (Ubuntu package): before Ubuntu Pro
CPE2.3
https://ubuntu.com/security/notices/USN-5904-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU73927
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-23159
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error within the lsx_read_w_buf() function in formats_i.c. A remote attacker can trick the victim into opening a specially crafted file, trigger a heap-based buffer overflow and crash the application.
Mitigation: Update the affected package sox to the latest version.
Vulnerable software versions:
Ubuntu: 14.04 - 22.10
libsox3 (Ubuntu package): before 14.4.2+git20190427-2+deb11u2build0.20.04.1
sox (Ubuntu package): before Ubuntu Pro
libsox2 (Ubuntu package): before Ubuntu Pro
CPE2.3
https://ubuntu.com/security/notices/USN-5904-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU73928
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-23172
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
Mitigation: Update the affected package sox to the latest version.
Vulnerable software versions:
Ubuntu: 14.04 - 22.10
libsox3 (Ubuntu package): before 14.4.2+git20190427-2+deb11u2build0.20.04.1
sox (Ubuntu package): before Ubuntu Pro
libsox2 (Ubuntu package): before Ubuntu Pro
CPE2.3
https://ubuntu.com/security/notices/USN-5904-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU73929
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-23210
CWE-ID:
CWE-369 - Divide By Zero
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a divide by zero error within the read_samples() function in voc.c. A remote attacker can trick the victim into opening a specially crafted file and crash the application.
Mitigation: Update the affected package sox to the latest version.
Vulnerable software versions:
Ubuntu: 14.04 - 22.10
libsox3 (Ubuntu package): before 14.4.2+git20190427-2+deb11u2build0.20.04.1
sox (Ubuntu package): before Ubuntu Pro
libsox2 (Ubuntu package): before Ubuntu Pro
CPE2.3
https://ubuntu.com/security/notices/USN-5904-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU73930
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-33844
CWE-ID:
CWE-369 - Divide By Zero
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a divide by zero error within the startread() function in wav.c. A remote attacker can trick the victim into opening a specially crafted file and crash the application.
Mitigation: Update the affected package sox to the latest version.
Vulnerable software versions:
Ubuntu: 14.04 - 22.10
libsox3 (Ubuntu package): before 14.4.2+git20190427-2+deb11u2build0.20.04.1
sox (Ubuntu package): before Ubuntu Pro
libsox2 (Ubuntu package): before Ubuntu Pro
CPE2.3
https://ubuntu.com/security/notices/USN-5904-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU73932
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-3643
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
Description: The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the lsx_adpcm_init() function in libsox. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system.
Mitigation: Update the affected package sox to the latest version.
Vulnerable software versions:
Ubuntu: 14.04 - 22.10
libsox3 (Ubuntu package): before 14.4.2+git20190427-2+deb11u2build0.20.04.1
sox (Ubuntu package): before Ubuntu Pro
libsox2 (Ubuntu package): before Ubuntu Pro
CPE2.3
https://ubuntu.com/security/notices/USN-5904-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU61598
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2021-40426
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the start_read() function in sphere.c. A remote attacker can use a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Update the affected package sox to the latest version.
Vulnerable software versions:
Ubuntu: 14.04 - 22.10
libsox3 (Ubuntu package): before 14.4.2+git20190427-2+deb11u2build0.20.04.1
sox (Ubuntu package): before Ubuntu Pro
libsox2 (Ubuntu package): before Ubuntu Pro
CPE2.3
https://ubuntu.com/security/notices/USN-5904-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU63803
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-31650
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a floating point exception in lsx_aiffstartwrite in aiff.c in libsox.a. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
Mitigation: Update the affected package sox to the latest version.
Vulnerable software versions:
Ubuntu: 14.04 - 22.10
libsox3 (Ubuntu package): before 14.4.2+git20190427-2+deb11u2build0.20.04.1
sox (Ubuntu package): before Ubuntu Pro
libsox2 (Ubuntu package): before Ubuntu Pro
CPE2.3
https://ubuntu.com/security/notices/USN-5904-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU63799
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-31651
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an assertion failure in rate_init in rate.c in libsox.a. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
Mitigation: Update the affected package sox to the latest version.
Vulnerable software versions:
Ubuntu: 14.04 - 22.10
libsox3 (Ubuntu package): before 14.4.2+git20190427-2+deb11u2build0.20.04.1
sox (Ubuntu package): before Ubuntu Pro
libsox2 (Ubuntu package): before Ubuntu Pro
CPE2.3
https://ubuntu.com/security/notices/USN-5904-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
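Every entry above gives the same mitigation (update sox) and the same fixed libsox3 version, 14.4.2+git20190427-2+deb11u2build0.20.04.1. Deciding whether an installed package is "before" that version is not a plain string comparison: Debian version strings carry an optional epoch, an upstream part and a revision, and dpkg orders them with its own rules ('~' sorts before everything, letters sort before other punctuation, digit runs compare numerically). The script below is an added example, not part of this bulletin or of Ubuntu's tooling: it reimplements that ordering so the check runs without dpkg present, and optionally asks `dpkg-query` for the installed libsox3 version. The fixed version is the one the bulletin lists for libsox3; the bulletin gives no concrete fixed version for sox or libsox2, so those are not checked.

```python
import re
import subprocess

# Fixed libsox3 version as listed in this bulletin (USN-5904-2, Ubuntu 20.04 build).
FIXED_LIBSOX3 = "14.4.2+git20190427-2+deb11u2build0.20.04.1"


def _order(c):
    """dpkg character ordering for non-digit runs: '~' sorts before
    everything (even end of string), then end of string, then letters,
    then all other characters."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_part(a, b):
    """Compare an upstream-version or revision string the way dpkg does:
    alternate between non-digit runs (compared with _order, padding the
    shorter run with end-of-string) and digit runs (compared numerically)."""
    while a or b:
        na = re.match(r"[^0-9]*", a).group(0)
        nb = re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            d = _order(na[i] if i < len(na) else "") - _order(nb[i] if i < len(nb) else "")
            if d:
                return -1 if d < 0 else 1
        da = re.match(r"[0-9]*", a).group(0)
        db = re.match(r"[0-9]*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def split_version(v):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision).
    The revision is everything after the last hyphen, as in dpkg."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 according to dpkg ordering of a relative to b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)


def is_vulnerable(installed, fixed=FIXED_LIBSOX3):
    """True when the installed version sorts strictly before the fixed one."""
    return compare_versions(installed, fixed) < 0


def installed_version(package):
    """Ask dpkg-query for the installed version of a package.
    Returns None when dpkg is unavailable or the package is not installed."""
    try:
        out = subprocess.run(
            ["dpkg-query", "-W", "-f=${Version}", package],
            capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    v = installed_version("libsox3")
    if v is None:
        print("libsox3: not installed or dpkg unavailable")
    else:
        state = "VULNERABLE" if is_vulnerable(v) else "patched"
        print(f"libsox3 {v}: {state} (fixed in {FIXED_LIBSOX3})")
```

On a host with dpkg the script can be cross-checked against `dpkg --compare-versions "$installed" lt "$fixed"`; the pure-Python comparison exists so the same logic can be applied offline to package inventories exported from many hosts. Note that the fixed version above is the Ubuntu 20.04 build string; other releases covered by USN-5904-2 carry their own build suffixes, so compare each host against the fixed version for its own release.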