Security update for libsndfile SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:1107-1 Final 1 1 2017-04-26T12:11:27Z current 2017-04-26T12:11:27Z 2017-04-26T12:11:27Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libsndfile This update for libsndfile fixes the following security issues: - CVE-2017-7586: A stack-based buffer overflow via a specially crafted FLAC file was fixed (error in the 'header_read()' function) (bsc#1033053) - CVE-2017-7585,CVE-2017-7741, CVE-2017-7742: Several stack-based buffer overflows via a specially crafted FLAC file (error in the 'flac_buffer_copy()' function) were fixed (bsc#1033054,bsc#1033915,bsc#1033914). This update was imported from the SUSE:SLE-12:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2017-04/msg00096.html E-Mail link for openSUSE-SU-2017:1107-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 openSUSE Leap 42.2 libsndfile-1.0.25-26.3.1 libsndfile-devel-1.0.25-26.3.1 libsndfile-progs-1.0.25-26.3.1 libsndfile1-1.0.25-26.3.1 libsndfile1-32bit-1.0.25-26.3.1 libsndfile-1.0.25-26.3.1 as a component of openSUSE Leap 42.1 libsndfile-devel-1.0.25-26.3.1 as a component of openSUSE Leap 42.1 libsndfile-progs-1.0.25-26.3.1 as a component of openSUSE Leap 42.1 libsndfile1-1.0.25-26.3.1 as a component of openSUSE Leap 42.1 libsndfile1-32bit-1.0.25-26.3.1 as a component of openSUSE Leap 42.1 libsndfile-1.0.25-26.3.1 as a component of openSUSE Leap 42.2 libsndfile-devel-1.0.25-26.3.1 as a component of openSUSE Leap 42.2 libsndfile-progs-1.0.25-26.3.1 as a component of openSUSE Leap 42.2 libsndfile1-1.0.25-26.3.1 as a component of openSUSE Leap 42.2 libsndfile1-32bit-1.0.25-26.3.1 as a component of openSUSE Leap 42.2 In libsndfile before 1.0.28, an error in the "flac_buffer_copy()" function (flac.c) can be exploited to cause a stack-based buffer overflow via a specially crafted FLAC file. CVE-2017-7585 openSUSE Leap 42.1:libsndfile-1.0.25-26.3.1 openSUSE Leap 42.1:libsndfile-devel-1.0.25-26.3.1 openSUSE Leap 42.1:libsndfile-progs-1.0.25-26.3.1 openSUSE Leap 42.1:libsndfile1-1.0.25-26.3.1 openSUSE Leap 42.1:libsndfile1-32bit-1.0.25-26.3.1 openSUSE Leap 42.2:libsndfile-1.0.25-26.3.1 openSUSE Leap 42.2:libsndfile-devel-1.0.25-26.3.1 openSUSE Leap 42.2:libsndfile-progs-1.0.25-26.3.1 openSUSE Leap 42.2:libsndfile1-1.0.25-26.3.1 openSUSE Leap 42.2:libsndfile1-32bit-1.0.25-26.3.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-04/msg00096.html https://www.suse.com/security/cve/CVE-2017-7585.html CVE-2017-7585 https://bugzilla.suse.com/1033054 SUSE Bug 1033054 https://bugzilla.suse.com/1033914 SUSE Bug 1033914 https://bugzilla.suse.com/1033915 SUSE Bug 1033915 In libsndfile before 1.0.28, an error in the "header_read()" function (common.c) when handling ID3 tags can be exploited to cause a stack-based buffer overflow via a specially crafted FLAC file. CVE-2017-7586 openSUSE Leap 42.1:libsndfile-1.0.25-26.3.1 openSUSE Leap 42.1:libsndfile-devel-1.0.25-26.3.1 openSUSE Leap 42.1:libsndfile-progs-1.0.25-26.3.1 openSUSE Leap 42.1:libsndfile1-1.0.25-26.3.1 openSUSE Leap 42.1:libsndfile1-32bit-1.0.25-26.3.1 openSUSE Leap 42.2:libsndfile-1.0.25-26.3.1 openSUSE Leap 42.2:libsndfile-devel-1.0.25-26.3.1 openSUSE Leap 42.2:libsndfile-progs-1.0.25-26.3.1 openSUSE Leap 42.2:libsndfile1-1.0.25-26.3.1 openSUSE Leap 42.2:libsndfile1-32bit-1.0.25-26.3.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-04/msg00096.html https://www.suse.com/security/cve/CVE-2017-7586.html CVE-2017-7586 https://bugzilla.suse.com/1033053 SUSE Bug 1033053 In libsndfile before 1.0.28, an error in the "flac_buffer_copy()" function (flac.c) can be exploited to cause a segmentation violation (with write memory access) via a specially crafted FLAC file during a resample attempt, a similar issue to CVE-2017-7585. CVE-2017-7741 openSUSE Leap 42.1:libsndfile-1.0.25-26.3.1 openSUSE Leap 42.1:libsndfile-devel-1.0.25-26.3.1 openSUSE Leap 42.1:libsndfile-progs-1.0.25-26.3.1 openSUSE Leap 42.1:libsndfile1-1.0.25-26.3.1 openSUSE Leap 42.1:libsndfile1-32bit-1.0.25-26.3.1 openSUSE Leap 42.2:libsndfile-1.0.25-26.3.1 openSUSE Leap 42.2:libsndfile-devel-1.0.25-26.3.1 openSUSE Leap 42.2:libsndfile-progs-1.0.25-26.3.1 openSUSE Leap 42.2:libsndfile1-1.0.25-26.3.1 openSUSE Leap 42.2:libsndfile1-32bit-1.0.25-26.3.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-04/msg00096.html https://www.suse.com/security/cve/CVE-2017-7741.html CVE-2017-7741 https://bugzilla.suse.com/1033054 SUSE Bug 1033054 https://bugzilla.suse.com/1033915 SUSE Bug 1033915 In libsndfile before 1.0.28, an error in the "flac_buffer_copy()" function (flac.c) can be exploited to cause a segmentation violation (with read memory access) via a specially crafted FLAC file during a resample attempt, a similar issue to CVE-2017-7585. CVE-2017-7742 openSUSE Leap 42.1:libsndfile-1.0.25-26.3.1 openSUSE Leap 42.1:libsndfile-devel-1.0.25-26.3.1 openSUSE Leap 42.1:libsndfile-progs-1.0.25-26.3.1 openSUSE Leap 42.1:libsndfile1-1.0.25-26.3.1 openSUSE Leap 42.1:libsndfile1-32bit-1.0.25-26.3.1 openSUSE Leap 42.2:libsndfile-1.0.25-26.3.1 openSUSE Leap 42.2:libsndfile-devel-1.0.25-26.3.1 openSUSE Leap 42.2:libsndfile-progs-1.0.25-26.3.1 openSUSE Leap 42.2:libsndfile1-1.0.25-26.3.1 openSUSE Leap 42.2:libsndfile1-32bit-1.0.25-26.3.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-04/msg00096.html https://www.suse.com/security/cve/CVE-2017-7742.html CVE-2017-7742 https://bugzilla.suse.com/1033054 SUSE Bug 1033054 https://bugzilla.suse.com/1033914 SUSE Bug 1033914