SB2018031647 - Buffer overflow in libvorbis (Alpine package)
Published: March 16, 2018
Description
This security bulletin contains information about 1 security vulnerability.
1) Buffer overflow (CVE-ID: CVE-2018-5146)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing Vorbis audio within the libvorbis library. A remote unauthenticated attacker can create a specially crafted HTML page, trick the victim into opening it, trigger an out-of-bounds write and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=7ef3db11e4782e5befdfc5296254950cebc733a8
- https://git.alpinelinux.org/aports/commit/?id=027d59423eaaa922fe6544fb90de8075cf7fb257
- https://git.alpinelinux.org/aports/commit/?id=4c88d6e438038dd3f6edd42b97421d650984659a
- https://git.alpinelinux.org/aports/commit/?id=d306aa6cfcff4a7559cb685f450de8970e6cc399
- https://git.alpinelinux.org/aports/commit/?id=e408a1ad1a359d037188ea51cc2b0aa052218846
- https://git.alpinelinux.org/aports/commit/?id=f77113ff5f50a2b6e8a207bae850994250dec650