Main Vulnerability Database Vulnerabilities #VU15679

Heap-based buffer overflow in audiofile - CVE-2018-17095

Published: November 1, 2018

Vulnerability identifier: #VU15679

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber

CVE-ID: CVE-2018-17095

CWE-ID: CWE-122

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Michael Pruett

Affected software:
audiofile

Detailed vulnerability description

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The vulnerability exists in the ModuleState::setup function due to a heap-based buffer overflow condition that occurs when running sfconvert. A remote attacker can trick the victim into opening or executing a specially crafted file that submits malicious input, trigger memory corruption and cause the service to crash or execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

How to mitigate CVE-2018-17095

Update to version 0.3.6-2.

Sources

https://github.com/mpruett/audiofile/issues/50

Heap-based buffer overflow in audiofile - CVE-2018-17095

Detailed vulnerability description

How to mitigate CVE-2018-17095

Sources

Please verify you're human