CVE-2018-14332

NameCVE-2018-14332
DescriptionAn issue was discovered in Clementine Music Player 1.3.1. Clementine.exe is vulnerable to a user mode write access violation due to a NULL pointer dereference in the Init call in the MoodbarPipeline::NewPadCallback function in moodbar/moodbarpipeline.cpp. The vulnerability is triggered when the user opens a malformed mp3 file.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
clementine (PTS)buster1.3.1+git609-g623a53681+dfsg-1vulnerable
bullseye1.4.0~rc1+git347-gfc4cb6fc7+dfsg-1+deb11u1vulnerable
bookworm, sid1.4.0~rc1+git867-g9ef681b0e+dfsg-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
clementinesource(unstable)(unfixed)unimportant

Notes

https://github.com/clementine-player/Clementine/issues/6078
https://github.com/MostafaSoliman/Security-Advisories/blob/master/CVE-2018-14332
Crash in enduser tool, no security impact
Search for package or bug name: Reporting problems