CVE-2018-14332

NameCVE-2018-14332
DescriptionAn issue was discovered in Clementine Music Player 1.3.1. Clementine.exe is vulnerable to a user mode write access violation due to a NULL pointer dereference in the Init call in the MoodbarPipeline::NewPadCallback function in moodbar/moodbarpipeline.cpp. The vulnerability is triggered when the user opens a malformed mp3 file.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitylow (attack range: local)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
clementine (PTS)jessie1.2.3+dfsg-2vulnerable
stretch1.3.1+git276-g3485bbe43+dfsg-1vulnerable
buster, sid1.3.1+git609-g623a53681+dfsg-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
clementinesource(unstable)(unfixed)unimportant

Notes

https://github.com/clementine-player/Clementine/issues/6078
https://github.com/MostafaSoliman/Security-Advisories/blob/master/CVE-2018-14332
Crash in enduser tool, no security impact

Search for package or bug name: Reporting problems