CVE-2019-8356

NameCVE-2019-8356
DescriptionAn issue was discovered in SoX 14.4.2. One of the arguments to bitrv2 in fft4g.c is not guarded, such that it can lead to write access outside of the statically declared array, aka a stack-based buffer overflow.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1808-1
Debian Bugs927906

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
sox (PTS)bullseye (security), bullseye14.4.2+git20190427-2+deb11u2fixed
bookworm14.4.2+git20190427-3.5fixed
sid, trixie14.4.2+git20190427-5fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
soxsourcejessie14.4.1-5+deb8u4DLA-1808-1
soxsourcestretch14.4.1-5+deb9u2
soxsource(unstable)14.4.2+git20190427-1927906

Notes

https://sourceforge.net/p/sox/bugs/321
https://sourceforge.net/p/sox/code/ci/b7883ae1398499daaa926ae6621f088f0f531ed8/
Search for package or bug name: Reporting problems