Bug 631379 - VUL-1: libsndfile: divide-by-zero
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
Importance: P3 - Medium, Major
Assigned To: Security Team bot
maint:released:11.3:42258 maint:relea...
Reported: 2010-08-16 07:40 UTC by Thomas Biege
Modified: 2016-04-15 12:58 UTC

Found By: Development


Description Thomas Biege 2010-08-16 07:40:28 UTC
Hi.
There is a security bug in package 'libsndfile'.

This bug is public.

There is no coordinated release date (CRD) set.

CVE number: CVE-2009-4835
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4835

Original posting:


----------  Forwarded Message  ----------

Subject: [Full-disclosure] [ MDVSA-2010:150 ] libsndfile
Date: Saturday, 14 August 2010, 19:28:01
From: security@mandriva.com
To:  full-disclosure@lists.grok.org.uk

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2010:150
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : libsndfile
 Date    : August 14, 2010
 Affected: 2008.0, 2009.0, 2009.1, 2010.0, Corporate 4.0,
           Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been discovered and corrected in libsndfile:
 
 The (1) htk_read_header, (2) alaw_init, (3) ulaw_init, (4) pcm_init,
 (5) float32_init, and (6) sds_read_header functions in libsndfile
 1.0.20 allow context-dependent attackers to cause a denial of service
 (divide-by-zero error and application crash) via a crafted audio file
 (CVE-2009-4835).
 
 Packages for 2008.0 and 2009.0 are provided as of the Extended
 Maintenance Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4835
 _______________________________________________________________________
..
Comment 6 Swamp Workflow Management 2011-07-18 13:21:18 UTC
The SWAMPID for this issue is 42235.
This issue was rated as moderate.
Please submit fixed packages until 2011-08-01.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 7 Bernhard Wiedemann 2011-07-18 16:00:19 UTC
This is an autogenerated message for OBS integration:
This bug (631379) was mentioned in
https://build.opensuse.org/request/show/76432 11.3 / libsndfile
Comment 8 Swamp Workflow Management 2011-07-29 12:25:10 UTC
Update released for: libsndfile, libsndfile-debuginfo, libsndfile-debugsource, libsndfile-devel
Products:
openSUSE 11.3 (debug, i586, x86_64)
Comment 9 Thomas Biege 2011-07-29 12:30:23 UTC
released
Comment 10 Swamp Workflow Management 2011-07-29 15:03:14 UTC
Update released for: libsndfile, libsndfile-32bit, libsndfile-debuginfo, libsndfile-debuginfo-32bit, libsndfile-debuginfo-x86, libsndfile-debugsource, libsndfile-devel, libsndfile-octave, libsndfile-progs, libsndfile-progs-debuginfo, libsndfile-progs-debugsource, libsndfile-x86
Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP1 (i386, x86_64)
SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)
Comment 11 Swamp Workflow Management 2011-07-29 15:19:31 UTC
Update released for: libsndfile, libsndfile-32bit, libsndfile-64bit, libsndfile-debuginfo, libsndfile-devel, libsndfile-octave, libsndfile-progs, libsndfile-x86
Products:
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 12 Bernhard Wiedemann 2016-04-15 12:58:45 UTC
This is an autogenerated message for OBS integration:
This bug (631379) was mentioned in
https://build.opensuse.org/request/show/78424 Evergreen:11.2 / libsndfile