   openSUSE Security Update: Security update for audiofile
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2017:1038-1
Rating:             low
References:         #1026978 #1026979 #1026980 #1026981 #1026982 #1026983
                    #1026984 #1026985 #1026986 #1026987 #1026988
Cross-References:   CVE-2017-6827 CVE-2017-6828 CVE-2017-6829 CVE-2017-6830
                    CVE-2017-6831 CVE-2017-6832 CVE-2017-6833 CVE-2017-6834
                    CVE-2017-6835 CVE-2017-6836 CVE-2017-6837 CVE-2017-6838
                    CVE-2017-6839
Affected Products:
                    openSUSE Leap 42.2
                    openSUSE Leap 42.1
______________________________________________________________________________

   An update that fixes 13 vulnerabilities is now available.

Description:

   This audiofile update fixes the following issues:

   Security issues fixed:

   - CVE-2017-6827: heap-based buffer overflow in
     MSADPCM::initializeCoefficients (MSADPCM.cpp) (bsc#1026979)
   - CVE-2017-6828: heap-based buffer overflow in readValue
     (FileHandle.cpp) (bsc#1026980)
   - CVE-2017-6829: global buffer overflow in decodeSample (IMA.cpp)
     (bsc#1026981)
   - CVE-2017-6830: heap-based buffer overflow in alaw2linear_buf
     (G711.cpp) (bsc#1026982)
   - CVE-2017-6831: heap-based buffer overflow in IMA::decodeBlockWAVE
     (IMA.cpp) (bsc#1026983)
   - CVE-2017-6832: heap-based buffer overflow in MSADPCM::decodeBlock
     (MSADPCM.cpp) (bsc#1026984)
   - CVE-2017-6833: divide-by-zero in BlockCodec::runPull (BlockCodec.cpp)
     (bsc#1026985)
   - CVE-2017-6834: heap-based buffer overflow in ulaw2linear_buf
     (G711.cpp) (bsc#1026986)
   - CVE-2017-6835: divide-by-zero in BlockCodec::reset1 (BlockCodec.cpp)
     (bsc#1026988)
   - CVE-2017-6836: heap-based buffer overflow in Expand3To4Module::run
     (SimpleModule.h) (bsc#1026987)
   - CVE-2017-6837, CVE-2017-6838, CVE-2017-6839: multiple ubsan crashes
     (bsc#1026978)

   This update was imported from the SUSE:SLE-12:Update update project.

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE Leap 42.2:

      zypper in -t patch openSUSE-2017-476=1

   - openSUSE Leap 42.1:

      zypper in -t patch openSUSE-2017-476=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE Leap 42.2 (i586 x86_64):

      audiofile-0.3.6-10.3.1
      audiofile-debuginfo-0.3.6-10.3.1
      audiofile-debugsource-0.3.6-10.3.1
      audiofile-devel-0.3.6-10.3.1
      audiofile-doc-0.3.6-10.3.1
      libaudiofile1-0.3.6-10.3.1
      libaudiofile1-debuginfo-0.3.6-10.3.1

   - openSUSE Leap 42.2 (x86_64):

      audiofile-devel-32bit-0.3.6-10.3.1
      libaudiofile1-32bit-0.3.6-10.3.1
      libaudiofile1-debuginfo-32bit-0.3.6-10.3.1

   - openSUSE Leap 42.1 (i586 x86_64):

      audiofile-0.3.6-12.1
      audiofile-debuginfo-0.3.6-12.1
      audiofile-debugsource-0.3.6-12.1
      audiofile-devel-0.3.6-12.1
      audiofile-doc-0.3.6-12.1
      libaudiofile1-0.3.6-12.1
      libaudiofile1-debuginfo-0.3.6-12.1

   - openSUSE Leap 42.1 (x86_64):

      audiofile-devel-32bit-0.3.6-12.1
      libaudiofile1-32bit-0.3.6-12.1
      libaudiofile1-debuginfo-32bit-0.3.6-12.1

References:

   https://www.suse.com/security/cve/CVE-2017-6827.html
   https://www.suse.com/security/cve/CVE-2017-6828.html
   https://www.suse.com/security/cve/CVE-2017-6829.html
   https://www.suse.com/security/cve/CVE-2017-6830.html
   https://www.suse.com/security/cve/CVE-2017-6831.html
   https://www.suse.com/security/cve/CVE-2017-6832.html
   https://www.suse.com/security/cve/CVE-2017-6833.html
   https://www.suse.com/security/cve/CVE-2017-6834.html
   https://www.suse.com/security/cve/CVE-2017-6835.html
   https://www.suse.com/security/cve/CVE-2017-6836.html
   https://www.suse.com/security/cve/CVE-2017-6837.html
   https://www.suse.com/security/cve/CVE-2017-6838.html
   https://www.suse.com/security/cve/CVE-2017-6839.html
   https://bugzilla.suse.com/1026978
   https://bugzilla.suse.com/1026979
   https://bugzilla.suse.com/1026980
   https://bugzilla.suse.com/1026981
   https://bugzilla.suse.com/1026982
   https://bugzilla.suse.com/1026983
   https://bugzilla.suse.com/1026984
   https://bugzilla.suse.com/1026985
   https://bugzilla.suse.com/1026986
   https://bugzilla.suse.com/1026987
   https://bugzilla.suse.com/1026988