Vulnerabilities > CVE-2017-18189 - NULL Pointer Dereference vulnerability in multiple products

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
low complexity
sound-exchange-project
debian
CWE-476
nessus

Summary

In the startread function in xa.c in Sound eXchange (SoX) through 14.4.2, a corrupt header specifying zero channels triggers an infinite loop with a resultant NULL pointer dereference, which may allow a remote attacker to cause a denial-of-service.

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: Amazon Linux Local Security Checks
    NASL id: AL2_ALAS-2019-1352.NASL
    description: A NULL pointer dereference flaw was found in the way SoX handled processing of AIFF files. An attacker could potentially use this flaw to crash the SoX application by tricking it into processing crafted AIFF files. (CVE-2017-18189) [Note: this advisory text names AIFF files, whereas the CVE summary on this page places the flaw in the startread function of xa.c, and the Debian entry below refers to a crafted Maxis XA audio file; treat the file-format wording here as imprecise when triaging.]
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 130604
    published: 2019-11-07
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/130604
    title: Amazon Linux 2 : sox (ALAS-2019-1352)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Amazon Linux 2 Security Advisory ALAS-2019-1352.
    #
    
    include("compat.inc");
    
    # Registration branch: when `description` is set the script only declares
    # its metadata (IDs, advisory text, CVSS vectors, dependencies) and then
    # exits via exit(0); the package check further down is not reached.
    if (description)
    {
      script_id(130604);
      script_version("1.2");
      script_cvs_date("Date: 2019/12/17");
    
      # Cross-references: the CVE this plugin reports and the Amazon advisory
      # it was generated from.
      script_cve_id("CVE-2017-18189");
      script_xref(name:"ALAS", value:"2019-1352");
    
      script_name(english:"Amazon Linux 2 : sox (ALAS-2019-1352)");
      # The summary states the detection method: installed RPM versions are
      # compared, the flaw itself is not exercised.
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Amazon Linux 2 host is missing a security update."
      );
      # NOTE(review): the advisory text below names AIFF files, while the CVE
      # record for CVE-2017-18189 places the flaw in the startread function of
      # xa.c (the XA reader). The string is left as extracted from the
      # advisory; do not rely on it to decide which file formats are affected.
      script_set_attribute(
        attribute:"description", 
        value:
    "A NULL pointer dereference flaw found in the way SoX handled
    processing of AIFF files. An attacker could potentially use this flaw
    to crash the SoX application by tricking it into processing crafted
    AIFF files.(CVE-2017-18189)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://alas.aws.amazon.com/AL2/ALAS-2019-1352.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Run 'yum update sox' to update your system."
      );
      # Both base vectors rate confidentiality and integrity impact as none
      # (C:N/I:N) and differ only in the availability term (A:P in v2, A:H in
      # v3): the scored impact is a crash / denial of service.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      # Temporal vectors: E:U (exploit unproven) and an official fix available
      # (RL:OF / RL:O), consistent with the exploitability_ease text below.
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      # Declared as a local check; the CPE entries list the three sox packages
      # and the Amazon Linux 2 platform the plugin applies to.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:sox");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:sox-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:sox-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2");
    
      # Note the gap between disclosure (2018/02/15) and the Amazon Linux 2
      # patch (2019/11/07) recorded here.
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/02/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/11/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/07");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      # Information-gathering category.
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Amazon Linux Local Security Checks");
    
      # The check reads these knowledge-base keys; presumably they are filled
      # in by ssh_get_info.nasl during a credentialed scan - confirm there.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    # Preconditions. Each failed check hands off to audit() from audit.inc
    # (not shown here); the code relies on audit() ending the script -
    # NOTE(review): confirm in audit.inc.

    # Local checks must have been enabled for this host.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    # A missing or empty release string means the host is not Amazon Linux.
    release = get_kb_item("Host/AmazonLinux/release");
    if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
    # The release string must start with "AL" followed by 'A' or one digit;
    # that single character is captured as the OS version.
    os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
    os_ver = os_ver[1];
    # Only Amazon Linux 2 is in scope. A captured 'A' is spelled out as 'AMI'
    # in the audit message for the out-of-scope case.
    if (os_ver != "2")
    {
      if (os_ver == 'A') os_ver = 'AMI';
      audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver);
    }
    
    # Without the collected RPM list there is nothing to compare against.
    if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    # Package comparison. This is a version check against the collected RPM
    # list only; nothing here feeds a file to SoX. `flag` counts the packages
    # for which rpm_check() returns true - presumably "installed and older
    # than the reference build"; confirm against rpm.inc.
    flag = 0;
    if (rpm_check(release:"AL2", reference:"sox-14.4.1-7.amzn2")) flag++;
    if (rpm_check(release:"AL2", reference:"sox-debuginfo-14.4.1-7.amzn2")) flag++;
    if (rpm_check(release:"AL2", reference:"sox-devel-14.4.1-7.amzn2")) flag++;
    
    if (flag)
    {
      # At least one package was flagged: report, attaching the text from
      # rpm_report_get() when report_verbosity is above 0.
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      # Nothing flagged: distinguish "packages were tested and are not
      # affected" from "none of the sox packages is installed".
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "sox / sox-debuginfo / sox-devel");
    }
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2019-2283.NASL
    description: An update for sox is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. SoX (Sound eXchange) is a sound file format converter. SoX can convert between many different digitized sound formats and perform simple sound manipulation functions, including sound effects. Security Fix(es) : * sox: NULL pointer dereference in startread function in xa.c (CVE-2017-18189) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 127705
    published: 2019-08-12
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/127705
    title: RHEL 7 : sox (RHSA-2019:2283)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-1695.NASL
    description: Multiple vulnerabilities have been discovered in SoX (Sound eXchange), a sound processing program : CVE-2017-15370 The ImaAdpcmReadBlock function (src/wav.c) is affected by a heap buffer overflow. This vulnerability might be leveraged by remote attackers using a crafted WAV file to cause denial of service (application crash). CVE-2017-15372 The lsx_ms_adpcm_block_expand_i function (adpcm.c) is affected by a stack based buffer overflow. This vulnerability might be leveraged by remote attackers using a crafted audio file to cause denial of service (application crash). CVE-2017-15642 The lsx_aiffstartread function (aiff.c) is affected by a use-after-free vulnerability. This flaw might be leveraged by remote attackers using a crafted AIFF file to cause denial of service (application crash). CVE-2017-18189 The startread function (xa.c) is affected by a NULL pointer dereference vulnerability. This flaw might be leveraged by remote attackers using a crafted Maxis XA audio file to cause denial of service (application crash). For Debian 8 [...] (description truncated in this listing)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 122512
    published: 2019-03-01
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/122512
    title: Debian DLA-1695-1 : sox security update
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2018-1084.NASL
    description: According to the versions of the sox package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - SoX (Sound eXchange) is a sound file format converter. SoX can convert between many different digitized sound formats and perform simple sound manipulation functions, including sound effects. - Security fix(es): - A NULL pointer dereference flaw was found in the way SoX handled processing of AIFF files. An attacker could potentially use this flaw to crash the SoX application by tricking it into processing crafted AIFF files. (CVE-2017-18189) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. [Note: the advisory text names AIFF files, whereas the CVE summary on this page places the flaw in the startread function of xa.c.]
    last seen: 2020-05-06
    modified: 2018-05-02
    plugin id: 109482
    published: 2018-05-02
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/109482
    title: EulerOS 2.0 SP2 : sox (EulerOS-SA-2018-1084)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20190806_SOX_ON_SL7_X.NASL
    description: Security Fix(es) : - sox: NULL pointer dereference in startread function in xa.c (CVE-2017-18189)
    last seen: 2020-03-18
    modified: 2019-08-27
    plugin id: 128262
    published: 2019-08-27
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/128262
    title: Scientific Linux Security Update : sox on SL7.x x86_64 (20190806)
  • NASL family: NewStart CGSL Local Security Checks
    NASL id: NEWSTART_CGSL_NS-SA-2019-0203_SOX.NASL
    description: The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has sox packages installed that are affected by a vulnerability: - In the startread function in xa.c in Sound eXchange (SoX) through 14.4.2, a corrupt header specifying zero channels triggers an infinite loop with a resultant NULL pointer dereference, which may allow a remote attacker to cause a denial-of-service. (CVE-2017-18189) Note that Nessus has not tested for this issue but has instead relied only on the application [...] (description truncated in this listing)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 129909
    published: 2019-10-15
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/129909
    title: NewStart CGSL CORE 5.04 / MAIN 5.04 : sox Vulnerability (NS-SA-2019-0203)
  • NASL family: NewStart CGSL Local Security Checks
    NASL id: NEWSTART_CGSL_NS-SA-2019-0251_SOX.NASL
    description: The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has sox packages installed that are affected by a vulnerability: - In the startread function in xa.c in Sound eXchange (SoX) through 14.4.2, a corrupt header specifying zero channels triggers an infinite loop with a resultant NULL pointer dereference, which may allow a remote attacker to cause a denial-of-service. (CVE-2017-18189) Note that Nessus has not tested for this issue but has instead relied only on the application [...] (description truncated in this listing)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 132452
    published: 2019-12-31
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/132452
    title: NewStart CGSL CORE 5.05 / MAIN 5.05 : sox Vulnerability (NS-SA-2019-0251)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2020-1DFAA1963B.NASL
    description: Fixes CVE-2017-18189. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 133421
    published: 2020-02-03
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/133421
    title: Fedora 31 : sox (2020-1dfaa1963b)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2018-1083.NASL
    description: According to the versions of the sox package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - SoX (Sound eXchange) is a sound file format converter. SoX can convert between many different digitized sound formats and perform simple sound manipulation functions, including sound effects. - Security fix(es): - A NULL pointer dereference flaw was found in the way SoX handled processing of AIFF files. An attacker could potentially use this flaw to crash the SoX application by tricking it into processing crafted AIFF files. (CVE-2017-18189) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. [Note: the advisory text names AIFF files, whereas the CVE summary on this page places the flaw in the startread function of xa.c.]
    last seen: 2020-05-06
    modified: 2018-05-02
    plugin id: 109481
    published: 2018-05-02
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/109481
    title: EulerOS 2.0 SP1 : sox (EulerOS-SA-2018-1083)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2019-2283.NASL
    description: An update for sox is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. SoX (Sound eXchange) is a sound file format converter. SoX can convert between many different digitized sound formats and perform simple sound manipulation functions, including sound effects. Security Fix(es) : * sox: NULL pointer dereference in startread function in xa.c (CVE-2017-18189) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 128383
    published: 2019-08-30
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/128383
    title: CentOS 7 : sox (CESA-2019:2283)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2020-CB7B7181A0.NASL
    description: Fixes CVE-2017-18189. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 133583
    published: 2020-02-10
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/133583
    title: Fedora 30 : sox (2020-cb7b7181a0)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2018-185.NASL
    description: This update for sox fixes the following issues : - CVE-2017-11332: Fixed the startread function in wav.c, which allowed remote attackers to cause a DoS (divide-by-zero) via a crafted wav file. (boo#1081140) - CVE-2017-11358: Fixed the read_samples function in hcom.c, which allowed remote attackers to cause a DoS (invalid memory read) via a crafted hcom file. (boo#1081141) - CVE-2017-11359: Fixed the wavwritehdr function in wav.c, which allowed remote attackers to cause a DoS (divide-by-zero) when converting a crafted snd file to a wav file. (boo#1081142) - CVE-2017-15370: Fixed a heap-based buffer overflow in the ImaExpandS function of ima_rw.c, which allowed remote attackers to cause a DoS during conversion of a crafted audio file. (boo#1063439) - CVE-2017-15371: Fixed an assertion abort in the function sox_append_comment() in formats.c, which allowed remote attackers to cause a DoS during conversion of a crafted audio file. (boo#1063450) - CVE-2017-15372: Fixed a stack-based buffer overflow in the lsx_ms_adpcm_block_expand_i function of adpcm.c, which allowed remote attackers to cause a DoS during conversion of a crafted audio file. (boo#1063456) - CVE-2017-15642: Fixed a Use-After-Free vulnerability in lsx_aiffstartread in aiff.c, which could be triggered by an attacker by providing a malformed AIFF file. (boo#1064576) - CVE-2017-18189: Fixed a NULL pointer dereference triggered by a corrupt header specifying zero channels in the startread function in xa.c, which allowed remote attackers to cause a DoS (boo#1081146).
    last seen: 2020-06-05
    modified: 2018-02-21
    plugin id: 106917
    published: 2018-02-21
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/106917
    title: openSUSE Security Update : sox (openSUSE-2018-185)

Redhat

advisories
bugzilla
id: 1545866
title: CVE-2017-18189 sox: NULL pointer dereference in startread function in xa.c
oval
OR
  • comment: Red Hat Enterprise Linux must be installed
    oval: oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment: Red Hat Enterprise Linux 7 is installed
      oval: oval:com.redhat.rhba:tst:20150364027
    • OR
      • AND
        • comment: sox is earlier than 0:14.4.1-7.el7
          oval: oval:com.redhat.rhsa:tst:20192283001
        • comment: sox is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20192283002
      • AND
        • comment: sox-devel is earlier than 0:14.4.1-7.el7
          oval: oval:com.redhat.rhsa:tst:20192283003
        • comment: sox-devel is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20192283004
rhsa
id: RHSA-2019:2283
released: 2019-08-06
severity: Low
title: RHSA-2019:2283: sox security update (Low)
rpms
  • sox-0:14.4.1-7.el7
  • sox-debuginfo-0:14.4.1-7.el7
  • sox-devel-0:14.4.1-7.el7