Headline
CVE-2021-23210: SoX - Sound eXchange / Bugs
A floating point exception (divide-by-zero) issue was discovered in SoX in functon read_samples() of voc.c file. An attacker with a crafted file, could cause an application to crash.
#351 div zero in voc.c
Status: open
Owner: nobody
Labels: bug (6)
Priority: 5
Updated: 2021-04-20
Created: 2021-04-20
Creator: treebacker
Private: No
There is a div zero in voc.c:334, functon read_samples.
Which crashes.
The trigger command: ./src/.libs/sox bug3 -n noiseprof /dev/null
In AddressSanitizer:
In gdb:
The crafted file is attached.
1 Attachments
bug3
Discussion
Log in to post a comment.
Related news
Ubuntu Security Notice 5904-2 - USN-5904-1 fixed vulnerabilities in SoX. It was discovered that the fix for CVE-2021-33844 was incomplete. This update fixes the problem. Helmut Grohne discovered that SoX incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM, and Ubuntu 18.04 LTS.
Ubuntu Security Notice 5904-1 - Helmut Grohne discovered that SoX incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 18.04 LTS. Helmut Grohne discovered that SoX incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service.
Debian Linux Security Advisory 5356-1 - Multiple security issues were discovered in Sox, the Swiss Army knife of sound processing programs, which could result in denial of service or potentially the execution of arbitrary code if a malformed audio file is processed.