Support Content Notification - Support Portal

USN-6558-1: audiofile vulnerabilities

Product/Component

Notification Id

24804

Last Updated

23 July 2024

Initial Publication Date

23 July 2024

Status

CLOSED

Severity

MEDIUM

CVSS Base Score

WorkAround

Affected CVE

CVE-2018-13440;CVE-2018-17095;CVE-2019-13147;CVE-2022-24599

Severity

medium

Vendor

VMware Tanzu

Versions Affected

Canonical Ubuntu 22.04
Canonical Ubuntu 18.04

It was discovered that audiofile could be made to dereference invalid memory. If a user or an automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-13440) It was discovered that audiofile could be made to write out of bounds. If a user or an automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-17095) It was discovered that audiofile could be made to dereference invalid memory. If a user or an automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service. (CVE-2019-13147) It was discovered that audiofile could be made to leak memory. If a user or an automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to obtain sensitive information. (CVE-2022-24599) Update Instructions: Run `sudo pro fix USN-6558-1` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: audiofile-tools - 0.3.6-2ubuntu0.16.04.1+esm1 libaudiofile-dev - 0.3.6-2ubuntu0.16.04.1+esm1 libaudiofile1 - 0.3.6-2ubuntu0.16.04.1+esm1 Available with Ubuntu Pro: https://ubuntu.com/pro.

Fixed and Unaffected VMware Products and Versions

Cflinuxfs3

0381.0 or greater

Cflinuxfs4

1.61.0 or greater

Cf Deployment

35.1.0 or greater

Isolation Segment

2.11.45 or greater
2.13.30 or greater
4.0.15+LTS-T or greater
6.0.x unaffected

VMware Tanzu Application Service for VMs

2.11.33 or greater
2.13.33 or greater
4.0.15+LTS-T or greater
6.0.x unaffected

References

https://ubuntu.com/security/notices/USN-6558-1

https://www.cloudfoundry.org/blog/usn-6558-1

https://cve.mitre.org/cgi-bin/cvename.cgi?name=usn-6558-1

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24804

History

2023-12-14: Initial vulnerability report published.