Security update for libsndfile SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:2615-1 Final 1 1 2021-08-05T08:19:53Z current 2021-08-05T08:19:53Z 2021-08-05T08:19:53Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libsndfile This update for libsndfile fixes the following issues: - CVE-2018-13139: Fixed a stack-based buffer overflow in psf_memset in common.c in libsndfile 1.0.28allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact. (bsc#1100167) - CVE-2018-19432: Fixed a NULL pointer dereference in the function sf_write_int in sndfile.c, which will lead to a denial of service. (bsc#1116993) - CVE-2021-3246: Fixed a heap buffer overflow vulnerability in msadpcm_decode_block. (bsc#1188540) - CVE-2018-19758: Fixed a heap-based buffer over-read at wav.c in wav_write_header in libsndfile 1.0.28 that will cause a denial of service. (bsc#1117954) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2021-2615,SUSE-OpenStack-Cloud-8-2021-2615,SUSE-OpenStack-Cloud-9-2021-2615,SUSE-OpenStack-Cloud-Crowbar-9-2021-2615,SUSE-SLE-SAP-12-SP3-2021-2615,SUSE-SLE-SAP-12-SP4-2021-2615,SUSE-SLE-SDK-12-SP5-2021-2615,SUSE-SLE-SERVER-12-SP2-BCL-2021-2615,SUSE-SLE-SERVER-12-SP3-2021-2615,SUSE-SLE-SERVER-12-SP3-BCL-2021-2615,SUSE-SLE-SERVER-12-SP4-LTSS-2021-2615,SUSE-SLE-SERVER-12-SP5-2021-2615 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-20212615-1/ Link for SUSE-SU-2021:2615-1 https://lists.suse.com/pipermail/sle-security-updates/2021-August/009252.html E-Mail link for SUSE-SU-2021:2615-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1100167 SUSE Bug 1100167 https://bugzilla.suse.com/1116993 SUSE Bug 1116993 https://bugzilla.suse.com/1117954 SUSE Bug 1117954 https://bugzilla.suse.com/1188540 SUSE Bug 1188540 https://www.suse.com/security/cve/CVE-2018-13139/ SUSE CVE CVE-2018-13139 page https://www.suse.com/security/cve/CVE-2018-19432/ SUSE CVE CVE-2018-19432 page https://www.suse.com/security/cve/CVE-2018-19758/ SUSE CVE CVE-2018-19758 page https://www.suse.com/security/cve/CVE-2021-3246/ SUSE CVE CVE-2021-3246 page SUSE Linux Enterprise Server 12 SP2-BCL SUSE Linux Enterprise Server 12 SP3-BCL SUSE Linux Enterprise Server 12 SP3-LTSS SUSE Linux Enterprise Server 12 SP4-LTSS SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE Linux Enterprise Software Development Kit 12 SP5 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud Crowbar 9 libsndfile-devel-1.0.25-36.23.1 libsndfile-progs-1.0.25-36.23.1 libsndfile1-1.0.25-36.23.1 libsndfile1-32bit-1.0.25-36.23.1 libsndfile1-64bit-1.0.25-36.23.1 libsndfile1-1.0.25-36.23.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL libsndfile1-32bit-1.0.25-36.23.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL libsndfile1-1.0.25-36.23.1 as a component of SUSE Linux Enterprise Server 12 SP3-BCL libsndfile1-32bit-1.0.25-36.23.1 as a component of SUSE Linux Enterprise Server 12 SP3-BCL libsndfile1-1.0.25-36.23.1 as a component of SUSE Linux Enterprise Server 12 SP3-LTSS libsndfile1-32bit-1.0.25-36.23.1 as a component of SUSE Linux Enterprise Server 12 SP3-LTSS libsndfile1-1.0.25-36.23.1 as a component of SUSE Linux Enterprise Server 12 SP4-LTSS libsndfile1-32bit-1.0.25-36.23.1 as a component of SUSE Linux Enterprise Server 12 SP4-LTSS libsndfile1-1.0.25-36.23.1 as a component of SUSE Linux Enterprise Server 12 SP5 libsndfile1-32bit-1.0.25-36.23.1 as a component of SUSE Linux Enterprise Server 12 SP5 libsndfile1-1.0.25-36.23.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP3 libsndfile1-32bit-1.0.25-36.23.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP3 libsndfile1-1.0.25-36.23.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 libsndfile1-32bit-1.0.25-36.23.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 libsndfile1-1.0.25-36.23.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 libsndfile1-32bit-1.0.25-36.23.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 libsndfile-devel-1.0.25-36.23.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP5 libsndfile1-1.0.25-36.23.1 as a component of SUSE OpenStack Cloud 8 libsndfile1-32bit-1.0.25-36.23.1 as a component of SUSE OpenStack Cloud 8 libsndfile1-1.0.25-36.23.1 as a component of SUSE OpenStack Cloud 9 libsndfile1-32bit-1.0.25-36.23.1 as a component of SUSE OpenStack Cloud 9 libsndfile1-1.0.25-36.23.1 as a component of SUSE OpenStack Cloud Crowbar 9 libsndfile1-32bit-1.0.25-36.23.1 as a component of SUSE OpenStack Cloud Crowbar 9 A stack-based buffer overflow in psf_memset in common.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted audio file. The vulnerability can be triggered by the executable sndfile-deinterleave. CVE-2018-13139 SUSE Linux Enterprise Server 12 SP2-BCL:libsndfile1-1.0.25-36.23.1 SUSE Linux Enterprise Server 12 SP2-BCL:libsndfile1-32bit-1.0.25-36.23.1 SUSE Linux Enterprise Server 12 SP3-BCL:libsndfile1-1.0.25-36.23.1 SUSE Linux Enterprise Server 12 SP3-BCL:libsndfile1-32bit-1.0.25-36.23.1 SUSE Linux Enterprise Server 12 SP3-LTSS:libsndfile1-1.0.25-36.23.1 SUSE Linux Enterprise Server 12 SP3-LTSS:libsndfile1-32bit-1.0.25-36.23.1 SUSE Linux Enterprise Server 12 SP4-LTSS:libsndfile1-1.0.25-36.23.1 SUSE Linux Enterprise Server 12 SP4-LTSS:libsndfile1-32bit-1.0.25-36.23.1 SUSE Linux Enterprise Server 12 SP5:libsndfile1-1.0.25-36.23.1 SUSE Linux Enterprise Server 12 SP5:libsndfile1-32bit-1.0.25-36.23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP3:libsndfile1-1.0.25-36.23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP3:libsndfile1-32bit-1.0.25-36.23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libsndfile1-1.0.25-36.23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libsndfile1-32bit-1.0.25-36.23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libsndfile1-1.0.25-36.23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libsndfile1-32bit-1.0.25-36.23.1 SUSE Linux Enterprise Software Development Kit 12 SP5:libsndfile-devel-1.0.25-36.23.1 SUSE OpenStack Cloud 8:libsndfile1-1.0.25-36.23.1 SUSE OpenStack Cloud 8:libsndfile1-32bit-1.0.25-36.23.1 SUSE OpenStack Cloud 9:libsndfile1-1.0.25-36.23.1 SUSE OpenStack Cloud 9:libsndfile1-32bit-1.0.25-36.23.1 SUSE OpenStack Cloud Crowbar 9:libsndfile1-1.0.25-36.23.1 SUSE OpenStack Cloud Crowbar 9:libsndfile1-32bit-1.0.25-36.23.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20212615-1/ https://www.suse.com/security/cve/CVE-2018-13139.html CVE-2018-13139 https://bugzilla.suse.com/1100167 SUSE Bug 1100167 https://bugzilla.suse.com/1116993 SUSE Bug 1116993 https://bugzilla.suse.com/1211493 SUSE Bug 1211493 An issue was discovered in libsndfile 1.0.28. There is a NULL pointer dereference in the function sf_write_int in sndfile.c, which will lead to a denial of service. CVE-2018-19432 SUSE Linux Enterprise Server 12 SP2-BCL:libsndfile1-1.0.25-36.23.1 SUSE Linux Enterprise Server 12 SP2-BCL:libsndfile1-32bit-1.0.25-36.23.1 SUSE Linux Enterprise Server 12 SP3-BCL:libsndfile1-1.0.25-36.23.1 SUSE Linux Enterprise Server 12 SP3-BCL:libsndfile1-32bit-1.0.25-36.23.1 SUSE Linux Enterprise Server 12 SP3-LTSS:libsndfile1-1.0.25-36.23.1 SUSE Linux Enterprise Server 12 SP3-LTSS:libsndfile1-32bit-1.0.25-36.23.1 SUSE Linux Enterprise Server 12 SP4-LTSS:libsndfile1-1.0.25-36.23.1 SUSE Linux Enterprise Server 12 SP4-LTSS:libsndfile1-32bit-1.0.25-36.23.1 SUSE Linux Enterprise Server 12 SP5:libsndfile1-1.0.25-36.23.1 SUSE Linux Enterprise Server 12 SP5:libsndfile1-32bit-1.0.25-36.23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP3:libsndfile1-1.0.25-36.23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP3:libsndfile1-32bit-1.0.25-36.23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libsndfile1-1.0.25-36.23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libsndfile1-32bit-1.0.25-36.23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libsndfile1-1.0.25-36.23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libsndfile1-32bit-1.0.25-36.23.1 SUSE Linux Enterprise Software Development Kit 12 SP5:libsndfile-devel-1.0.25-36.23.1 SUSE OpenStack Cloud 8:libsndfile1-1.0.25-36.23.1 SUSE OpenStack Cloud 8:libsndfile1-32bit-1.0.25-36.23.1 SUSE OpenStack Cloud 9:libsndfile1-1.0.25-36.23.1 SUSE OpenStack Cloud 9:libsndfile1-32bit-1.0.25-36.23.1 SUSE OpenStack Cloud Crowbar 9:libsndfile1-1.0.25-36.23.1 SUSE OpenStack Cloud Crowbar 9:libsndfile1-32bit-1.0.25-36.23.1 critical 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20212615-1/ https://www.suse.com/security/cve/CVE-2018-19432.html CVE-2018-19432 https://bugzilla.suse.com/1116993 SUSE Bug 1116993 There is a heap-based buffer over-read at wav.c in wav_write_header in libsndfile 1.0.28 that will cause a denial of service. CVE-2018-19758 SUSE Linux Enterprise Server 12 SP2-BCL:libsndfile1-1.0.25-36.23.1 SUSE Linux Enterprise Server 12 SP2-BCL:libsndfile1-32bit-1.0.25-36.23.1 SUSE Linux Enterprise Server 12 SP3-BCL:libsndfile1-1.0.25-36.23.1 SUSE Linux Enterprise Server 12 SP3-BCL:libsndfile1-32bit-1.0.25-36.23.1 SUSE Linux Enterprise Server 12 SP3-LTSS:libsndfile1-1.0.25-36.23.1 SUSE Linux Enterprise Server 12 SP3-LTSS:libsndfile1-32bit-1.0.25-36.23.1 SUSE Linux Enterprise Server 12 SP4-LTSS:libsndfile1-1.0.25-36.23.1 SUSE Linux Enterprise Server 12 SP4-LTSS:libsndfile1-32bit-1.0.25-36.23.1 SUSE Linux Enterprise Server 12 SP5:libsndfile1-1.0.25-36.23.1 SUSE Linux Enterprise Server 12 SP5:libsndfile1-32bit-1.0.25-36.23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP3:libsndfile1-1.0.25-36.23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP3:libsndfile1-32bit-1.0.25-36.23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libsndfile1-1.0.25-36.23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libsndfile1-32bit-1.0.25-36.23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libsndfile1-1.0.25-36.23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libsndfile1-32bit-1.0.25-36.23.1 SUSE Linux Enterprise Software Development Kit 12 SP5:libsndfile-devel-1.0.25-36.23.1 SUSE OpenStack Cloud 8:libsndfile1-1.0.25-36.23.1 SUSE OpenStack Cloud 8:libsndfile1-32bit-1.0.25-36.23.1 SUSE OpenStack Cloud 9:libsndfile1-1.0.25-36.23.1 SUSE OpenStack Cloud 9:libsndfile1-32bit-1.0.25-36.23.1 SUSE OpenStack Cloud Crowbar 9:libsndfile1-1.0.25-36.23.1 SUSE OpenStack Cloud Crowbar 9:libsndfile1-32bit-1.0.25-36.23.1 low 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20212615-1/ https://www.suse.com/security/cve/CVE-2018-19758.html CVE-2018-19758 https://bugzilla.suse.com/1117954 SUSE Bug 1117954 https://bugzilla.suse.com/1125575 SUSE Bug 1125575 A heap buffer overflow vulnerability in msadpcm_decode_block of libsndfile 1.0.30 allows attackers to execute arbitrary code via a crafted WAV file. CVE-2021-3246 SUSE Linux Enterprise Server 12 SP2-BCL:libsndfile1-1.0.25-36.23.1 SUSE Linux Enterprise Server 12 SP2-BCL:libsndfile1-32bit-1.0.25-36.23.1 SUSE Linux Enterprise Server 12 SP3-BCL:libsndfile1-1.0.25-36.23.1 SUSE Linux Enterprise Server 12 SP3-BCL:libsndfile1-32bit-1.0.25-36.23.1 SUSE Linux Enterprise Server 12 SP3-LTSS:libsndfile1-1.0.25-36.23.1 SUSE Linux Enterprise Server 12 SP3-LTSS:libsndfile1-32bit-1.0.25-36.23.1 SUSE Linux Enterprise Server 12 SP4-LTSS:libsndfile1-1.0.25-36.23.1 SUSE Linux Enterprise Server 12 SP4-LTSS:libsndfile1-32bit-1.0.25-36.23.1 SUSE Linux Enterprise Server 12 SP5:libsndfile1-1.0.25-36.23.1 SUSE Linux Enterprise Server 12 SP5:libsndfile1-32bit-1.0.25-36.23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP3:libsndfile1-1.0.25-36.23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP3:libsndfile1-32bit-1.0.25-36.23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libsndfile1-1.0.25-36.23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libsndfile1-32bit-1.0.25-36.23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libsndfile1-1.0.25-36.23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libsndfile1-32bit-1.0.25-36.23.1 SUSE Linux Enterprise Software Development Kit 12 SP5:libsndfile-devel-1.0.25-36.23.1 SUSE OpenStack Cloud 8:libsndfile1-1.0.25-36.23.1 SUSE OpenStack Cloud 8:libsndfile1-32bit-1.0.25-36.23.1 SUSE OpenStack Cloud 9:libsndfile1-1.0.25-36.23.1 SUSE OpenStack Cloud 9:libsndfile1-32bit-1.0.25-36.23.1 SUSE OpenStack Cloud Crowbar 9:libsndfile1-1.0.25-36.23.1 SUSE OpenStack Cloud Crowbar 9:libsndfile1-32bit-1.0.25-36.23.1 critical 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20212615-1/ https://www.suse.com/security/cve/CVE-2021-3246.html CVE-2021-3246 https://bugzilla.suse.com/1188540 SUSE Bug 1188540