SoX: User-assisted execution of arbitrary code — GLSA 201612-30

Multiple heap overflows in SoX may allow remote attackers to execute arbitrary code.

Affected packages

media-sound/sox on all architectures
Affected versions < 14.4.2
Unaffected versions >= 14.4.2

Background

SoX is a command line utility that can convert various formats of computer audio files in to other formats.

Description

A heap-based buffer overflow can be triggered when processing a malicious NIST Sphere or WAV audio file.

Impact

A remote attacker could coerce the victim to run SoX against their malicious file. This may be leveraged by an attacker to gain control of program execution with the privileges of the user.

Workaround

There is no known workaround at this time.

Resolution

All SoX users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-sound/sox-14.4.2"
 

References

Release date
December 11, 2016

Latest revision
December 11, 2016: 1

Severity
normal

Exploitable
remote

Bugzilla entries