Bug#914641: faad2: CVE-2018-19502 CVE-2018-19503 CVE-2018-19504
Salvatore Bonaccorso
carnil at debian.org
Sat Jan 26 09:59:42 GMT 2019
Control: retitle -1 faad2: CVE-2018-19502 CVE-2018-19503 CVE-2018-19504 CVE-2019-6956
On Sun, Nov 25, 2018 at 09:47:22PM +0100, Salvatore Bonaccorso wrote:
> Source: faad2
> Version: 2.8.8-1
> Severity: important
> Tags: security upstream
> Forwarded: https://sourceforge.net/p/faac/bugs/240/
>
> Hi,
>
> The following vulnerabilities were published for faad2.
>
> CVE-2018-19502[0]:
> | An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2)
> | 2.8.1. There was a heap-based buffer overflow in the function
> | excluded_channels() in libfaad/syntax.c.
>
> CVE-2018-19503[1]:
> | An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2)
> | 2.8.1. There was a stack-based buffer overflow in the function
> | calculate_gain() in libfaad/sbr_hfadj.c.
>
> CVE-2018-19504[2]:
> | An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2)
> | 2.8.1. There is a NULL pointer dereference in ifilter_bank() in
> | libfaad/filtbank.c.
One more issue was reported (unfortunately in the same upstream bug,
so add it to the list here as well) in
https://sourceforge.net/p/faac/bugs/240/ which later on was assigned
CVE-2019-6956.
CVE-2109-6956 relates to the issue in
https://github.com/TeamSeri0us/pocs/blob/master/faad/global-buffer-overflow%40ps_mix_phase.md
Regards,
Salvatore
More information about the pkg-multimedia-maintainers
mailing list