[ASA-201803-24] bchunk: denial of service
Arch Linux Security Advisory ASA-201803-24
==========================================

Severity: Medium
Date    : 2018-03-25
CVE-ID  : CVE-2017-15953 CVE-2017-15954 CVE-2017-15955
Package : bchunk
Type    : denial of service
Remote  : No
Link    : https://security.archlinux.org/AVG-475

Summary
=======

The package bchunk before version 1.2.2-4 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 1.2.2-4.

# pacman -Syu "bchunk>=1.2.2-4"

The problems have been fixed upstream in version 1.2.2.

Workaround
==========

None.

Description
===========

- CVE-2017-15953 (denial of service)

bchunk (related to BinChunker) 1.2.0 and 1.2.1 is vulnerable to a
heap-based buffer overflow and crash when processing a malformed CUE
(.cue) file.

- CVE-2017-15954 (denial of service)

bchunk (related to BinChunker) 1.2.0 and 1.2.1 is vulnerable to a
heap-based buffer overflow (with a resultant invalid free) and crash
when processing a malformed CUE (.cue) file.

- CVE-2017-15955 (denial of service)

bchunk (related to BinChunker) 1.2.0 and 1.2.1 is vulnerable to an
"Access violation near NULL on destination operand" and crash when
processing a malformed CUE (.cue) file.

Impact
======

An attacker can cause a denial of service via a crafted CUE file.

References
==========

https://github.com/extramaster/bchunk/issues/2
https://github.com/extramaster/bchunk/issues/3
https://github.com/extramaster/bchunk/issues/4
https://security.archlinux.org/CVE-2017-15953
https://security.archlinux.org/CVE-2017-15954
https://security.archlinux.org/CVE-2017-15955
Remi Gacogne