===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0290
                  USN-4704-1: libsndfile vulnerabilities
                              27 January 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libsndfile
Publisher:         Ubuntu
Operating System:  Ubuntu
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-3832 CVE-2018-19758 CVE-2018-19662
                   CVE-2018-19661 CVE-2018-19432 CVE-2018-13139
                   CVE-2017-16942 CVE-2017-14634 CVE-2017-14246
                   CVE-2017-14245 CVE-2017-12562 CVE-2017-6892

Reference:         ESB-2020.3743
                   ESB-2020.1498
                   ESB-2019.2063
                   ESB-2019.0011

Original Bulletin: 
   https://ubuntu.com/security/notices/USN-4704-1

--------------------------BEGIN INCLUDED TEXT--------------------

USN-4704-1: libsndfile vulnerabilities
26 January 2021

Several security issues were fixed in libsndfile.

Releases

  o Ubuntu 16.04 LTS
  o Ubuntu 14.04 ESM

Packages

  o libsndfile - Library for reading/writing audio files

Details

It was discovered that libsndfile incorrectly handled certain malformed
files. A remote attacker could use this issue to cause libsndfile to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2017-12562)

It was discovered that libsndfile incorrectly handled certain malformed
files. A remote attacker could use this issue to cause libsndfile to
crash, resulting in a denial of service, or possibly execute arbitrary
code. This issue only affected Ubuntu 14.04 ESM. (CVE-2017-14245,
CVE-2017-14246, CVE-2017-14634, CVE-2017-16942, CVE-2017-6892,
CVE-2018-13139, CVE-2018-19432, CVE-2018-19661, CVE-2018-19662,
CVE-2018-19758, CVE-2019-3832)

Update instructions

The problem can be corrected by updating your system to the following package
versions:

Ubuntu 16.04

  o libsndfile1 - 1.0.25-10ubuntu0.16.04.3
  o sndfile-programs - 1.0.25-10ubuntu0.16.04.3

Ubuntu 14.04

  o libsndfile1 - 1.0.25-7ubuntu2.2+esm1
  o sndfile-programs - 1.0.25-7ubuntu2.2+esm1

After a standard system update you need to restart your session to make all
the necessary changes.

References

  o CVE-2017-12562
  o CVE-2018-19758
  o CVE-2018-19661
  o CVE-2017-16942
  o CVE-2017-6892
  o CVE-2018-19432
  o CVE-2018-19662
  o CVE-2017-14246
  o CVE-2017-14634
  o CVE-2019-3832
  o CVE-2018-13139
  o CVE-2017-14245

Related notices

  o USN-4013-1: libsndfile1, libsndfile

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================