#2014-010 SoX input sanitization errors

Description:

The SoX project is an open source tool for sound processing.

The sox command line tool is affected by two heap-based buffer overflows,
respectively located in functions start_read() and AdpcmReadBlock().

A specially crafted wav file can be used to trigger the vulnerabilities.

Affected version:

SoX <= 14.4.1

Fixed version:

SoX > 14.4.1

Credit: vulnerability report received from the Google Security Team.

CVE: CVE-2014-8145

Timeline:

2014-11-20: vulnerability report received
2014-12-02: contacted maintainer
2014-12-13: patch provided by maintainer
2014-12-14: reporter confirms patch
2014-12-15: contacted affected vendors
2014-12-18: assigned CVE
2014-12-22: advisory release

References:
http://sox.sourceforge.net

Permalink:
http://www.ocert.org/advisories/ocert-2014-010.html

-- 
Andrea Barisani |                Founder & Project Coordinator
          oCERT | OSS Computer Security Incident Response Team

<lcars@ocert.org>                         http://www.ocert.org
 0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
        "Pluralitas non est ponenda sine necessitate"