Bug 1137822 – VUL-0: CVE-2018-19801: aubio: NULL pointer dereference

Bug 1137822 - (CVE-2018-19801) VUL-0: CVE-2018-19801: aubio: NULL pointer dereference

(CVE-2018-19801)
Summary:	VUL-0: CVE-2018-19801: aubio: NULL pointer dereference

Status:	RESOLVED FIXED

Classification:	openSUSE
Product:	openSUSE Distribution
Classification:	openSUSE
Component:	Other
Version:	Leap 15.1
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal (vote)
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/234586/
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2019-06-11 07:34 UTC by Alexander Bergmann
Modified:	2019-07-03 08:27 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexander Bergmann 2019-06-11 07:34:28 UTC

CVE-2018-19801

aubio v0.4.0 to v0.4.8 has a NULL pointer dereference (issue 1 of 6).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19801
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-19801.html
http://www.cvedetails.com/cve/CVE-2018-19801/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19801
https://github.com/aubio/aubio/blob/0.4.9/ChangeLog

Comment 1 Takashi Iwai 2019-06-12 14:11:24 UTC

Zero information about the actual matter and the corresponding fix, and the git commits of aubio are horrible, zero comments.

I can only wild-guess this corresponding to the commit eda95c9c22b4f0b466ae94c4708765eaae6e709e
    [filterbank] validate input parameters

Comment 2 Takashi Iwai 2019-06-12 14:43:08 UTC

The fix is submitted to Leap 42.3, Leap 15.0 and Leap 15.1.
Reassigned back to security team.

Comment 3 Swamp Workflow Management 2019-06-12 15:50:32 UTC

This is an autogenerated message for OBS integration:
This bug (1137822) was mentioned in
https://build.opensuse.org/request/show/709475 15.0 / aubio
https://build.opensuse.org/request/show/709476 15.1 / aubio
https://build.opensuse.org/request/show/709513 42.3 / aubio

Comment 4 Swamp Workflow Management 2019-06-24 19:11:18 UTC

openSUSE-SU-2019:1618-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1137822,1137823,1137828
CVE References: CVE-2018-19800,CVE-2018-19801,CVE-2018-19802
Sources used:
openSUSE Leap 42.3 (src):    aubio-0.4.1-9.13.1
openSUSE Leap 15.1 (src):    aubio-0.4.6-lp151.6.3.1, python-aubio-0.4.6-lp151.6.3.1
openSUSE Leap 15.0 (src):    aubio-0.4.6-lp150.3.10.1, python-aubio-0.4.6-lp150.3.10.1

Comment 5 Swamp Workflow Management 2019-06-25 13:12:05 UTC

openSUSE-SU-2019:1624-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1137822,1137823,1137828
CVE References: CVE-2018-19800,CVE-2018-19801,CVE-2018-19802
Sources used:
openSUSE Backports SLE-15 (src):    aubio-0.4.6-bp150.3.12.1, python-aubio-0.4.6-bp150.3.12.1

Comment 6 Marcus Meissner 2019-07-03 08:27:35 UTC

released