PT-2018-15485 · Claxon · Claxon

Published

2018-08-25

Updated

2021-08-25

CVE-2018-20992

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Claxon versions prior to 0.4.1

Description An issue in Claxon allows uninitialized memory to be exposed due to mishandled decode buffer sizes. The affected versions made an invalid assumption about the decode buffer size being a multiple of a value read from the bitstream, potentially causing parts of the decode buffer to not be overwritten. If the decode buffer was newly allocated and uninitialized, this uninitialized memory could be exposed, allowing an attacker to observe parts of it in the decoded audio stream.

Recommendations For versions prior to 0.4.1, update to version 0.4.1 or later, which includes a correction to check that the value read from the bitstream divides the decode buffer size and returns a format error if it does not, preventing the exposure of the decode buffer.

Fix

Use of Uninitialized Resource

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-908

Related Identifiers

CVE-2018-20992

GHSA-8C6G-4XC5-W96C

RUSTSEC-2018-0004

Affected Products

Claxon

PT-2018-15485 · Claxon · Claxon

CVE-2018-20992

Weakness Enumeration

Related Identifiers

Affected Products

References · 10