Security Advisory Details

NS-SA-2021-0046

2021-03-09 14:13:24

Summary

critical: thunderbird/audiofile security update

Severity

critical

Topic

An update for thunderbird/audiofile is now available for NewStart CGSL MAIN 5.04/CGSL CORE 5.04.
NewStart Security has rated this update as having a security impact of critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

thunderbird: Mozilla Thunderbird is a standalone mail and newsgroup client.
audiofile: The audiofile-devel package contains libraries, include files, and other resources you can use to develop Audio File applications.


Security Fix(es):
thunderbird: Use after free in WebRTC in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially exploit heap corruption via a crafted SCTP packet. (CVE-2020-16044)
thunderbird: bugfix
audiofile: The audiofile Audio File Library 0.3.6 has a NULL pointer dereference bug in ModuleState::setup in modules/ModuleState.cpp, which allows an attacker to cause a denial of service via a crafted caf file, as demonstrated by sfconvert. (CVE-2018-13440)
audiofile: An issue has been discovered in mpruett Audio File Library (aka audiofile) 0.3.6, 0.3.5, 0.3.4, 0.3.3, 0.3.2, 0.3.1, 0.3.0. A heap-based buffer overflow in Expand3To4Module::run has occurred when running sfconvert. (CVE-2018-17095)
audiofile: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 5.04.F30B3.

Affected Components

  • thunderbird
  • audiofile

Affected Products

  • CGSL MAIN 5.04
  • CGSL CORE 5.04

Updated Packages

CGSL MAIN 5.04

  • thunderbird-78.6.1-1.el7.centos.src.rpm (source)
  • thunderbird-78.6.1-1.el7.centos.x86_64.rpm
  • audiofile-0.3.6-9.el7.src.rpm (source)
  • audiofile-0.3.6-9.el7.x86_64.rpm
  • audiofile-devel-0.3.6-9.el7.x86_64.rpm

CGSL CORE 5.04

  • thunderbird-78.6.1-1.el7.centos.src.rpm (source)
  • thunderbird-78.6.1-1.el7.centos.x86_64.rpm
  • audiofile-0.3.6-9.el7.src.rpm (source)
  • audiofile-devel-0.3.6-9.el7.x86_64.rpm
  • audiofile-0.3.6-9.el7.x86_64.rpm

CVE

References