CVE-2017-7697

Name: CVE-2017-7697
Description: In libsamplerate before 0.1.9, a buffer over-read occurs in the calc_output_single function in src_sinc.c via a crafted audio file.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-2845-1, ELA-527-1
Debian Bugs: 860159

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package       | Release                                   | Version         | Status
---------------------|-------------------------------------------|-----------------|-------
libsamplerate (PTS)  | jessie, jessie (lts)                      | 0.1.8-8+deb8u1  | fixed
                     | stretch (security), stretch (lts), stretch| 0.1.8-8+deb9u1  | fixed
                     | buster                                    | 0.1.9-2         | fixed
                     | bullseye                                  | 0.2.1+ds0-1     | fixed
                     | bookworm                                  | 0.2.2-3         | fixed
                     | sid, trixie                               | 0.2.2-4         | fixed

The information below is based on the following data on fixed versions.

Package        | Type   | Release    | Fixed Version   | Urgency | Origin     | Debian Bugs
---------------|--------|------------|-----------------|---------|------------|------------
libsamplerate  | source | jessie     | 0.1.8-8+deb8u1  |         | ELA-527-1  |
libsamplerate  | source | stretch    | 0.1.8-8+deb9u1  |         | DLA-2845-1 |
libsamplerate  | source | (unstable) | 0.1.9-1         |         |            | 860159

Notes

[jessie] - libsamplerate <no-dsa> (Minor issue)
[wheezy] - libsamplerate <no-dsa> (Minor issue)
https://github.com/erikd/libsamplerate/issues/11
https://blogs.gentoo.org/ago/2017/04/11/libsamplerate-global-buffer-overflow-in-calc_output_single-src_sinc-c/
Fixed by: https://github.com/erikd/libsamplerate/commit/c3b66186656de44da18b7058aec099dbe782dd0b
