Alpine: multiple sox packages: security update to 14.4.2-r3

medium Tenable Cloud Security Plugin ID 407173

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- An issue was discovered in SoX 14.4.2. In xmalloc.h, there is an integer overflow on the result of
multiplication fed into the lsx_valloc macro that wraps malloc. When the buffer is allocated, it is
smaller than expected, leading to a heap-based buffer overflow in channels_start in remix.c.
(CVE-2019-8355)

- An issue was discovered in SoX 14.4.2. One of the arguments to bitrv2 in fft4g.c is not guarded, such that
it can lead to write access outside of the statically declared array, aka a stack-based buffer overflow.
(CVE-2019-8356)

- An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c allows a NULL pointer dereference.
(CVE-2019-8357)

See Also

https://security.alpinelinux.org/vuln/CVE-2019-8355

https://security.alpinelinux.org/vuln/CVE-2019-8356

https://security.alpinelinux.org/vuln/CVE-2019-8357

Plugin Details

Severity: Medium

ID: 407173

Version: Revision 1.25

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.66

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.4

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2019-8357

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 5

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 2/15/2019

Reference Information

CVE: CVE-2019-8355, CVE-2019-8356, CVE-2019-8357