CVE Vulnerabilities

CVE-2019-13351

Published: Jul 05, 2019 | Modified: Aug 24, 2020
CVSS 3.x
8.1
HIGH
Source:
NVD
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
6.8 MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3
Ubuntu
LOW

posix/JackSocket.cpp in libjack in JACK2 1.9.1 through 1.9.12 (as distributed with alsa-plugins 1.1.7 and later) has a double file descriptor close issue during a failed connection attempt when jackd2 is not running. Exploitation success depends on multithreaded timing of that double close, which can result in unintended information disclosure, crashes, or file corruption due to having the wrong file associated with the file descriptor.

Affected Software

Name Vendor Start Version End Version
Jack2 Jackaudio 1.9.1 (including) 1.9.12 (including)
Jackd2 Ubuntu bionic *
Jackd2 Ubuntu cosmic *
Jackd2 Ubuntu devel *
Jackd2 Ubuntu disco *
Jackd2 Ubuntu eoan *
Jackd2 Ubuntu esm-infra/bionic *
Jackd2 Ubuntu esm-infra/xenial *
Jackd2 Ubuntu focal *
Jackd2 Ubuntu groovy *
Jackd2 Ubuntu hirsute *
Jackd2 Ubuntu impish *
Jackd2 Ubuntu jammy *
Jackd2 Ubuntu kinetic *
Jackd2 Ubuntu lunar *
Jackd2 Ubuntu mantic *
Jackd2 Ubuntu noble *
Jackd2 Ubuntu oracular *
Jackd2 Ubuntu trusty *
Jackd2 Ubuntu xenial *

References