A floating point exception vulnerability was found in sox, in the read_samples function at sox/src/voc.c:334:18. This flaw can lead to a denial of service.
Weakness
The code performs a comparison such as an equality test between two float (floating point) values, but it uses comparison operators that do not account for the possibility of loss of precision.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Sound_exchange | Sound_exchange_project | 14.4.3 (including) | 14.4.3 (including) |
| Sox | Ubuntu | bionic | * |
| Sox | Ubuntu | esm-apps/bionic | * |
| Sox | Ubuntu | esm-apps/focal | * |
| Sox | Ubuntu | esm-apps/jammy | * |
| Sox | Ubuntu | esm-apps/noble | * |
| Sox | Ubuntu | esm-apps/xenial | * |
| Sox | Ubuntu | esm-infra-legacy/trusty | * |
| Sox | Ubuntu | focal | * |
| Sox | Ubuntu | jammy | * |
| Sox | Ubuntu | kinetic | * |
| Sox | Ubuntu | lunar | * |
| Sox | Ubuntu | mantic | * |
| Sox | Ubuntu | noble | * |
| Sox | Ubuntu | trusty | * |
| Sox | Ubuntu | trusty/esm | * |
| Sox | Ubuntu | upstream | * |
| Sox | Ubuntu | xenial | * |
Extended Description
Numeric calculation using floating point values can generate imprecise results because of rounding errors. As a result, two different calculations might generate numbers that are mathematically equal, but have slightly different bit representations that do not translate to the same mathematically-equal values. As a result, an equality test or other comparison might produce unexpected results.
References
- https://access.redhat.com/security/cve/CVE-2023-32627
- https://bugzilla.redhat.com/show_bug.cgi?id=2212282
- https://lists.debian.org/debian-lts-announce/2023/08/msg00015.html
- https://access.redhat.com/security/cve/CVE-2023-32627
- https://bugzilla.redhat.com/show_bug.cgi?id=2212282
- https://lists.debian.org/debian-lts-announce/2023/08/msg00015.html