Sign-up

ID

VAR-201907-0408


CVE

CVE-2019-13351


TITLE

JACK2 and alsa Plug-in double release vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-006198

DESCRIPTION

posix/JackSocket.cpp in libjack in JACK2 1.9.1 through 1.9.12 (as distributed with alsa-plugins 1.1.7 and later) has a "double file descriptor close" issue during a failed connection attempt when jackd2 is not running. Exploitation success depends on multithreaded timing of that double close, which can result in unintended information disclosure, crashes, or file corruption due to having the wrong file associated with the file descriptor. JACK2 and alsa The plug-in contains a double release vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. JACK2 is a low latency audio server. There is a security vulnerability in libjack's posix/JackSocket.cpp file from JACK 21.9.1 to 1.9.12. An attacker could exploit the vulnerability to disclose information, cause damage to the file, or cause other hazards. ========================================================================== Ubuntu Security Notice USN-5656-1 October 04, 2022 jackd2 vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.04 ESM Summary: JACK could cause a crash in certain conditions. Software Description: - jackd2: JACK Audio Connection Kit (server and example clients) Details: Joseph Yasi discovered that JACK incorrectly handled the closing of a socket in certain conditions. An attacker could potentially use this issue to cause a crash. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.04 ESM: jackd2 1.9.10+20150825git1ed50c92~dfsg-1ubuntu1+esm1 jackd2-firewire 1.9.10+20150825git1ed50c92~dfsg-1ubuntu1+esm1 libjack-jackd2-0 1.9.10+20150825git1ed50c92~dfsg-1ubuntu1+esm1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5656-1 CVE-2019-13351

Trust: 2.25

sources: NVD: CVE-2019-13351 // JVNDB: JVNDB-2019-006198 // CNVD: CNVD-2019-22207 // PACKETSTORM: 168632

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-22207

AFFECTED PRODUCTS

vendor:jackaudiomodel:jack2scope:lteversion:1.9.12

Trust: 1.0

vendor:alsamodel:alsascope:lteversion:1.1.7

Trust: 1.0

vendor:jackaudiomodel:jack2scope:gteversion:1.9.1

Trust: 1.0

vendor:alsamodel:alsascope: - version: -

Trust: 0.8

vendor:jackaudiomodel:jack2scope:eqversion:1.9.12 for up to 1.9.1

Trust: 0.8

vendor:jack2model:jack2scope:gteversion:1.9.1,<=1.9.12

Trust: 0.6

sources: CNVD: CNVD-2019-22207 // JVNDB: JVNDB-2019-006198 // NVD: CVE-2019-13351

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-13351
value: HIGH

Trust: 1.0

NVD: CVE-2019-13351
value: HIGH

Trust: 0.8

CNVD: CNVD-2019-22207
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201907-326
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2019-13351
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-22207
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2019-13351
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.2
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2019-22207 // JVNDB: JVNDB-2019-006198 // CNNVD: CNNVD-201907-326 // NVD: CVE-2019-13351

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

problemtype:CWE-415

Trust: 0.8

sources: JVNDB: JVNDB-2019-006198 // NVD: CVE-2019-13351

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201907-326

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-201907-326

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-006198

PATCH
title:ALSA pluginsurl:https://alsa.opensrc.org/ALSA_plugins
Trust: 0.8
title:Set fSocket to -1 after close on an error to prevent a double close. #480url:https://github.com/jackaudio/jack2/pull/480
Trust: 0.8
title:JACK2 Information Disclosure Vulnerability Patchurl:https://www.cnvd.org.cn/patchInfo/show/168481
Trust: 0.6
title:JACK2 Security vulnerabilitiesurl:http://123.124.177.30/web/xxk/bdxqById.tag?id=94475
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2019-22207 // 
            
            
            
            JVNDB: JVNDB-2019-006198 // 
            
            
            
            CNNVD: CNNVD-201907-326

EXTERNAL IDS
db:NVDid:CVE-2019-13351
Trust: 3.1
db:JVNDBid:JVNDB-2019-006198
Trust: 0.8
db:PACKETSTORMid:168632
Trust: 0.7
db:CNVDid:CNVD-2019-22207
Trust: 0.6
db:CNNVDid:CNNVD-201907-326
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2019-22207 // 
            
            
            
            JVNDB: JVNDB-2019-006198 // 
            
            
            
            PACKETSTORM: 168632 // 
            
            
            
            CNNVD: CNNVD-201907-326 // 
            
            
            
            NVD: CVE-2019-13351

REFERENCES
url:https://github.com/xbmc/xbmc/issues/16258
Trust: 2.2
url:https://github.com/jackaudio/jack2/pull/480
Trust: 1.6
url:https://nvd.nist.gov/vuln/detail/cve-2019-13351
Trust: 1.5
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-13351
Trust: 0.8
url:https://packetstormsecurity.com/files/168632/ubuntu-security-notice-usn-5656-1.html
Trust: 0.6
url:https://vigilance.fr/vulnerability/jack2-file-reading-via-double-file-descriptor-close-39460
Trust: 0.6
url:https://ubuntu.com/security/notices/usn-5656-1
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2019-22207 // 
            
            
            
            JVNDB: JVNDB-2019-006198 // 
            
            
            
            PACKETSTORM: 168632 // 
            
            
            
            CNNVD: CNNVD-201907-326 // 
            
            
            
            NVD: CVE-2019-13351

CREDITS
Ubuntu
Trust: 0.1
sources:
            
            
            PACKETSTORM: 168632

SOURCES
db:CNVDid:CNVD-2019-22207
db:JVNDBid:JVNDB-2019-006198
db:PACKETSTORMid:168632
db:CNNVDid:CNNVD-201907-326
db:NVDid:CVE-2019-13351

LAST UPDATE DATE
2024-11-23T21:59:50.226000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2019-22207date:2019-07-12T00:00:00
db:JVNDBid:JVNDB-2019-006198date:2019-07-12T00:00:00
db:CNNVDid:CNNVD-201907-326date:2022-10-08T00:00:00
db:NVDid:CVE-2019-13351date:2024-11-21T04:24:46.307

SOURCES RELEASE DATE
db:CNVDid:CNVD-2019-22207date:2019-07-12T00:00:00
db:JVNDBid:JVNDB-2019-006198date:2019-07-12T00:00:00
db:PACKETSTORMid:168632date:2022-10-05T14:27:48
db:CNNVDid:CNNVD-201907-326date:2019-07-05T00:00:00
db:NVDid:CVE-2019-13351date:2019-07-05T20:15:14.200