CVE-2019-13351

Published: Jul 5, 2019Modified: Nov 21, 2024

8.1

Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.2 / Impact: 5.9

Source: NVD

Description

posix/JackSocket.cpp in libjack in JACK2 1.9.1 through 1.9.12 (as distributed with alsa-plugins 1.1.7 and later) has a "double file descriptor close" issue during a failed connection attempt when jackd2 is not running. Exploitation success depends on multithreaded timing of that double close, which can result in unintended information disclosure, crashes, or file corruption due to having the wrong file associated with the file descriptor.

Affected (2)

Products: Jackaudio: Jack2 · Alsa Project: Alsa

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Jackaudio Jack2	From 1.9.1 to 1.9.12

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Alsa Project Alsa	Up to 1.1.7

References (4)

https://github.com/jackaudio/jack2/pull/480

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/xbmc/xbmc/issues/16258

Source: cve@mitre.org

ExploitThird Party Advisory

https://github.com/jackaudio/jack2/pull/480

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/xbmc/xbmc/issues/16258

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.