CVE-2019-13351

posix/JackSocket.cpp in libjack in JACK2 1.9.1 through 1.9.12 (as distributed with alsa-plugins 1.1.7 and later) has a "double file descriptor close" issue during a failed connection attempt when jackd2 is not running. Exploitation success depends on multithreaded timing of that double close, which can result in unintended information disclosure, crashes, or file corruption due to having the wrong file associated with the file descriptor.
References
Link Resource
https://github.com/jackaudio/jack2/pull/480 Patch Third Party Advisory
https://github.com/xbmc/xbmc/issues/16258 Exploit Third Party Advisory
https://github.com/jackaudio/jack2/pull/480 Patch Third Party Advisory
https://github.com/xbmc/xbmc/issues/16258 Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:jackaudio:jack2:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:alsa-project:alsa:*:*:*:*:*:*:*:*

History

21 Nov 2024, 04:24

Type Values Removed Values Added
References () https://github.com/jackaudio/jack2/pull/480 - Patch, Third Party Advisory () https://github.com/jackaudio/jack2/pull/480 - Patch, Third Party Advisory
References () https://github.com/xbmc/xbmc/issues/16258 - Exploit, Third Party Advisory () https://github.com/xbmc/xbmc/issues/16258 - Exploit, Third Party Advisory

Information

Published : 2019-07-05 20:15

Updated : 2024-11-21 04:24


NVD link : CVE-2019-13351

Mitre link : CVE-2019-13351

CVE.ORG link : CVE-2019-13351


JSON object : View

Products Affected

jackaudio

  • jack2

alsa-project

  • alsa