Source: jackd2
Version: 1.9.12~dfsg-2
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for jackd2.

CVE-2019-13351[0]:
| posix/JackSocket.cpp in libjack in JACK2 1.9.1 through 1.9.12 (as
| distributed with alsa-plugins 1.1.7 and later) has a "double file
| descriptor close" issue during a failed connection attempt when jackd2
| is not running. Exploitation success depends on multithreaded timing
| of that double close, which can result in unintended information
| disclosure, crashes, or file corruption due to having the wrong file
| associated with the file descriptor.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-13351
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13351
[1] https://github.com/jackaudio/jack2/pull/480

Regards,
Salvatore
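
The double-close hazard named in the CVE text, as an added C++ illustration of the bug class; it is not JACK2 code and not part of the original report. The wrapper type, its guarded flag and the socket path are hypothetical, and the file opened between the two closes stands in for a second thread so the outcome is deterministic.

```cpp
// Added illustration; not JACK2 source. All names here are hypothetical.
#include <cstring>
#include <fcntl.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

// Client socket wrapper. With guarded == false, Close() leaves the stale
// descriptor number in fd, so a second Close() closes whatever owns it now.
struct ClientSocket {
    int fd = -1;
    bool guarded;
    explicit ClientSocket(bool g) : guarded(g) {}
    bool Connect(const char* path) {
        fd = socket(AF_UNIX, SOCK_STREAM, 0);
        if (fd < 0) return false;
        sockaddr_un addr{};
        addr.sun_family = AF_UNIX;
        std::strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);
        if (connect(fd, reinterpret_cast<sockaddr*>(&addr), sizeof(addr)) < 0) {
            Close();            // first close, on the error path
            return false;
        }
        return true;
    }

    void Close() {
        if (guarded && fd < 0) return;   // already closed: nothing to do
        close(fd);
        if (guarded) fd = -1;            // forget the number once released
    }
};

// Returns true if an unrelated descriptor opened between the two closes
// is still valid afterwards.
bool unrelated_fd_survives(bool guarded) {
    ClientSocket sock(guarded);
    // Constructed path with no listener, standing in for "server not running".
    sock.Connect("/nonexistent/constructed-example.sock");
    // Stand-in for another thread opening a file: POSIX hands out the lowest
    // free descriptor number, which is the one the socket just released.
    int other = open("/dev/null", O_WRONLY);
    sock.Close();               // second close, on the caller's cleanup path
    bool alive = other >= 0 && fcntl(other, F_GETFD) != -1;
    if (alive) close(other);
    return alive;
}

int main() { return unrelated_fd_survives(true) && !unrelated_fd_survives(false) ? 0 : 1; }
```

Resetting the stored descriptor to -1 at the point of release makes the later cleanup call a no-op, so the timing of other threads no longer matters.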