CVE-2019-13351

Source
https://cve.org/CVERecord?id=CVE-2019-13351
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-13351.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-13351
Published
2019-07-05T20:15:14.200Z
Modified
2026-04-16T04:40:40.252655596Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

posix/JackSocket.cpp in libjack in JACK2 1.9.1 through 1.9.12 (as distributed with alsa-plugins 1.1.7 and later) has a "double file descriptor close" issue during a failed connection attempt when jackd2 is not running. Exploitation success depends on multithreaded timing of that double close, which can result in unintended information disclosure, crashes, or file corruption due to having the wrong file associated with the file descriptor.

Affected packages

Git / github.com/jackaudio/jack2

Affected ranges

Type
GIT
Repo
https://github.com/jackaudio/jack2
Events
Database specific
{
    "versions": [
        {
            "introduced": "1.9.1"
        },
        {
            "last_affected": "1.9.12"
        }
    ]
}

Database specific

unresolved_ranges
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "1.1.7"
            }
        ]
    }
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-13351.json"