UBUNTU-CVE-2019-13351

Source
https://ubuntu.com/security/CVE-2019-13351
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-13351.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2019-13351
Published
2019-07-05T20:15:00Z
Modified
2026-04-22T12:10:09.612851Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Ubuntu - low
Summary
[none]
Details

posix/JackSocket.cpp in libjack in JACK2 1.9.1 through 1.9.12 (as distributed with alsa-plugins 1.1.7 and later) has a "double file descriptor close" issue during a failed connection attempt when jackd2 is not running. Exploitation success depends on multithreaded timing of that double close, which can result in unintended information disclosure, crashes, or file corruption due to having the wrong file associated with the file descriptor.

References

Affected packages

Ubuntu:Pro:16.04:LTS / jackd2

Package

Name
jackd2
Purl
pkg:deb/ubuntu/jackd2@1.9.10+20150825git1ed50c92~dfsg-1ubuntu1+esm1?arch=source&distro=esm-infra/xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.9.10+20150825git1ed50c92~dfsg-1ubuntu1+esm1

Affected versions

1.*
1.9.10+20140719git3eb0ae6a~dfsg-3ubuntu1
1.9.10+20150825git1ed50c92~dfsg-1ubuntu1

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_name": "jackd2",
            "binary_version": "1.9.10+20150825git1ed50c92~dfsg-1ubuntu1+esm1"
        },
        {
            "binary_name": "jackd2-firewire",
            "binary_version": "1.9.10+20150825git1ed50c92~dfsg-1ubuntu1+esm1"
        },
        {
            "binary_name": "libjack-jackd2-0",
            "binary_version": "1.9.10+20150825git1ed50c92~dfsg-1ubuntu1+esm1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-13351.json"

Ubuntu:18.04:LTS / jackd2

Package

Name
jackd2
Purl
pkg:deb/ubuntu/jackd2@1.9.12~dfsg-2?arch=source&distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*
1.9.10+20150825git1ed50c92~dfsg-5ubuntu1
1.9.10+20150825git1ed50c92~dfsg-6
1.9.12~dfsg-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "jackd2",
            "binary_version": "1.9.12~dfsg-2"
        },
        {
            "binary_name": "jackd2-firewire",
            "binary_version": "1.9.12~dfsg-2"
        },
        {
            "binary_name": "libjack-jackd2-0",
            "binary_version": "1.9.12~dfsg-2"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-13351.json"

Ubuntu:20.04:LTS / jackd2

Package

Name
jackd2
Purl
pkg:deb/ubuntu/jackd2@1.9.12~dfsg-2ubuntu2?arch=source&distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.9.12~dfsg-2ubuntu2

Affected versions

1.*
1.9.12~dfsg-2build1
1.9.12~dfsg-2build2
1.9.12~dfsg-2ubuntu1

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_name": "jackd2",
            "binary_version": "1.9.12~dfsg-2ubuntu2"
        },
        {
            "binary_name": "jackd2-firewire",
            "binary_version": "1.9.12~dfsg-2ubuntu2"
        },
        {
            "binary_name": "libjack-jackd2-0",
            "binary_version": "1.9.12~dfsg-2ubuntu2"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-13351.json"