Package        : faad2
Version        : 2.7-8+deb8u3
CVE ID         : CVE-2018-19502 CVE-2018-20196 CVE-2018-20199 CVE-2018-20360 
                 CVE-2019-6956 CVE-2019-15296
Debian Bug     : 914641

Multiple vulnerabilities have been discovered in faad2, the Freeware Advanced
Audio Coder:

CVE-2018-19502

    Heap buffer overflow in the function excluded_channels (libfaad/syntax.c).
    This vulnerability might allow remote attackers to cause denial of service
    via crafted MPEG AAC data.

CVE-2018-20196

    Stack buffer overflow in the function calculate_gain (libfaad/br_hfadj.c).
    This vulnerability might allow remote attackers to cause denial of service
    or any unspecified impact via crafted MPEG AAC data.

CVE-2018-20199
CVE-2018-20360

    NULL pointer dereference in the function ifilter_bank (libfaad/filtbank.c).
    This vulnerability might allow remote attackers to cause denial of service
    via crafted MPEG AAC data.

CVE-2019-6956

    Global buffer overflow in the function ps_mix_phase (libfaad/ps_dec.c).
    This vulnerability might allow remote attackers to cause denial of service
    or any other unspecified impact via crafted MPEG AAC data.

CVE-2019-15296

    Buffer overflow in the function faad_resetbits (libfaad/bits.c). This
    vulnerability might allow remote attackers to cause denial of service via
    crafted MPEG AAC data.

For Debian 8 "Jessie", these problems have been fixed in version
2.7-8+deb8u3.

We recommend that you upgrade your faad2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS