CVE-2018-10771
Description
Stack-based buffer overflow in abcm2ps through 8.13.20 allows denial of service via a crafted ABC file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stack-based buffer overflow exists in the get_key function in parse.c of abcm2ps through version 8.13.20. The vulnerability can be triggered by processing a specially crafted ABC music notation file, leading to a stack smashing detection and crash [1].
Exploitation
An attacker can exploit this vulnerability by supplying a malicious ABC file to the abcm2ps application. When the program parses the file, the get_key function at parse.c:4081 overflows a stack buffer, as demonstrated in the provided debug trace [1]. No authentication or special privileges are required; the attack is remote if the user opens the crafted file.
Impact
Successful exploitation causes a denial of service (application crash) due to stack corruption. The crash is confirmed via a stack smashing detection leading to SIGABRT [1]. The description also mentions possible unspecified other impact, though no further details are available.
Mitigation
The vulnerability exists in abcm2ps through version 8.13.20. No fixed version is mentioned in the available references [1]. Users should monitor the project for updates and consider applying any patches when released. Until then, avoid processing untrusted ABC files.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"A stack-based buffer overflow exists in the get_key function due to insufficient bounds checking on user-supplied input."
Attack vector
Remote attackers can trigger this vulnerability by providing a specially crafted input file to the abcm2ps application. The vulnerability is triggered within the `get_key` function when parsing this input. This leads to a stack smashing detection and application crash, indicating a denial of service.
Affected code
The vulnerability resides in the `get_key` function located in the `parse.c` file. The crash occurs at line 4081 within this function, as indicated by the backtrace [1]. This function is called by `get_info`, which is part of the tune processing.
What the fix does
The advisory does not specify a patch or provide details on how the vulnerability is fixed. Remediation guidance suggests updating to a version that addresses this issue, but specific changes are not detailed.
Preconditions
- input: The attacker must provide a malicious input file that exploits the buffer overflow in the `get_key` function.
Reproduction
The provided reference includes debugging output and a backtrace from running the application with a file named 'POC2', which demonstrates the stack smashing detection and subsequent termination of the program [1].
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (6)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGDXW2I3MY3QH4PJXLJET5QZZXMXTNWO/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSTB65NYYCKU7O6RF5B6CYY5IA6CA66Y/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W6DUTXB4EC3TQHTTAAIBKJ54GJTF6Y7V/ (mitre, vendor-advisory, x_refsource_FEDORA)
- drive.google.com/open (mitre, x_refsource_MISC)
- github.com/leesavide/abcm2ps/issues/17 (mitre, x_refsource_MISC)
- lists.debian.org/debian-lts-announce/2022/04/msg00015.html (mitre, mailing-list, x_refsource_MLIST)
News mentions (0)
No linked articles in our index yet.