Debian Patches

Status for sox/14.4.2+git20190427-3.5

Patch | Description | Author | Forwarded | Bugs | Origin | Last update
0001-fix-build.patch | fix build | Mans Rullgard <mans@mansr.com> | not-needed | | |
0003-spelling.patch | spelling fixes | Jaromír Mikeš <mira.mikes@seznam.cz> | invalid | | |
0005-CVE-2017-15371.patch | flac: fix crash on corrupt metadata (CVE-2017-15371) | Mans Rullgard <mans@mansr.com> | no | | | 2017-11-05
CVE-2017-11358.patch | hcom: fix crash on input with corrupt dictionary (CVE-2017-11358) | Mans Rullgard <mans@mansr.com> | no | | | 2017-11-05
0007-CVE-2017-15370.patch | wav: ima_adpcm: fix buffer overflow on corrupt input (CVE-2017-15370). Add the same check for bad block size as was done for MS ADPCM in commit f39c574b ("More checks for invalid MS ADPCM blocks"). | Mans Rullgard <mans@mansr.com> | no | | | 2017-11-05
0008-CVE-2017-11332.patch | wav: fix crash if channel count is zero (CVE-2017-11332) | Mans Rullgard <mans@mansr.com> | no | | | 2017-11-05
0009-CVE-2017-11359.patch | wav: fix crash writing header when channel count >64k (CVE-2017-11359) | Mans Rullgard <mans@mansr.com> | no | | | 2017-11-05
0010-wavpack_check_errors.patch | wavpack: check errors when initializing (diffstat: src/wavpack.c, 8 insertions). Jaromír Mikeš <mira.mikes@seznam.cz> | Eric Wong <normalperson@yhbt.net> | not-needed | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881145 | |
0011-lintian-man-sox.patch | Fix - W: sox: manpage-has-errors-from-man usr/share/man/man1/sox.1.gz file `<standard input>' (diff touches sox.1). Jaromír Mikeš <mira.mikes@seznam.cz> | gabor.karsay@gmx.at | invalid | | |
0012-xa-validate-channel-count.patch | A corrupt header specifying zero channels would send read_channels() into an infinite loop. Prevent this by sanity checking the channel count in open_read(). Also add an upper bound to prevent overflow in multiplication. Jaromír Mikeš <mira.mikes@seznam.cz> | Mans Rullgard <mans@mansr.com> | not-needed | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881121 | |
0013-CVE-2017-15372.patch | adpcm: fix stack overflow with >4 channels (CVE-2017-15372) | Mans Rullgard <mans@mansr.com> | no | | | 2017-11-08
0014-CVE-2017-15642.patch | This fixes a use after free and double free if an empty comment chunk follows a non-empty one. | Mans Rullgard <mans@mansr.com> | not-needed | | |
0015-Handle-vorbis_analysis_headerout-errors.patch | Handle vorbis_analysis_headerout errors. This is related to https://github.com/xiph/vorbis/pull/34 but could also happen today with other errors in the called function. | Guido Günther <agx@sigxcpu.org> | invalid | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882236 | | 2017-11-15
0016-CVE-2019-8354.patch | | | no | | |
0017-CVE-2019-8355.patch | | | no | | |
0018-CVE-2019-8356.patch | | | no | | |
0019-CVE-2019-8357.patch | | | no | | |
0020-CVE-2019-13590.patch | | | no | | |
fix-resource-leak-comments.patch | fix a resource leak of comments on input parsing failure | Helmut Grohne <helmut@subdivi.de> | no | | |
fix-resource-leak-hcom.patch | hcom: fix dictionary resource leaks. startread and stopread should release p->dictionary in all failure modes. | Helmut Grohne <helmut@subdivi.de> | no | | |
fix-hcom-big-endian.patch | hcom: fix pointer type confusion [bug #308]. The compress() call fails on big endian systems with size_t bigger than int32_t. Fix by using the correct types. | Mans Rullgard <mans@mansr.com> | no | | | 2018-04-28
CVE-2021-3643.patch | voc: word width should never be 0 to avoid division by zero. This patch fixes both CVE-2021-3643 and CVE-2021-23210. | Helmut Grohne <helmut@subdivi.de> | yes | | debian upstream |
CVE-2021-23159.patch | hcom: validate dictsize. This patch fixes both CVE-2021-23159 and CVE-2021-23172. | Helmut Grohne <helmut@subdivi.de> | yes | | debian upstream |
CVE-2021-33844.patch | wav: reject 0 bits per sample to avoid division by zero | Helmut Grohne <helmut@subdivi.de> | yes | | debian upstream |
CVE-2021-40426.patch | sphere: avoid integer underflow | Helmut Grohne <helmut@subdivi.de> | yes | | debian upstream |
CVE-2022-31650.patch | formats+aiff: reject implausibly large number of channels | Helmut Grohne <helmut@subdivi.de> | yes | | debian upstream |
CVE-2022-31651.patch | formats: reject implausible rate | Helmut Grohne <helmut@subdivi.de> | yes | | debian upstream |
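Added example, not sox code and not any of the patches listed above: a small header validator in C that applies, in one place, the class of checks the wav, xa, aiff and voc entries describe. It rejects zero channels (the infinite-loop and division-by-zero shape), an implausibly large channel count, a zero or implausible rate, zero bits per sample, and forms the bytes-per-frame product in 64-bit arithmetic before comparing it with the declared block size, so no value from the file reaches a divisor, loop bound or multiplication unchecked. The 20-byte little-endian layout, the field names, the MAX_* limits and the function names are assumptions of this example; the headers fed to it in main() are constructed.

```c
/* Added example, not sox code: header sanity checks of the kind the wav, xa,
 * aiff and voc patches above apply, run over one constructed 20-byte header.
 * Layout, field names and the MAX_* limits are this example's assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

struct pcm_header {            /* hypothetical little-endian header, five u32 fields */
    uint32_t channels;
    uint32_t rate;
    uint32_t bits_per_sample;
    uint32_t block_align;      /* bytes per sample frame as declared in the file */
    uint32_t data_bytes;
};

enum hdr_status {
    HDR_OK = 0,
    HDR_SHORT,                 /* fewer bytes than the fixed header needs */
    HDR_ZERO_CHANNELS,         /* would loop forever or divide by zero downstream */
    HDR_TOO_MANY_CHANNELS,     /* implausible; also bounds the later multiplication */
    HDR_BAD_RATE,              /* zero or implausibly large sample rate */
    HDR_BAD_BITS,              /* zero or unsupported bits per sample */
    HDR_BAD_BLOCK_ALIGN,       /* declared frame size disagrees with channels * bytes */
    HDR_BAD_DATA_LEN           /* data length is not a whole number of frames */
};

/* Assumed limits: generous for real audio, but finite so later arithmetic is bounded. */
#define MAX_CHANNELS 256u
#define MAX_RATE     4000000u
#define MAX_BITS     64u

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

enum hdr_status parse_header(const uint8_t *buf, size_t len, struct pcm_header *h) {
    if (len < 20) return HDR_SHORT;
    h->channels        = rd_le32(buf + 0);
    h->rate            = rd_le32(buf + 4);
    h->bits_per_sample = rd_le32(buf + 8);
    h->block_align     = rd_le32(buf + 12);
    h->data_bytes      = rd_le32(buf + 16);
    return HDR_OK;
}

/* Every check runs before any file value is used as a divisor, loop bound or factor. */
enum hdr_status validate_header(const struct pcm_header *h) {
    if (h->channels == 0) return HDR_ZERO_CHANNELS;
    if (h->channels > MAX_CHANNELS) return HDR_TOO_MANY_CHANNELS;
    if (h->rate == 0 || h->rate > MAX_RATE) return HDR_BAD_RATE;
    if (h->bits_per_sample == 0 || h->bits_per_sample > MAX_BITS || h->bits_per_sample % 8 != 0)
        return HDR_BAD_BITS;
    /* Both factors are bounded and the product is formed in 64 bits, so it
     * cannot wrap even if the limits above are raised later. */
    uint64_t frame = (uint64_t)h->channels * (h->bits_per_sample / 8u);
    if (frame != h->block_align) return HDR_BAD_BLOCK_ALIGN;
    if (h->data_bytes % frame != 0) return HDR_BAD_DATA_LEN;   /* frame > 0 here */
    return HDR_OK;
}

/* Pack field values into the constructed header layout (input builder for demos/tests). */
void make_header(uint8_t out[20], uint32_t ch, uint32_t rate, uint32_t bits,
                 uint32_t align, uint32_t data) {
    uint32_t v[5] = { ch, rate, bits, align, data };
    for (int i = 0; i < 5; i++) {
        out[4 * i + 0] = (uint8_t)(v[i]);
        out[4 * i + 1] = (uint8_t)(v[i] >> 8);
        out[4 * i + 2] = (uint8_t)(v[i] >> 16);
        out[4 * i + 3] = (uint8_t)(v[i] >> 24);
    }
}

/* Build, parse and validate a blob from the given fields; the first failure wins. */
enum hdr_status check_fields(uint32_t ch, uint32_t rate, uint32_t bits,
                             uint32_t align, uint32_t data, size_t len) {
    uint8_t blob[20];
    struct pcm_header h;
    make_header(blob, ch, rate, bits, align, data);
    enum hdr_status s = parse_header(blob, len, &h);
    return s != HDR_OK ? s : validate_header(&h);
}

/* Frames in the data chunk, or 0 if the header is rejected. The division is
 * only safe because validate_header() has already run. */
uint64_t frames_for_fields(uint32_t ch, uint32_t rate, uint32_t bits,
                           uint32_t align, uint32_t data) {
    struct pcm_header h = { ch, rate, bits, align, data };
    if (validate_header(&h) != HDR_OK) return 0;
    return (uint64_t)h.data_bytes / h.block_align;
}

int main(void) {
    printf("sane stereo 16-bit: status %d, frames %llu\n",
           check_fields(2, 44100, 16, 4, 1764, 20),
           (unsigned long long)frames_for_fields(2, 44100, 16, 4, 1764));
    printf("zero channels: status %d, zero bits: status %d, 70000 channels: status %d\n",
           check_fields(0, 44100, 16, 4, 1764, 20),
           check_fields(2, 44100, 0, 0, 1764, 20),
           check_fields(70000, 44100, 16, 140000, 0, 20));
    return 0;
}
```

The order of the checks is the point: the channel count and bits per sample are rejected before they become a divisor or a multiplication operand, the upper bounds make the frame-size product small enough to be meaningful, and the widened intermediate keeps that true if a limit is later relaxed. A parser that computes block or frame sizes first and checks afterwards has already done the arithmetic the patches above exist to guard.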
