Debian Package Tracker

general

source: sox (main)
version: 14.4.2-3
maintainer: Debian Multimedia Maintainers (archive) [DMD]
uploaders: Jaromír Mikeš [DMD] [dm]
arch: any
std-ver: 4.1.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 14.4.1-5
old-sec: 14.4.1-5+deb8u3
stable: 14.4.1-5+deb9u1
testing: 14.4.2-3
unstable: 14.4.2-3

versioned links

14.4.1-5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
14.4.1-5+deb8u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
14.4.1-5+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
14.4.2-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libsox-dev
libsox-fmt-all
libsox-fmt-alsa
libsox-fmt-ao
libsox-fmt-base
libsox-fmt-mp3
libsox-fmt-oss
libsox-fmt-pulse
libsox3
sox

action needed

4 security issues in jessie high

There are 4 open security issues in jessie.

4 important issues:

CVE-2019-8356: An issue was discovered in SoX 14.4.2. One of the arguments to bitrv2 in fft4g.c is not guarded, such that it can lead to write access outside of the statically declared array, aka a stack-based buffer overflow.
CVE-2019-8355: An issue was discovered in SoX 14.4.2. In xmalloc.h, there is an integer overflow on the result of multiplication fed into the lsx_valloc macro that wraps malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow in channels_start in remix.c.
CVE-2019-8357: An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c allows a NULL pointer dereference.
CVE-2019-8354: An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c has an integer overflow on the result of multiplication fed into malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow.

Please fix them.

Created: 2017-08-01 Last update: 2019-04-05 00:42

12 security issues in stretch high

There are 12 open security issues in stretch.

3 important issues:

CVE-2019-8356: An issue was discovered in SoX 14.4.2. One of the arguments to bitrv2 in fft4g.c is not guarded, such that it can lead to write access outside of the statically declared array, aka a stack-based buffer overflow.
CVE-2019-8355: An issue was discovered in SoX 14.4.2. In xmalloc.h, there is an integer overflow on the result of multiplication fed into the lsx_valloc macro that wraps malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow in channels_start in remix.c.
CVE-2019-8354: An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c has an integer overflow on the result of multiplication fed into malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow.

9 issues skipped by the security teams:

CVE-2017-18189: In the startread function in xa.c in Sound eXchange (SoX) through 14.4.2, a corrupt header specifying zero channels triggers an infinite loop with a resultant NULL pointer dereference, which may allow a remote attacker to cause a denial-of-service.
CVE-2019-8357: An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c allows a NULL pointer dereference.
CVE-2017-11359: The wavwritehdr function in wav.c in Sound eXchange (SoX) 14.4.2 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted snd file, during conversion to a wav file.
CVE-2017-11332: The startread function in wav.c in Sound eXchange (SoX) 14.4.2 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted wav file.
CVE-2017-11358: The read_samples function in hcom.c in Sound eXchange (SoX) 14.4.2 allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted hcom file.
CVE-2017-15372: There is a stack-based buffer overflow in the lsx_ms_adpcm_block_expand_i function of adpcm.c in Sound eXchange (SoX) 14.4.2. A Crafted input will lead to a denial of service attack during conversion of an audio file.
CVE-2017-15370: There is a heap-based buffer overflow in the ImaExpandS function of ima_rw.c in Sound eXchange (SoX) 14.4.2. A Crafted input will lead to a denial of service attack during conversion of an audio file.
CVE-2017-15642: In lsx_aiffstartread in aiff.c in Sound eXchange (SoX) 14.4.2, there is a Use-After-Free vulnerability triggered by supplying a malformed AIFF file.
CVE-2017-15371: There is a reachable assertion abort in the function sox_append_comment() in formats.c in Sound eXchange (SoX) 14.4.2. A Crafted input will lead to a denial of service attack during conversion of an audio file.

Please fix them.

Created: 2017-08-01 Last update: 2019-04-05 00:42

4 security issues in buster high

There are 4 open security issues in buster.

3 important issues:

CVE-2019-8356: An issue was discovered in SoX 14.4.2. One of the arguments to bitrv2 in fft4g.c is not guarded, such that it can lead to write access outside of the statically declared array, aka a stack-based buffer overflow.
CVE-2019-8355: An issue was discovered in SoX 14.4.2. In xmalloc.h, there is an integer overflow on the result of multiplication fed into the lsx_valloc macro that wraps malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow in channels_start in remix.c.
CVE-2019-8354: An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c has an integer overflow on the result of multiplication fed into malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow.

1 issue skipped by the security teams:

CVE-2019-8357: An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c allows a NULL pointer dereference.

Please fix them.

Created: 2019-02-16 Last update: 2019-04-05 00:42

4 security issues in sid high

There are 4 open security issues in sid.

4 important issues:

CVE-2019-8356: An issue was discovered in SoX 14.4.2. One of the arguments to bitrv2 in fft4g.c is not guarded, such that it can lead to write access outside of the statically declared array, aka a stack-based buffer overflow.
CVE-2019-8355: An issue was discovered in SoX 14.4.2. In xmalloc.h, there is an integer overflow on the result of multiplication fed into the lsx_valloc macro that wraps malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow in channels_start in remix.c.
CVE-2019-8357: An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c allows a NULL pointer dereference.
CVE-2019-8354: An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c has an integer overflow on the result of multiplication fed into malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow.

Please fix them.

Created: 2019-02-16 Last update: 2019-04-05 00:42

2 new commits since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit 8861eb25dc94dcab727bd1cbd08d4d32782a7dd0
Author: Felipe Sateler <fsateler@debian.org>
Date:   Mon Apr 16 13:54:49 2018 -0300

    Change maintainer address to debian-multimedia@lists.debian.org

commit 9ba3f783ccf3a6a529c76f7db7e0b6fe1b3c4c43
Author: Ondřej Nový <onovy@debian.org>
Date:   Mon Feb 19 10:12:24 2018 +0100

    d/control: Set Vcs-* to salsa.debian.org

The Vcs URL is using anonscm.debian.org. Please update it for the move to salsa.debian.org.

Created: 2018-02-19 Last update: 2019-04-19 13:38

lintian reports 2 warnings normal

Lintian reports 2 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2018-09-12 Last update: 2018-09-12 08:25

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2016-04-07 Last update: 2016-04-07 19:01

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.3.0 instead of 4.1.2).

Created: 2018-04-16 Last update: 2018-12-23 17:15

news

[rss feed]

[2019-03-05] Accepted sox 14.4.1-5+deb8u3 (source amd64) into oldstable (Hugo Lefeuvre)
[2019-02-28] Accepted sox 14.4.1-5+deb8u2 (source amd64) into oldstable (Hugo Lefeuvre)
[2019-02-24] Accepted sox 14.4.1-5+deb8u1 (source amd64) into oldstable (Adrian Bunk)
[2019-02-04] Accepted sox 14.4.1-5+deb9u1 (source) into proposed-updates->stable-new, proposed-updates (Salvatore Bonaccorso)
[2017-12-24] sox 14.4.2-3 MIGRATED to testing (Debian testing watch)
[2017-12-18] Accepted sox 14.4.2-3 (source) into unstable (Jaromír Mikeš)
[2017-11-30] Accepted sox 14.4.0-3+deb7u2 (source amd64) into oldoldstable (Markus Koschany)
[2017-11-29] sox 14.4.2-2 MIGRATED to testing (Debian testing watch)
[2017-11-24] Accepted sox 14.4.2-2 (source) into unstable (Jaromír Mikeš)
[2017-11-19] Accepted sox 14.4.2-1 (source amd64) into experimental, experimental (Jaromír Mikeš) (signed by: Sebastian Ramacher)
[2015-01-03] Accepted sox 14.3.1-1+deb6u1 (source i386) into squeeze-lts (Thorsten Alteholz)
[2014-12-30] sox 14.4.1-5 MIGRATED to testing (Britney)
[2014-12-24] Accepted sox 14.4.1-5 (source amd64) into unstable (Pascal Giard)
[2014-12-24] Accepted sox 14.4.0-3+deb7u1 (source) into proposed-updates->stable-new, proposed-updates (Pascal Giard)
[2014-06-01] sox 14.4.1-4 MIGRATED to testing (Debian testing watch)
[2014-05-22] Accepted sox 14.4.1-4 (source amd64) (Pascal Giard)
[2013-05-05] sox 14.4.1-3 MIGRATED to testing (Debian testing watch)
[2013-04-16] Accepted sox 14.4.1-3 (source amd64) (Pascal Giard)
[2013-02-23] Accepted sox 14.4.1-2 (source amd64) (Pascal Giard)
[2013-02-12] Accepted sox 14.4.1-1 (source amd64) (Pascal Giard)
[2013-01-19] Accepted sox 14.4.0-5 (source amd64) (Pascal Giard)
[2013-01-18] Accepted sox 14.4.0-4 (source amd64) (Pascal Giard)
[2012-06-01] sox 14.4.0-3 MIGRATED to testing (Debian testing watch)
[2012-05-07] Accepted sox 14.4.0-3 (source amd64) (Pascal Giard)
[2012-03-12] Accepted sox 14.4.0-2 (source amd64) (Pascal Giard)
[2012-03-11] Accepted sox 14.4.0-1 (source amd64) (Pascal Giard)
[2011-12-21] sox 14.3.2-3 MIGRATED to testing (Debian testing watch)
[2011-12-11] Accepted sox 14.3.2-3 (source amd64) (Pascal Giard)
[2011-09-01] sox 14.3.2-2 MIGRATED to testing (Debian testing watch)
[2011-08-22] Accepted sox 14.3.2-2 (source amd64) (Pascal Giard)

bugs [bug history graph]

all: 12
RC: 0
I&N: 6
M&W: 6
F&P: 0
patch: 0

links

homepage
lintian (0, 2)
buildd: logs, checks, clang, reproducibility, cross
popcon
browse source code
edit tags
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 14.4.2-3
2 bugs