Debian Package Tracker

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2019-13590: An issue was discovered in libsox.a in SoX 14.4.2. In sox-fmt.h (startread function), there is an integer overflow on the result of integer addition (wraparound to 0) fed into the lsx_calloc macro that wraps malloc. When a NULL pointer is returned, it is used without a prior check that it is a valid pointer, leading to a NULL pointer dereference on lsx_readbuf in formats_i.c.

Please fix it.

Created: 2019-07-14 Last update: 2019-08-16 15:15

1 security issue in bullseye high

There is 1 open security issue in bullseye.

1 important issue:

CVE-2019-13590: An issue was discovered in libsox.a in SoX 14.4.2. In sox-fmt.h (startread function), there is an integer overflow on the result of integer addition (wraparound to 0) fed into the lsx_calloc macro that wraps malloc. When a NULL pointer is returned, it is used without a prior check that it is a valid pointer, leading to a NULL pointer dereference on lsx_readbuf in formats_i.c.

Please fix it.

Created: 2019-07-14 Last update: 2019-08-16 15:15

14 security issues in stretch high

There are 14 open security issues in stretch.

4 important issues:

CVE-2019-8356: An issue was discovered in SoX 14.4.2. One of the arguments to bitrv2 in fft4g.c is not guarded, such that it can lead to write access outside of the statically declared array, aka a stack-based buffer overflow.
CVE-2019-8354: An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c has an integer overflow on the result of multiplication fed into malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow.
CVE-2019-8355: An issue was discovered in SoX 14.4.2. In xmalloc.h, there is an integer overflow on the result of multiplication fed into the lsx_valloc macro that wraps malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow in channels_start in remix.c.
CVE-2019-8357: An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c allows a NULL pointer dereference.

10 issues skipped by the security teams:

CVE-2017-11332: The startread function in wav.c in Sound eXchange (SoX) 14.4.2 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted wav file.
CVE-2019-1010004: SoX - Sound eXchange 14.4.2 and earlier is affected by: Out-of-bounds Read. The impact is: Denial of Service. The component is: read_samples function at xa.c:219. The attack vector is: Victim must open specially crafted .xa file. NOTE: this may overlap CVE-2017-18189.
CVE-2017-11359: The wavwritehdr function in wav.c in Sound eXchange (SoX) 14.4.2 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted snd file, during conversion to a wav file.
CVE-2017-15370: There is a heap-based buffer overflow in the ImaExpandS function of ima_rw.c in Sound eXchange (SoX) 14.4.2. A Crafted input will lead to a denial of service attack during conversion of an audio file.
CVE-2017-11358: The read_samples function in hcom.c in Sound eXchange (SoX) 14.4.2 allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted hcom file.
CVE-2019-13590: An issue was discovered in libsox.a in SoX 14.4.2. In sox-fmt.h (startread function), there is an integer overflow on the result of integer addition (wraparound to 0) fed into the lsx_calloc macro that wraps malloc. When a NULL pointer is returned, it is used without a prior check that it is a valid pointer, leading to a NULL pointer dereference on lsx_readbuf in formats_i.c.
CVE-2017-15372: There is a stack-based buffer overflow in the lsx_ms_adpcm_block_expand_i function of adpcm.c in Sound eXchange (SoX) 14.4.2. A Crafted input will lead to a denial of service attack during conversion of an audio file.
CVE-2017-18189: In the startread function in xa.c in Sound eXchange (SoX) through 14.4.2, a corrupt header specifying zero channels triggers an infinite loop with a resultant NULL pointer dereference, which may allow a remote attacker to cause a denial-of-service.
CVE-2017-15642: In lsx_aiffstartread in aiff.c in Sound eXchange (SoX) 14.4.2, there is a Use-After-Free vulnerability triggered by supplying a malformed AIFF file.
CVE-2017-15371: There is a reachable assertion abort in the function sox_append_comment() in formats.c in Sound eXchange (SoX) 14.4.2. A Crafted input will lead to a denial of service attack during conversion of an audio file.

Please fix them.

Created: 2017-08-01 Last update: 2019-08-16 15:15

11 new commits since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit c5cc3f49f6f9db03b31cf9e25a11178af91d6c10
Author: Ondřej Nový <onovy@debian.org>
Date:   Sat Jul 20 00:51:17 2019 +0200

    Use debhelper-compat instead of debian/compat

commit 1ca9b29cf067da66492524185889358f27eccc50
Author: Tiago Bortoletto Vaz <tiago@debian.org>
Date:   Sat Apr 27 17:44:21 2019 -0400

    Fix changelog

commit 8b7d71d0095a688a6f344345c47de7480ac414bd
Author: Tiago Bortoletto Vaz <tiago@debian.org>
Date:   Sat Apr 27 17:36:42 2019 -0400

    reverting src/fft4g.h, changed by mistake.

commit 42744fad52c1d7f13a90d8c9c14dcaec1a15006f
Author: Tiago Bortoletto Vaz <tiago@debian.org>
Date:   Sat Apr 27 17:08:56 2019 -0400

    Fixing 0017-CVE-2019-8355.patch.

commit 39ee7a600bbe0937db5f022cb44374d34807a98c
Author: Tiago Bortoletto Vaz <tiago@debian.org>
Date:   Sat Apr 27 16:47:36 2019 -0400

    Add patch for CVE-2019-8356.

commit 69b6411ac706cb87055a4738f2c6e66942f0634d
Author: Tiago Bortoletto Vaz <tiago@debian.org>
Date:   Sat Apr 27 16:44:11 2019 -0400

    Readding 0019 patch after testing.

commit 25a1916789d82d5f87616f37e089cb05f3f25a5f
Author: Tiago Bortoletto Vaz <tiago@debian.org>
Date:   Sat Apr 27 16:42:54 2019 -0400

    Fixing 0016-CVE-2019-8354.patch

commit 4a12e7a5666531cae23ee1f524b004cb93c62da1
Author: Tiago Bortoletto Vaz <tiago@debian.org>
Date:   Sat Apr 27 16:11:56 2019 -0400

    Add CVE-2019-8354 and CVE-2019-8356 patches.

commit da5518e4b67e710ed9a8f1193620c4fee56e34fa
Author: Tiago Bortoletto Vaz <tiago@debian.org>
Date:   Sat Apr 27 15:59:21 2019 -0400

    Add patch to fix CVE-2017-15372.

commit 8861eb25dc94dcab727bd1cbd08d4d32782a7dd0
Author: Felipe Sateler <fsateler@debian.org>
Date:   Mon Apr 16 13:54:49 2018 -0300

    Change maintainer address to debian-multimedia@lists.debian.org

commit 9ba3f783ccf3a6a529c76f7db7e0b6fe1b3c4c43
Author: Ondřej Nový <onovy@debian.org>
Date:   Mon Feb 19 10:12:24 2018 +0100

    d/control: Set Vcs-* to salsa.debian.org

Created: 2018-02-19 Last update: 2019-08-16 21:04

1 ignored security issue in jessie low

There is 1 open security issue in jessie.

1 issue skipped by the security teams:

CVE-2019-13590: An issue was discovered in libsox.a in SoX 14.4.2. In sox-fmt.h (startread function), there is an integer overflow on the result of integer addition (wraparound to 0) fed into the lsx_calloc macro that wraps malloc. When a NULL pointer is returned, it is used without a prior check that it is a valid pointer, leading to a NULL pointer dereference on lsx_readbuf in formats_i.c.

Please fix it.

Created: 2019-07-14 Last update: 2019-08-16 15:15

1 ignored security issue in buster low

There is 1 open security issue in buster.

1 issue skipped by the security teams:

CVE-2019-13590: An issue was discovered in libsox.a in SoX 14.4.2. In sox-fmt.h (startread function), there is an integer overflow on the result of integer addition (wraparound to 0) fed into the lsx_calloc macro that wraps malloc. When a NULL pointer is returned, it is used without a prior check that it is a valid pointer, leading to a NULL pointer dereference on lsx_readbuf in formats_i.c.

Please fix it.

Created: 2019-07-14 Last update: 2019-08-16 15:15

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2016-04-07 Last update: 2016-04-07 19:01

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.4.0 instead of 4.1.2).

Created: 2018-04-16 Last update: 2019-07-08 20:07