Debian Package Tracker

general

source: sox (main)
version: 14.4.2+git20190427-1
maintainer: Debian Multimedia Maintainers (archive) [DMD]
uploaders: Jaromír Mikeš [DMD] [dm]
arch: any
std-ver: 4.1.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 14.4.1-5
old-sec: 14.4.1-5+deb8u4
stable: 14.4.1-5+deb9u1
testing: 14.4.2+git20190427-1
unstable: 14.4.2+git20190427-1

versioned links

14.4.1-5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
14.4.1-5+deb8u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
14.4.1-5+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
14.4.2+git20190427-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libsox-dev
libsox-fmt-all
libsox-fmt-alsa
libsox-fmt-ao
libsox-fmt-base
libsox-fmt-mp3
libsox-fmt-oss
libsox-fmt-pulse
libsox3
sox (10 bugs: 0, 4, 6, 0)

action needed

12 security issues in stretch high

There are 12 open security issues in stretch.

4 important issues:

CVE-2019-8354: An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c has an integer overflow on the result of multiplication fed into malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow.
CVE-2019-8355: An issue was discovered in SoX 14.4.2. In xmalloc.h, there is an integer overflow on the result of multiplication fed into the lsx_valloc macro that wraps malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow in channels_start in remix.c.
CVE-2019-8356: An issue was discovered in SoX 14.4.2. One of the arguments to bitrv2 in fft4g.c is not guarded, such that it can lead to write access outside of the statically declared array, aka a stack-based buffer overflow.
CVE-2019-8357: An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c allows a NULL pointer dereference.

8 issues skipped by the security teams:

CVE-2017-11332: The startread function in wav.c in Sound eXchange (SoX) 14.4.2 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted wav file.
CVE-2017-11358: The read_samples function in hcom.c in Sound eXchange (SoX) 14.4.2 allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted hcom file.
CVE-2017-15371: There is a reachable assertion abort in the function sox_append_comment() in formats.c in Sound eXchange (SoX) 14.4.2. A Crafted input will lead to a denial of service attack during conversion of an audio file.
CVE-2017-15642: In lsx_aiffstartread in aiff.c in Sound eXchange (SoX) 14.4.2, there is a Use-After-Free vulnerability triggered by supplying a malformed AIFF file.
CVE-2017-15370: There is a heap-based buffer overflow in the ImaExpandS function of ima_rw.c in Sound eXchange (SoX) 14.4.2. A Crafted input will lead to a denial of service attack during conversion of an audio file.
CVE-2017-11359: The wavwritehdr function in wav.c in Sound eXchange (SoX) 14.4.2 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted snd file, during conversion to a wav file.
CVE-2017-18189: In the startread function in xa.c in Sound eXchange (SoX) through 14.4.2, a corrupt header specifying zero channels triggers an infinite loop with a resultant NULL pointer dereference, which may allow a remote attacker to cause a denial-of-service.
CVE-2017-15372: There is a stack-based buffer overflow in the lsx_ms_adpcm_block_expand_i function of adpcm.c in Sound eXchange (SoX) 14.4.2. A Crafted input will lead to a denial of service attack during conversion of an audio file.

Please fix them.

Created: 2017-08-01 Last update: 2019-05-28 09:47

10 new commits since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit 1ca9b29cf067da66492524185889358f27eccc50
Author: Tiago Bortoletto Vaz <tiago@debian.org>
Date:   Sat Apr 27 17:44:21 2019 -0400

    Fix changelog

commit 8b7d71d0095a688a6f344345c47de7480ac414bd
Author: Tiago Bortoletto Vaz <tiago@debian.org>
Date:   Sat Apr 27 17:36:42 2019 -0400

    reverting src/fft4g.h, changed by mistake.

commit 42744fad52c1d7f13a90d8c9c14dcaec1a15006f
Author: Tiago Bortoletto Vaz <tiago@debian.org>
Date:   Sat Apr 27 17:08:56 2019 -0400

    Fixing 0017-CVE-2019-8355.patch.

commit 39ee7a600bbe0937db5f022cb44374d34807a98c
Author: Tiago Bortoletto Vaz <tiago@debian.org>
Date:   Sat Apr 27 16:47:36 2019 -0400

    Add patch for CVE-2019-8356.

commit 69b6411ac706cb87055a4738f2c6e66942f0634d
Author: Tiago Bortoletto Vaz <tiago@debian.org>
Date:   Sat Apr 27 16:44:11 2019 -0400

    Readding 0019 patch after testing.

commit 25a1916789d82d5f87616f37e089cb05f3f25a5f
Author: Tiago Bortoletto Vaz <tiago@debian.org>
Date:   Sat Apr 27 16:42:54 2019 -0400

    Fixing 0016-CVE-2019-8354.patch

commit 4a12e7a5666531cae23ee1f524b004cb93c62da1
Author: Tiago Bortoletto Vaz <tiago@debian.org>
Date:   Sat Apr 27 16:11:56 2019 -0400

    Add CVE-2019-8354 and CVE-2019-8356 patches.

commit da5518e4b67e710ed9a8f1193620c4fee56e34fa
Author: Tiago Bortoletto Vaz <tiago@debian.org>
Date:   Sat Apr 27 15:59:21 2019 -0400

    Add patch to fix CVE-2017-15372.

commit 8861eb25dc94dcab727bd1cbd08d4d32782a7dd0
Author: Felipe Sateler <fsateler@debian.org>
Date:   Mon Apr 16 13:54:49 2018 -0300

    Change maintainer address to debian-multimedia@lists.debian.org

commit 9ba3f783ccf3a6a529c76f7db7e0b6fe1b3c4c43
Author: Ondřej Nový <onovy@debian.org>
Date:   Mon Feb 19 10:12:24 2018 +0100

    d/control: Set Vcs-* to salsa.debian.org

Created: 2018-02-19 Last update: 2019-06-24 14:35

lintian reports 2 warnings normal

Lintian reports 2 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2018-09-12 Last update: 2018-09-12 08:25

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2016-04-07 Last update: 2016-04-07 19:01

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.3.0 instead of 4.1.2).

Created: 2018-04-16 Last update: 2019-04-28 09:06

news

[rss feed]

[2019-05-28] Accepted sox 14.4.1-5+deb8u4 (source amd64) into oldstable (Emilio Pozuelo Monfort)
[2019-05-03] sox 14.4.2+git20190427-1 MIGRATED to testing (Debian testing watch)
[2019-04-27] Accepted sox 14.4.2+git20190427-1 (source amd64) into unstable (Tiago Bortoletto Vaz)
[2019-03-05] Accepted sox 14.4.1-5+deb8u3 (source amd64) into oldstable (Hugo Lefeuvre)
[2019-02-28] Accepted sox 14.4.1-5+deb8u2 (source amd64) into oldstable (Hugo Lefeuvre)
[2019-02-24] Accepted sox 14.4.1-5+deb8u1 (source amd64) into oldstable (Adrian Bunk)
[2019-02-04] Accepted sox 14.4.1-5+deb9u1 (source) into proposed-updates->stable-new, proposed-updates (Salvatore Bonaccorso)
[2017-12-24] sox 14.4.2-3 MIGRATED to testing (Debian testing watch)
[2017-12-18] Accepted sox 14.4.2-3 (source) into unstable (Jaromír Mikeš)
[2017-11-30] Accepted sox 14.4.0-3+deb7u2 (source amd64) into oldoldstable (Markus Koschany)
[2017-11-29] sox 14.4.2-2 MIGRATED to testing (Debian testing watch)
[2017-11-24] Accepted sox 14.4.2-2 (source) into unstable (Jaromír Mikeš)
[2017-11-19] Accepted sox 14.4.2-1 (source amd64) into experimental, experimental (Jaromír Mikeš) (signed by: Sebastian Ramacher)
[2015-01-03] Accepted sox 14.3.1-1+deb6u1 (source i386) into squeeze-lts (Thorsten Alteholz)
[2014-12-30] sox 14.4.1-5 MIGRATED to testing (Britney)
[2014-12-24] Accepted sox 14.4.1-5 (source amd64) into unstable (Pascal Giard)
[2014-12-24] Accepted sox 14.4.0-3+deb7u1 (source) into proposed-updates->stable-new, proposed-updates (Pascal Giard)
[2014-06-01] sox 14.4.1-4 MIGRATED to testing (Debian testing watch)
[2014-05-22] Accepted sox 14.4.1-4 (source amd64) (Pascal Giard)
[2013-05-05] sox 14.4.1-3 MIGRATED to testing (Debian testing watch)
[2013-04-16] Accepted sox 14.4.1-3 (source amd64) (Pascal Giard)
[2013-02-23] Accepted sox 14.4.1-2 (source amd64) (Pascal Giard)
[2013-02-12] Accepted sox 14.4.1-1 (source amd64) (Pascal Giard)
[2013-01-19] Accepted sox 14.4.0-5 (source amd64) (Pascal Giard)
[2013-01-18] Accepted sox 14.4.0-4 (source amd64) (Pascal Giard)
[2012-06-01] sox 14.4.0-3 MIGRATED to testing (Debian testing watch)
[2012-05-07] Accepted sox 14.4.0-3 (source amd64) (Pascal Giard)
[2012-03-12] Accepted sox 14.4.0-2 (source amd64) (Pascal Giard)
[2012-03-11] Accepted sox 14.4.0-1 (source amd64) (Pascal Giard)
[2011-12-21] sox 14.3.2-3 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 12
RC: 0
I&N: 6
M&W: 6
F&P: 0
patch: 0

links

homepage
lintian (0, 2)
buildd: logs, checks, clang, reproducibility, cross
popcon
browse source code
edit tags
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 14.4.2+git20190427-1
2 bugs