Version in base suite: 14.4.2+git20190427-2 Base version: sox_14.4.2+git20190427-2 Target version: sox_14.4.2+git20190427-2+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/sox/sox_14.4.2+git20190427-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/s/sox/sox_14.4.2+git20190427-2+deb11u1.dsc changelog | 12 ++++++++ not-installed | 2 + patches/CVE-2017-11358-revised.patch | 42 ++++++++++++++++++++++++++++ patches/CVE-2021-23159.patch | 23 +++++++++++++++ patches/CVE-2021-33844.patch | 28 ++++++++++++++++++ patches/CVE-2021-3643.patch | 20 +++++++++++++ patches/CVE-2021-40426.patch | 28 ++++++++++++++++++ patches/CVE-2022-31650.patch | 46 +++++++++++++++++++++++++++++++ patches/CVE-2022-31651.patch | 25 ++++++++++++++++ patches/fix-hcom-big-endian.patch | 46 +++++++++++++++++++++++++++++++ patches/fix-resource-leak-comments.patch | 13 ++++++++ patches/fix-resource-leak-hcom.patch | 45 ++++++++++++++++++++++++++++++ patches/series | 10 ++++++ rules | 6 ++++ 14 files changed, 346 insertions(+) diff -Nru sox-14.4.2+git20190427/debian/changelog sox-14.4.2+git20190427/debian/changelog --- sox-14.4.2+git20190427/debian/changelog 2020-02-09 10:36:08.000000000 +0000 +++ sox-14.4.2+git20190427/debian/changelog 2023-02-17 16:13:54.000000000 +0000 
@@ -1,3 +1,15 @@ +sox (14.4.2+git20190427-2+deb11u1) bullseye-security; urgency=medium + + * CVE-2021-23159 CVE-2021-23172 (Closes: #1021133, #1021134) + * CVE-2021-3643 CVE-2021-23210 (Closes: #1010374) + * CVE-2021-33844 (Closes: #1021135) + * CVE-2021-40426 (Closes: #1012138) + * CVE-2022-31650 (Closes: #1012516) + * CVE-2022-31651 (Closes: #1012516) + * All patches taken from Helmut Grohne's uploads to unstable, thanks! + + -- Moritz Mühlenhoff Fri, 17 Feb 2023 17:13:54 +0100 + sox (14.4.2+git20190427-2) unstable; urgency=medium [ Ondřej Nový ] diff -Nru sox-14.4.2+git20190427/debian/not-installed sox-14.4.2+git20190427/debian/not-installed --- sox-14.4.2+git20190427/debian/not-installed 1970-01-01 00:00:00.000000000 +0000 +++ sox-14.4.2+git20190427/debian/not-installed 2023-02-17 16:13:54.000000000 +0000 @@ -0,0 +1,2 @@ +usr/lib/*/libsox.la +usr/lib/*/sox/libsox_fmt_*.la diff -Nru sox-14.4.2+git20190427/debian/patches/CVE-2017-11358-revised.patch sox-14.4.2+git20190427/debian/patches/CVE-2017-11358-revised.patch --- sox-14.4.2+git20190427/debian/patches/CVE-2017-11358-revised.patch 1970-01-01 00:00:00.000000000 +0000 +++ sox-14.4.2+git20190427/debian/patches/CVE-2017-11358-revised.patch 2023-02-17 16:13:54.000000000 +0000 
@@ -0,0 +1,42 @@ +Replace the old Debian patch CVE-2017-11358 with the upstream patch +from Mans: + +From e410d00c4821726accfbe1f825f2def6376e181f Mon Sep 17 00:00:00 2001 +From: Mans Rullgard +Date: Sun, 5 Nov 2017 16:43:35 +0000 +Subject: [PATCH] hcom: fix crash on input with corrupt dictionary + (CVE-2017-11358) + +--- + src/hcom.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + + +--- sox-14.4.2+git20190427.orig/src/hcom.c ++++ sox-14.4.2+git20190427/src/hcom.c +@@ -73,6 +73,14 @@ typedef struct { + size_t pos; /* Where next byte goes */ + } priv_t; + ++static int dictvalid(int n, int size, int left, int right) ++{ ++ if (n > 0 && left < 0) ++ return 1; ++ ++ return (unsigned)left < size && (unsigned)right < size; ++} ++ + static int startread(sox_format_t * ft) + { + priv_t *p = (priv_t *) ft->priv; +@@ -150,8 +158,8 @@ static int startread(sox_format_t * ft) + lsx_debug("%d %d", + p->dictionary[i].dict_leftson, + p->dictionary[i].dict_rightson); +- if ((unsigned) p->dictionary[i].dict_leftson >= dictsize || +- (unsigned) p->dictionary[i].dict_rightson >= dictsize) { ++ if (!dictvalid(i, dictsize, p->dictionary[i].dict_leftson, ++ p->dictionary[i].dict_rightson)) { + lsx_fail_errno(ft, SOX_EHDR, "Invalid dictionary"); + return SOX_EOF; + } diff -Nru sox-14.4.2+git20190427/debian/patches/CVE-2021-23159.patch sox-14.4.2+git20190427/debian/patches/CVE-2021-23159.patch --- sox-14.4.2+git20190427/debian/patches/CVE-2021-23159.patch 1970-01-01 00:00:00.000000000 +0000 +++ sox-14.4.2+git20190427/debian/patches/CVE-2021-23159.patch 2023-02-17 16:13:54.000000000 +0000 
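Review bot: The patch header says it replaces the old Debian CVE-2017-11358 patch, but the series hunk only appends `CVE-2017-11358-revised.patch` and the diffstat records no deletions, so the old patch stays applied and this one is layered on top of it (the removed `if ((unsigned) p->dictionary[i].dict_leftson >= dictsize ||` lines are the old patch's check). Either drop the old entry from series or reword the description to `Apply the upstream fix for CVE-2017-11358 on top of the earlier Debian patch`. In `dictvalid`, the `n > 0 && left < 0` branch accepts the entry without looking at `right`; presumably a negative left son marks a leaf whose right field is a sample value rather than an index, but nothing in the function says so — suggest `/* Non-root entries with a negative left son are leaves; otherwise both sons must index the dictionary. */` above it, once confirmed against the decoder. `size` is an `int` compared after the `(unsigned)` casts, so a negative `size` would accept every entry; the only caller passes the 16-bit `dictsize`, so this is harmless today but worth stating as a precondition in that comment.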
@@ -0,0 +1,23 @@ +From: Helmut Grohne +Subject: hcom: validate dictsize +Bug: https://sourceforge.net/p/sox/bugs/350/ +Bug: https://sourceforge.net/p/sox/bugs/352/ +Bug-Debian: https://bugs.debian.org/1021133 +Bug-Debian: https://bugs.debian.org/1021134 + +This patch fixes both CVE-2021-23159 and CVE-2021-23172. + +--- a/src/hcom.c ++++ b/src/hcom.c +@@ -141,6 +141,11 @@ + return (SOX_EOF); + } + lsx_readw(ft, &dictsize); ++ if (dictsize == 0 || dictsize > 511) ++ { ++ lsx_fail_errno(ft, SOX_EHDR, "Implausible dictionary size in HCOM header"); ++ return SOX_EOF; ++ } + + /* Translate to sox parameters */ + ft->encoding.encoding = SOX_ENCODING_HCOM; diff -Nru sox-14.4.2+git20190427/debian/patches/CVE-2021-33844.patch sox-14.4.2+git20190427/debian/patches/CVE-2021-33844.patch --- sox-14.4.2+git20190427/debian/patches/CVE-2021-33844.patch 1970-01-01 00:00:00.000000000 +0000 +++ sox-14.4.2+git20190427/debian/patches/CVE-2021-33844.patch 2023-02-17 16:13:54.000000000 +0000 
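Review bot: The bound `dictsize > 511` in the new check is a magic number with no comment saying where it comes from; presumably it is the maximum node count of a Huffman tree over 256 byte values (2*256-1), but a reader of hcom.c cannot tell that from the hunk. Suggest naming it, e.g. `enum { HCOM_MAX_DICTSIZE = 511 }; /* 2*256-1 nodes for a tree over 8-bit samples */`, and using the name in the condition. The preceding `lsx_readw(ft, &dictsize)` still has its return value ignored, so on a truncated header the new validation inspects whatever `dictsize` held before the read; if `lsx_readw` reports short reads, a `if (lsx_readw(ft, &dictsize) != SOX_SUCCESS) return SOX_EOF;` guard would make the check meaningful on truncated input too. `startread` begins and ends outside the hunk.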
@@ -0,0 +1,28 @@ +From: Helmut Grohne +Subject: wav: reject 0 bits per sample to avoid division by zero +Bug: https://sourceforge.net/p/sox/bugs/349/ +Bug-Debian: https://bugs.debian.org/1021135 + +--- a/src/wav.c ++++ b/src/wav.c +@@ -506,7 +506,7 @@ + unsigned short wChannels; /* number of channels */ + uint32_t dwSamplesPerSecond; /* samples per second per channel */ + uint32_t dwAvgBytesPerSec;/* estimate of bytes per second needed */ +- uint16_t wBitsPerSample; /* bits per sample */ ++ uint16_t wBitsPerSample = 0; /* bits per sample */ + uint32_t wFmtSize; + uint16_t wExtSize = 0; /* extended field for non-PCM */ + +@@ -587,6 +587,11 @@ + lsx_readdw(ft, &dwAvgBytesPerSec); /* Average bytes/second */ + lsx_readw(ft, &(wav->blockAlign)); /* Block align */ + lsx_readw(ft, &wBitsPerSample); /* bits per sample per channel */ ++ if (wBitsPerSample == 0) ++ { ++ lsx_fail_errno(ft, SOX_EHDR, "WAV file bits per sample is zero"); ++ return SOX_EOF; ++ } + len -= 16; + + if (wav->formatTag == WAVE_FORMAT_EXTENSIBLE) diff -Nru sox-14.4.2+git20190427/debian/patches/CVE-2021-3643.patch sox-14.4.2+git20190427/debian/patches/CVE-2021-3643.patch --- sox-14.4.2+git20190427/debian/patches/CVE-2021-3643.patch 1970-01-01 00:00:00.000000000 +0000 +++ sox-14.4.2+git20190427/debian/patches/CVE-2021-3643.patch 2023-02-17 16:13:54.000000000 +0000 
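Review bot: The new check rejects only `wBitsPerSample == 0`; if the divisor the subject refers to is derived as bytes per sample (`wBitsPerSample >> 3` or similar), values 1..7 would still produce a zero divisor, so confirm the later division is by bits rather than bytes, or tighten the condition to `wBitsPerSample < 8`. The `= 0` initializer added to the declaration carries no comment; if it is there so that a failed `lsx_readw` (return value still unchecked) leaves a value the check rejects, say so: `uint16_t wBitsPerSample = 0; /* 0 so a short read is rejected below */`. Whether `lsx_readw` leaves its output untouched on failure is not visible in the hunk. The enclosing function starts and ends outside the hunk.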
@@ -0,0 +1,20 @@ +From: Helmut Grohne +Subject: voc: word width should never be 0 to avoid division by zero +Bug: https://sourceforge.net/p/sox/bugs/351/ +Bug-Debian: https://bugs.debian.org/1010374 + +This patch fixes both CVE-2021-3643 and CVE-2021-23210. + +--- a/src/voc.c ++++ b/src/voc.c +@@ -614,6 +614,10 @@ + v->rate = new_rate_32; + ft->signal.rate = new_rate_32; + lsx_readb(ft, &uc); ++ if (uc <= 1) { ++ lsx_fail_errno(ft, SOX_EFMT, "2 bits per word required"); ++ return (SOX_EOF); ++ } + v->size = uc; + lsx_readb(ft, &(v->channels)); + lsx_readw(ft, &(v->format)); /* ANN: added format */ diff -Nru sox-14.4.2+git20190427/debian/patches/CVE-2021-40426.patch sox-14.4.2+git20190427/debian/patches/CVE-2021-40426.patch --- sox-14.4.2+git20190427/debian/patches/CVE-2021-40426.patch 1970-01-01 00:00:00.000000000 +0000 +++ sox-14.4.2+git20190427/debian/patches/CVE-2021-40426.patch 2023-02-17 16:13:54.000000000 +0000 
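Review bot: The subject says the word width must not be 0, but the new condition `uc <= 1` also rejects 1 and the message `"2 bits per word required"` does not say why; without a comment a later maintainer may well "fix" it back to `uc == 0`. Suggest `/* 0 and 1 both collapse to a zero byte width downstream; reject before v->size is used as a divisor */` above the check, adjusted to whatever the actual downstream use is — presumably a bits-to-bytes conversion, but that is not visible here. The enclosing function continues outside the hunk, so the other uses of `v->size` cannot be checked from this view.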
@@ -0,0 +1,28 @@ +From: Helmut Grohne +Subject: sphere: avoid integer underflow +Link: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1434 +Bug: https://sourceforge.net/p/sox/bugs/362/ +Bug-Debian: https://bugs.debian.org/1012138 + +--- a/src/sphere.c ++++ b/src/sphere.c +@@ -63,7 +63,8 @@ + return (SOX_EOF); + } + +- header_size -= (strlen(buf) + 1); ++ bytes_read = strlen(buf); ++ header_size -= bytes_read >= header_size ? header_size : bytes_read + 1; + + while (strncmp(buf, "end_head", (size_t)8) != 0) { + if (strncmp(buf, "sample_n_bytes", (size_t)14) == 0) +@@ -105,7 +106,8 @@ + return (SOX_EOF); + } + +- header_size -= (strlen(buf) + 1); ++ bytes_read = strlen(buf); ++ header_size -= bytes_read >= header_size ? header_size : bytes_read + 1; + } + + if (!bytes_per_sample) diff -Nru sox-14.4.2+git20190427/debian/patches/CVE-2022-31650.patch sox-14.4.2+git20190427/debian/patches/CVE-2022-31650.patch --- sox-14.4.2+git20190427/debian/patches/CVE-2022-31650.patch 1970-01-01 00:00:00.000000000 +0000 +++ sox-14.4.2+git20190427/debian/patches/CVE-2022-31650.patch 2023-02-17 16:13:54.000000000 +0000 
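Review bot: The clamp `header_size -= bytes_read >= header_size ? header_size : bytes_read + 1;` now appears in two places with no comment, and `bytes_read` is not declared in either hunk, so it is assumed to be an existing local of the same type as `header_size`; if their signedness differs the `>=` is promoted to unsigned and `-Wsign-compare` should confirm they match. Factoring the clamp into a small helper such as `static size_t consume_header(size_t remaining, size_t linelen)` would keep the two sites from drifting and give a home for the comment `/* charge the line plus its terminator against the header budget; never let it underflow */`. Once the budget reaches 0 the `while (strncmp(buf, "end_head", ...))` loop still continues, so whatever reads the next line into `buf` must stop on a zero `header_size`; that read is outside the hunk and should be checked. `startread` begins and ends outside the hunk.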
@@ -0,0 +1,46 @@ +From: Helmut Grohne +Subject: formats+aiff: reject implausibly large number of channels +Bug: https://sourceforge.net/p/sox/bugs/360/ +Bug-Debian: https://bugs.debian.org/1012516 + +--- a/src/formats_i.c ++++ b/src/formats_i.c +@@ -19,6 +19,7 @@ + */ + + #include "sox_i.h" ++#include + #include + #include + #include +@@ -60,9 +61,14 @@ + if (ft->seekable) + ft->data_start = lsx_tell(ft); + +- if (channels && ft->signal.channels && ft->signal.channels != channels) ++ if (channels && ft->signal.channels && ft->signal.channels != channels) { + lsx_warn("`%s': overriding number of channels", ft->filename); +- else ft->signal.channels = channels; ++ } else if (channels > SHRT_MAX) { ++ lsx_fail_errno(ft, EINVAL, "implausibly large number of channels"); ++ return SOX_EOF; ++ } else { ++ ft->signal.channels = channels; ++ } + + if (rate && ft->signal.rate && ft->signal.rate != rate) + lsx_warn("`%s': overriding sample rate", ft->filename); +--- sox-14.4.2+git20190427.orig/src/aiff.c ++++ sox-14.4.2+git20190427/src/aiff.c +@@ -609,6 +609,11 @@ + At 48 kHz, 16 bits stereo, this gives ~3 hours of audio. + Sorry, the AIFF format does not provide for an indefinite + number of samples. */ ++ if (ft->signal.channels >= (0x7f000000 / (ft->encoding.bits_per_sample >> 3))) ++ { ++ lsx_fail_errno(ft, SOX_EOF, "too many channels for AIFF header"); ++ return SOX_EOF; ++ } + return(aiffwriteheader(ft, (uint64_t) 0x7f000000 / ((ft->encoding.bits_per_sample>>3)*ft->signal.channels))); + } + diff -Nru sox-14.4.2+git20190427/debian/patches/CVE-2022-31651.patch sox-14.4.2+git20190427/debian/patches/CVE-2022-31651.patch --- sox-14.4.2+git20190427/debian/patches/CVE-2022-31651.patch 1970-01-01 00:00:00.000000000 +0000 +++ sox-14.4.2+git20190427/debian/patches/CVE-2022-31651.patch 2023-02-17 16:13:54.000000000 +0000 
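Review bot: The new aiff.c guard divides by `ft->encoding.bits_per_sample >> 3` itself, so a bits_per_sample below 8 makes the guard, not only the original expression, divide by zero; unless AIFF encodings are validated to be at least 8 bits before this point (not visible in the hunk), the condition needs `ft->encoding.bits_per_sample < 8 ||` in front of it. The error is reported with `SOX_EOF` as the errno argument, while the formats_i.c hunk in the same patch uses `EINVAL` and the other patches use `SOX_EHDR`/`SOX_EFMT`; `SOX_EOF` is a return status rather than an error code, so `lsx_fail_errno(ft, SOX_EFMT, "too many channels for AIFF header")` would be consistent and produce a meaningful strerror. The added `#include` line in formats_i.c shows no header name in this rendering; it is presumably `<limits.h>` for `SHRT_MAX`, and `EINVAL` additionally relies on `<errno.h>` already being included. Both enclosing functions start and end outside the hunks.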
@@ -0,0 +1,25 @@ +From: Helmut Grohne +Subject: formats: reject implausible rate +Bug: https://sourceforge.net/p/sox/bugs/360/ +Bug-Debian: https://bugs.debian.org/1012516 + +--- a/src/formats_i.c ++++ b/src/formats_i.c +@@ -70,9 +70,15 @@ + ft->signal.channels = channels; + } + +- if (rate && ft->signal.rate && ft->signal.rate != rate) ++ if (rate && ft->signal.rate && ft->signal.rate != rate) { + lsx_warn("`%s': overriding sample rate", ft->filename); +- else ft->signal.rate = rate; ++ /* Since NaN comparisons yield false, the negation rejects them. */ ++ } else if (!(rate > 0)) { ++ lsx_fail_errno(ft, EINVAL, "invalid rate value"); ++ return SOX_EOF; ++ } else { ++ ft->signal.rate = rate; ++ } + + if (encoding && ft->encoding.encoding && ft->encoding.encoding != encoding) + lsx_warn("`%s': overriding encoding type", ft->filename); diff -Nru sox-14.4.2+git20190427/debian/patches/fix-hcom-big-endian.patch sox-14.4.2+git20190427/debian/patches/fix-hcom-big-endian.patch --- sox-14.4.2+git20190427/debian/patches/fix-hcom-big-endian.patch 1970-01-01 00:00:00.000000000 +0000 +++ sox-14.4.2+git20190427/debian/patches/fix-hcom-big-endian.patch 2023-02-17 16:13:54.000000000 +0000 
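Review bot: `!(rate > 0)` rejects NaN, zero and negative rates but lets `+Inf` through, and an infinite `double` rate is just as implausible and is undefined behaviour to convert to an integer later; `} else if (!(rate > 0) || rate > DBL_MAX) {` (with `<float.h>`, true only for +Inf) or `isinf(rate)` (with `<math.h>`) would close that gap, subject to which header formats_i.c already includes. The explanatory comment `/* Since NaN comparisons yield false, the negation rejects them. */` sits inside the warning branch before its closing `} else if`, where it reads as a comment on the `lsx_warn`; move it onto the `else if` line or directly above the `lsx_fail_errno`. The enclosing function starts and ends outside the hunk.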
@@ -0,0 +1,46 @@ +From 18d2609a2362a43928d45bbd806b17ebd7fa8eb8 Mon Sep 17 00:00:00 2001 +From: Mans Rullgard +Date: Sat, 28 Apr 2018 18:53:46 +0100 +Subject: [PATCH] hcom: fix pointer type confusion [bug #308] + +The compress() call fails on big endian systems with size_t bigger +than int32_t. Fix by using the correct types. +--- + src/hcom.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +From 998208fd1c18fcbbf2a5bcabdbcec72649cfc387 Mon Sep 17 00:00:00 2001 +From: Mans Rullgard +Date: Thu, 27 Aug 2015 16:57:26 +0100 +Subject: [PATCH] hcom: fix double free on writing zero-length file + +--- + src/hcom.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/hcom.c b/src/hcom.c +index f7c88d07..00653ed9 100644 +--- a/src/hcom.c ++++ b/src/hcom.c +@@ -441,13 +441,14 @@ static int stopwrite(sox_format_t * ft) + { + priv_t *p = (priv_t *) ft->priv; + unsigned char *compressed_data = p->data; +- size_t compressed_len = p->pos; ++ int32_t compressed_len = p->pos; + int rc = SOX_SUCCESS; + + /* Compress it all at once */ +- if (compressed_len) +- compress(ft, &compressed_data, (int32_t *)&compressed_len); +- free(p->data); ++ if (compressed_len) { ++ compress(ft, &compressed_data, &compressed_len); ++ free(p->data); ++ } + + /* Write the header */ + lsx_writebuf(ft, "\000\001A", (size_t) 3); /* Dummy file name "A" */ +-- +2.39.1 + diff -Nru sox-14.4.2+git20190427/debian/patches/fix-resource-leak-comments.patch sox-14.4.2+git20190427/debian/patches/fix-resource-leak-comments.patch --- sox-14.4.2+git20190427/debian/patches/fix-resource-leak-comments.patch 1970-01-01 00:00:00.000000000 +0000 +++ sox-14.4.2+git20190427/debian/patches/fix-resource-leak-comments.patch 2023-02-17 16:13:54.000000000 +0000 
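Review bot: `int32_t compressed_len = p->pos;` silently narrows a `size_t`; a buffer of 2 GiB or more would wrap to a negative or truncated length handed to `compress`, and nothing in the hunk bounds `p->pos`. Either check before narrowing, `if (p->pos > INT32_MAX) { lsx_fail_errno(ft, SOX_EFMT, "HCOM data too large"); return SOX_EOF; }`, or leave a comment stating why the write path cannot accumulate that much (which cannot be confirmed from the hunk). The patch file also carries two upstream commit headers, each with its own diffstat, but a single squashed hunk, so the per-commit `1 file changed` lines no longer describe the diff that follows; a one-line note such as `Both upstream commits are squashed into the single hunk below.` would avoid confusion when the patch is refreshed. Whether `p->data` is released later through `compressed_data` in the zero-length case is outside the hunk, so the double-free reasoning is taken from the subject line only.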
@@ -0,0 +1,13 @@ +From: Helmut Grohne +Subject: fix a resource leak of comments on input parsing failure + +--- a/src/formats.c ++++ b/src/formats.c +@@ -572,6 +572,7 @@ error: + free(ft->priv); + free(ft->filename); + free(ft->filetype); ++ sox_delete_comments(&ft->oob.comments); + free(ft); + return NULL; + } diff -Nru sox-14.4.2+git20190427/debian/patches/fix-resource-leak-hcom.patch sox-14.4.2+git20190427/debian/patches/fix-resource-leak-hcom.patch --- sox-14.4.2+git20190427/debian/patches/fix-resource-leak-hcom.patch 1970-01-01 00:00:00.000000000 +0000 +++ sox-14.4.2+git20190427/debian/patches/fix-resource-leak-hcom.patch 2023-02-17 16:13:54.000000000 +0000 
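Review bot: `sox_delete_comments(&ft->oob.comments)` now runs on every path that reaches `error:`, including failures before any comment was parsed, so it relies on the helper tolerating an empty or NULL comment list; libsox's implementation appears to, but that is not visible here, and a short `/* safe on an empty list */` comment or an `if (ft->oob.comments)` guard would record the assumption. The rest of the cleanup (`ft->priv`, `ft->filename`, `ft->filetype`) is unchanged and the enclosing function starts outside the hunk.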
@@ -0,0 +1,45 @@ +From: Helmut Grohne +Subject: hcom: fix dictionary resource leaks + +startread and stopread should release p->dictionary in all failure modes. + +--- a/src/hcom.c ++++ b/src/hcom.c +@@ -160,13 +160,18 @@ + p->dictionary[i].dict_rightson); + if (!dictvalid(i, dictsize, p->dictionary[i].dict_leftson, + p->dictionary[i].dict_rightson)) { ++ free(p->dictionary); ++ p->dictionary = NULL; + lsx_fail_errno(ft, SOX_EHDR, "Invalid dictionary"); + return SOX_EOF; + } + } + rc = lsx_skipbytes(ft, (size_t) 1); /* skip pad byte */ +- if (rc) ++ if (rc) { ++ free(p->dictionary); ++ p->dictionary = NULL; + return rc; ++ } + + /* Initialized the decompression engine */ + p->checksum = checksum; +@@ -248,6 +253,8 @@ + { + register priv_t *p = (priv_t *) ft->priv; + ++ free(p->dictionary); ++ p->dictionary = NULL; + if (p->huffcount != 0) + { + lsx_fail_errno(ft,SOX_EFMT,"not all HCOM data read"); +@@ -258,8 +265,6 @@ + lsx_fail_errno(ft,SOX_EFMT,"checksum error in HCOM data"); + return (SOX_EOF); + } +- free(p->dictionary); +- p->dictionary = NULL; + return (SOX_SUCCESS); + } + diff -Nru sox-14.4.2+git20190427/debian/patches/series sox-14.4.2+git20190427/debian/patches/series --- sox-14.4.2+git20190427/debian/patches/series 2020-02-09 10:31:44.000000000 +0000 +++ sox-14.4.2+git20190427/debian/patches/series 2023-02-17 16:13:54.000000000 +0000 @@ -16,3 +16,13 @@ 0018-CVE-2019-8356.patch 0019-CVE-2019-8357.patch 0020-CVE-2019-13590.patch +CVE-2017-11358-revised.patch +CVE-2021-23159.patch +CVE-2021-33844.patch +CVE-2021-3643.patch +CVE-2021-40426.patch +CVE-2022-31650.patch +CVE-2022-31651.patch +fix-hcom-big-endian.patch +fix-resource-leak-comments.patch +fix-resource-leak-hcom.patch diff -Nru sox-14.4.2+git20190427/debian/rules sox-14.4.2+git20190427/debian/rules --- sox-14.4.2+git20190427/debian/rules 2020-02-09 10:31:44.000000000 +0000 +++ sox-14.4.2+git20190427/debian/rules 2023-02-17 16:13:54.000000000 +0000 
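Review bot: The `startread` hunk now repeats the pair `free(p->dictionary); p->dictionary = NULL;` at two error exits, and any failure path between the dictionary allocation and these checks that lies outside the hunk (for example a short read while filling the table) still leaks; a single cleanup label at the end of `startread` — `fail:` / `free(p->dictionary); p->dictionary = NULL;` / `return rc;` — reached by `rc = SOX_EOF; goto fail;` at the `lsx_fail_errno` site and `if (rc) goto fail;` after `lsx_skipbytes` would cover every exit, current and future. In `stopread`, hoisting the free above the `huffcount` and checksum tests is safe as far as the visible lines go, since neither test reads the dictionary, but a comment such as `/* release the dictionary first so the error returns below cannot leak it */` would explain the otherwise odd ordering. Both functions start and end outside the hunk, so the allocation site and the tail of `startread` are not visible.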
@@ -6,6 +6,12 @@ export DEB_BUILD_MAINT_OPTIONS = hardening=+all export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed +# Ignore test failure on mipsen, see #1030674 +IGNORE_TEST_FAILURE= +ifneq (,$(filter mips%,$(DEB_BUILD_ARCH))) + IGNORE_TEST_FAILURE=- +endif + %: dh $@
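Review bot: `IGNORE_TEST_FAILURE` is defined (set to `-` on mips) but nothing in this debdiff uses it — the diffstat reports six insertions for `rules`, all in this hunk, and there is no `override_dh_auto_test` referencing the variable — so the mips test failures the comment points to are not actually ignored. The intended use is presumably `override_dh_auto_test:` followed by the recipe line `$(IGNORE_TEST_FAILURE)dh_auto_test`, which should be part of the same change. With only the `%:` catch-all present, `dh_auto_test` keeps running unchanged on every architecture.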