oss-sec mailing list archives

Re: sox: patches for old vulnerabilities


From: Helmut Grohne <helmut () subdivi de>
Date: Tue, 14 Mar 2023 12:01:38 +0100

On Fri, Feb 03, 2023 at 09:44:47PM +0100, Helmut Grohne wrote:
 * CVE-2021-33844

The original fix for this issue would cause a regression. After applying
it, sox would be unable to decode WAV GSM files. This has been reported
as https://bugs.debian.org/1032082. I am attaching an updated patch that
fixes this regression. It is meant to replace the previous patch. The
updated patch includes a regression test case to avoid repeating the
mistake.

I see that most distributions (e.g. RedHat, SUSE, Gentoo, etc.) have not
picked up the faulty patch. Ubuntu inherited it from Debian and will
likely inherit the fix as it gets fixed in Debian releases.

Helmut

Attachment: CVE-2021-33844.patch