oss-sec mailing list archives

Re: Re: sox: patches for old vulnerabilities

From: Steffen Nurpmeso <steffen () sdaoden eu>
Date: Tue, 14 Mar 2023 20:11:32 +0100

Hello and greetings.

Helmut Grohne wrote in
 <20230314110138.GA1192267 () subdivi de>:
 |On Fri, Feb 03, 2023 at 09:44:47PM +0100, Helmut Grohne wrote:
 |>  * CVE-2021-33844
 |
 |The original fix for this issue would cause a regression. After applying
 |it, sox would be unable to decode WAV GSM files. This has been reported
 ...
 |I see that most distributions (e.g. RedHat, SUSE, Gentoo, etc.) have not
 |picked up the faulty patch. Ubuntu inherited it from Debian and will
 |likely inherit the fix as it gets fixed in Debian releases.

You have chosen not to update to latest possible git(?).

  ...
 |From: Helmut Grohne <helmut () subdivi de>
 |Subject: wav: reject 0 bits per sample to avoid division by zero
 |Bug: https://sourceforge.net/p/sox/bugs/349/
 |Bug-Debian: https://bugs.debian.org/1021135
 ...
 |--- a/src/wav.c
 |+++ b/src/wav.c
 ...
 |     default:
 |+        if (ft->encoding.bits_per_sample == 0)
 |+        {
 |+            lsx_fail_errno(ft, SOX_EHDR, "WAV file bits per sample \
 |is zero");
 |+            return SOX_EOF;
 |+        }


Now, latest git removed support for built-in GSM, and i am too
lazy and angry (do not get me started on Microsoft and OAuth for
a normal "app" that is to read mail, they now no longer accept
simple token refresh but with re-authenticating a 1024 or so bit
password after 3600 seconds, and then fail to accept SMTP even
though it is included, POP3 is not there anyway even though
announced, but IMAP is right -- is anybody here??  But that is
off-topic; just like my single-line graylister fix to support
verbose logs in non-development code, sic) to check it.

_But_ .. "default" is mysterious, there is WAVE_FORMAT_GSM610
right above, and it is optional in latest git, which does not even
support the "default:" label.
How can you reach "default:", thus?

 |         wav->numSamples = div_bits(qwDataLength, ft->encoding.bits_per_sam\
 |         ple) / ft->signal.channels;
 |         ft->signal.length = wav->numSamples * ft->signal.channels;
 |}

 --End of <20230314110138.GA1192267 () subdivi de>

Subdivision is a top-modern song of Rush, no?

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)

Current thread:

sox: patches for old vulnerabilities Helmut Grohne (Feb 03)
- Re: sox: patches for old vulnerabilities Steffen Nurpmeso (Feb 04)
- Re: sox: patches for old vulnerabilities Helmut Grohne (Mar 14)
  - Re: Re: sox: patches for old vulnerabilities Steffen Nurpmeso (Mar 14)
    - Re: Re: sox: patches for old vulnerabilities Steffen Nurpmeso (Mar 14)
    - Re: Re: sox: patches for old vulnerabilities Steffen Nurpmeso (Mar 30)
    - Re: Re: sox: patches for old vulnerabilities Nam Nguyen (Mar 31)
    - Re: Re: sox: patches for old vulnerabilities Steffen Nurpmeso (Mar 31)