oss-sec mailing list archives
sox: patches for old vulnerabilities
From: Helmut Grohne <helmut () subdivi de>
Date: Fri, 3 Feb 2023 21:44:47 +0100
Hi, I am working on fixing known vulnerabilities in sox and since upstream seems mostly dead (no commits in more than a year, no replies to bug reports), I am posting my results here. My work on sox is compensated by Freexian SARL. I located two distinct memory leaks. The fix for CVE-2017-11358 introduced a regression. Reading any hcom file would result in an error. This made the test suite fail, but since nobody seems to run the test suite, this ended up being shipped in e.g. multiple Debian releases. On 64bit big endian systems, a 64bit integer is incorrectly truncated to the upper 32bits. This subsequently causes an assertion failure or a stack overflow in a -DNDEBUG build. This issue also breaks the test suite. I do not think that this is exploitable and do not intend to request a CVE. I'm attaching patches for these as well as patches for the following vulnerabilities: * CVE-2021-3643 and CVE-2021-23210 * CVE-2021-23159 and CVE-2021-23172 * CVE-2021-33844 * CVE-2021-40426 * CVE-2022-31650 * CVE-2022-31651 I welcome reviews and propose adding these patches to distributions that ship sox. I will upload these patches to Debian. Please Cc me in replies. Helmut
Attachment:
fix-resource-leak-comments.patch
Description:
Attachment:
fix-resource-leak-hcom.patch
Description:
Attachment:
fix-regression-in-CVE-2017-11358.patch
Description:
Attachment:
fix-hcom-big-endian.patch
Description:
Attachment:
CVE-2021-23159.patch
Description:
Attachment:
CVE-2021-33844.patch
Description:
Attachment:
CVE-2021-3643.patch
Description:
Attachment:
CVE-2021-40426.patch
Description:
Attachment:
CVE-2022-31650.patch
Description:
Attachment:
CVE-2022-31651.patch
Description:
Current thread:
- sox: patches for old vulnerabilities Helmut Grohne (Feb 03)
- Re: sox: patches for old vulnerabilities Steffen Nurpmeso (Feb 04)
- Re: sox: patches for old vulnerabilities Helmut Grohne (Mar 14)
- Re: Re: sox: patches for old vulnerabilities Steffen Nurpmeso (Mar 14)
- Re: Re: sox: patches for old vulnerabilities Steffen Nurpmeso (Mar 14)
- Re: Re: sox: patches for old vulnerabilities Steffen Nurpmeso (Mar 30)
- Re: Re: sox: patches for old vulnerabilities Nam Nguyen (Mar 31)
- Re: Re: sox: patches for old vulnerabilities Steffen Nurpmeso (Mar 31)
- Re: Re: sox: patches for old vulnerabilities Steffen Nurpmeso (Mar 14)