Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package sox for openSUSE:Factory checked in 
at 2023-10-25 18:04:39
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sox (Old)
 and      /work/SRC/openSUSE:Factory/.sox.new.24901 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "sox"

Wed Oct 25 18:04:39 2023 rev:46 rq:1120235 version:14.4.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/sox/sox.changes  2023-09-02 22:08:24.804893904 
+0200
+++ /work/SRC/openSUSE:Factory/.sox.new.24901/sox.changes       2023-10-25 
18:05:24.471659626 +0200
@@ -1,0 +2,16 @@
+Wed Oct 25 11:26:52 UTC 2023 - Takashi Iwai <ti...@suse.com>
+
+- Apply various fix patches taken from Debian package;
+  it fixes also other entries (CVE-2022-31650 bsc#1212060
+  CVE-2023-34318 bsc#1212062 CVE-2023-34432 bsc#1212063):
+  CVE-2019-13590.patch
+  CVE-2021-3643.patch
+  CVE-2021-23159.patch
+  CVE-2021-33844.patch
+  CVE-2021-40426.patch
+  CVE-2022-31650.patch
+  CVE-2022-31651.patch
+- Fix floating point exception in src/voc.c (CVE-2023-32627 bsc#1212061):
+  CVE-2023-32627.patch
+
+-------------------------------------------------------------------

New:
----
  CVE-2019-13590.patch
  CVE-2021-23159.patch
  CVE-2021-33844.patch
  CVE-2021-3643.patch
  CVE-2021-40426.patch
  CVE-2022-31650.patch
  CVE-2022-31651.patch
  CVE-2023-32627.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ sox.spec ++++++
--- /var/tmp/diff_new_pack.awDFDV/_old  2023-10-25 18:05:25.819704963 +0200
+++ /var/tmp/diff_new_pack.awDFDV/_new  2023-10-25 18:05:25.819704963 +0200
@@ -21,7 +21,7 @@
 Version:        14.4.2
 Release:        0
 Summary:        Sound Conversion Tools
-License:        LGPL-2.1-or-later AND GPL-2.0-or-later
+License:        GPL-2.0-or-later AND LGPL-2.1-or-later
 URL:            https://sox.sourceforge.net
 Source0:        
http://downloads.sourceforge.net/project/sox/sox/%{version}/%{name}-%{version}.tar.bz2
 Patch0:         CVE-2017-11332.patch
@@ -32,6 +32,14 @@
 Patch5:         CVE-2017-15370.patch
 Patch6:         CVE-2017-15372.patch
 Patch7:         CVE-2017-18189.patch
+Patch8:         CVE-2019-13590.patch
+Patch9:         CVE-2021-3643.patch
+Patch10:        CVE-2021-23159.patch
+Patch11:        CVE-2021-33844.patch
+Patch12:        CVE-2021-40426.patch
+Patch13:        CVE-2022-31650.patch
+Patch14:        CVE-2022-31651.patch
+Patch15:        CVE-2023-32627.patch
 BuildRequires:  file-devel
 BuildRequires:  ladspa-devel
 BuildRequires:  libgsm-devel
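Review bot: The hunk declares Patch8 through Patch15, but the `%prep` lines that apply them are outside the hunk, so it cannot be confirmed here that each new patch is actually applied; verify that `%prep` covers all eight (either `%autopatch -p1` or one `%patch` line per new entry), since a declared-but-unapplied patch leaves the spec claiming a fix the binary does not carry. The patch files use mixed path prefixes — `a/src/...` in most hunks and `sox-14.4.2+git20190427.orig/src/aiff.c` in CVE-2022-31650.patch — which both strip cleanly at `-p1` but would fail at any other strip level, so the `%prep` invocation should use `-p1` uniformly.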

++++++ CVE-2019-13590.patch ++++++
>From 7b6a889217d62ed7e28188621403cc7542fd1f7e Mon Sep 17 00:00:00 2001
From: Mans Rullgard <m...@mansr.com>
Date: Tue, 4 Feb 2020 12:55:18 +0000
Subject: [PATCH] sox-fmt: validate comments_bytes before use (CVE-2019-13590)
 [bug #325]

Cap the comments size to 1 GB to avoid overflows in subsequent
arithmetic.

The missing null check mentioned in the bug report is bogus since
lsx_calloc() returns a valid pointer or aborts.
---
 src/sox-fmt.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/sox-fmt.c b/src/sox-fmt.c
index aad965cd..11c88771 100644
--- a/src/sox-fmt.c
+++ b/src/sox-fmt.c
@@ -46,7 +46,9 @@ static int startread(sox_format_t * ft)
       lsx_readdw(ft, &comments_bytes))
     return SOX_EOF;
 
-  if (((headers_bytes + 4) & 7) || headers_bytes < FIXED_HDR + comments_bytes 
||
+  if (((headers_bytes + 4) & 7) ||
+      comments_bytes > 0x40000000 || /* max 1 GB */
+      headers_bytes < FIXED_HDR + comments_bytes ||
       (num_channels > 65535)) /* Reserve top 16 bits */ {
     lsx_fail_errno(ft, SOX_EHDR, "invalid sox file format header");
     return SOX_EOF;
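Review bot: The new bound `comments_bytes > 0x40000000` is a bare literal explained only by a trailing comment, while the other limits in this condition (`FIXED_HDR`, the reserved top 16 bits) are named or explained; a file-scope `enum { MAX_COMMENTS_BYTES = 0x40000000 }; /* 1 GB cap so FIXED_HDR + comments_bytes cannot wrap */` and `comments_bytes > MAX_COMMENTS_BYTES ||` in the condition would record at the check itself the reason the commit message gives for the cap. The types of `headers_bytes` and `comments_bytes` are declared outside the hunk, so whether the sum can wrap without this cap cannot be confirmed from here. `startread` continues outside the hunk.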
-- 
2.39.1


++++++ CVE-2021-23159.patch ++++++
From: Helmut Grohne <hel...@subdivi.de>
Subject: hcom: validate dictsize
Bug: https://sourceforge.net/p/sox/bugs/350/
Bug: https://sourceforge.net/p/sox/bugs/352/
Bug-Debian: https://bugs.debian.org/1021133
Bug-Debian: https://bugs.debian.org/1021134

This patch fixes both CVE-2021-23159 and CVE-2021-23172.

--- a/src/hcom.c
+++ b/src/hcom.c
@@ -141,6 +141,11 @@
                 return (SOX_EOF);
         }
         lsx_readw(ft, &dictsize);
+        if (dictsize == 0 || dictsize > 511)
+        {
+                lsx_fail_errno(ft, SOX_EHDR, "Implausible dictionary size in 
HCOM header");
+                return SOX_EOF;
+        }
 
         /* Translate to sox parameters */
         ft->encoding.encoding = SOX_ENCODING_HCOM;
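Review bot: The return value of `lsx_readw(ft, &dictsize)` on the line just above the new check is ignored, so on a short read the range check operates on whatever `dictsize` held before; its declaration is outside the hunk, and if it is uninitialised that is an indeterminate value. The sox-fmt.c patch on this page checks `lsx_readdw()` in the same situation, so the same shape fits here: `if (lsx_readw(ft, &dictsize) || dictsize == 0 || dictsize > 511)`. The upper bound 511 is also unexplained in the hunk; a comment naming the dictionary array whose capacity it reflects would help the next reader. The enclosing function starts and ends outside the hunk.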

++++++ CVE-2021-33844.patch ++++++
From: Helmut Grohne <hel...@subdivi.de>
Subject: wav: reject 0 bits per sample to avoid division by zero
Bug: https://sourceforge.net/p/sox/bugs/349/
Bug-Debian: https://bugs.debian.org/1021135

---
 src/testall.sh |    1 +
 src/wav.c      |    7 ++++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

--- a/src/wav.c
+++ b/src/wav.c
@@ -506,7 +506,7 @@ static int startread(sox_format_t * ft)
     unsigned short wChannels;       /* number of channels */
     uint32_t      dwSamplesPerSecond; /* samples per second per channel */
     uint32_t      dwAvgBytesPerSec;/* estimate of bytes per second needed */
-    uint16_t wBitsPerSample;  /* bits per sample */
+    uint16_t wBitsPerSample = 0;  /* bits per sample */
     uint32_t wFmtSize;
     uint16_t wExtSize = 0;    /* extended field for non-PCM */
 
@@ -954,6 +954,11 @@ static int startread(sox_format_t * ft)
         break;
 
     default:
+        if (ft->encoding.bits_per_sample == 0)
+        {
+            lsx_fail_errno(ft, SOX_EHDR, "WAV file bits per sample is zero");
+            return SOX_EOF;
+        }
         wav->numSamples = div_bits(qwDataLength, ft->encoding.bits_per_sample) 
/ ft->signal.channels;
         ft->signal.length = wav->numSamples * ft->signal.channels;
     }
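Review bot: The new zero check guards only `bits_per_sample` inside `div_bits()`, while the same statement then divides by `ft->signal.channels`, which is not checked in this hunk; if the channel count comes from the header (`wChannels` is declared in the hunk above) and can be zero, the same division fault remains — verify it is rejected earlier in `startread` (outside the hunk). The check also sits only in the `default:` case, so any other case of this `switch` that uses `bits_per_sample` as a divisor is not covered; a single check before the `switch` would be more robust than a per-case one. `startread` continues outside the hunk.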
--- a/src/testall.sh
+++ b/src/testall.sh
@@ -67,3 +67,4 @@ t voc
 t vox -r 8130
 t wav
 t wve
+t wav -e gsm-full-rate

++++++ CVE-2021-3643.patch ++++++
From: Helmut Grohne <hel...@subdivi.de>
Subject: voc: word width should never be 0 to avoid division by zero
Bug: https://sourceforge.net/p/sox/bugs/351/
Bug-Debian: https://bugs.debian.org/1010374

This patch fixes both CVE-2021-3643 and CVE-2021-23210.

--- a/src/voc.c
+++ b/src/voc.c
@@ -614,6 +614,10 @@
         v->rate = new_rate_32;
         ft->signal.rate = new_rate_32;
         lsx_readb(ft, &uc);
+        if (uc <= 1) {
+          lsx_fail_errno(ft, SOX_EFMT, "2 bits per word required");
+          return (SOX_EOF);
+        }
         v->size = uc;
         lsx_readb(ft, &(v->channels));
         lsx_readw(ft, &(v->format));    /* ANN: added format */
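Review bot: The message `"2 bits per word required"` reads as if exactly 2 bits were required, whereas the check `uc <= 1` rejects only 0 and 1; `"at least 2 bits per word required"` says what the code does. Only the lower bound is validated here: the CVE-2023-32627 hunk on this page later computes `6 - v->size` from this same field, which suggests an expected upper bound as well — worth confirming against the format and, if so, rejecting it in the same check (e.g. `if (uc <= 1 || uc > VOC_MAX_WORD_BITS)` with `VOC_MAX_WORD_BITS` a placeholder for whatever the format actually allows). The enclosing function starts and ends outside the hunk.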

++++++ CVE-2021-40426.patch ++++++
From: Helmut Grohne <hel...@subdivi.de>
Subject: sphere: avoid integer underflow
Link: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1434
Bug: https://sourceforge.net/p/sox/bugs/362/
Bug-Debian: https://bugs.debian.org/1012138

--- a/src/sphere.c
+++ b/src/sphere.c
@@ -63,7 +63,8 @@
     return (SOX_EOF);
   }
 
-  header_size -= (strlen(buf) + 1);
+  bytes_read = strlen(buf);
+  header_size -= bytes_read >= header_size ? header_size : bytes_read + 1;
 
   while (strncmp(buf, "end_head", (size_t)8) != 0) {
     if (strncmp(buf, "sample_n_bytes", (size_t)14) == 0)
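Review bot: The clamped subtraction `header_size -= bytes_read >= header_size ? header_size : bytes_read + 1;` is duplicated verbatim in this hunk and in the one at line 106, and it silently drives `header_size` to zero when a header line is longer than the remaining header instead of treating that as a malformed header; the loop below continues on `strncmp(buf, "end_head", (size_t)8) != 0` alone, so unless a `header_size == 0` test exists outside the hunk, reading simply continues past the declared header length. Both sites would be clearer as one `static` helper, e.g. `static int consume_header_line(size_t *header_size, const char *buf)`, which can also return an error when the line does not fit if rejecting is acceptable to the format. The declarations of `bytes_read` and `header_size` are outside the hunk, so the signedness of the `>=` comparison should be checked there. The enclosing function starts and ends outside the hunk.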
@@ -105,7 +106,8 @@
       return (SOX_EOF);
     }
 
-    header_size -= (strlen(buf) + 1);
+    bytes_read = strlen(buf);
+    header_size -= bytes_read >= header_size ? header_size : bytes_read + 1;
   }
 
   if (!bytes_per_sample)

++++++ CVE-2022-31650.patch ++++++
From: Helmut Grohne <hel...@subdivi.de>
Subject: formats+aiff: reject implausibly large number of channels
Bug: https://sourceforge.net/p/sox/bugs/360/
Bug-Debian: https://bugs.debian.org/1012516

--- a/src/formats_i.c
+++ b/src/formats_i.c
@@ -19,6 +19,7 @@
  */
 
 #include "sox_i.h"
+#include <limits.h>
 #include <string.h>
 #include <sys/stat.h>
 #include <stdarg.h>
@@ -60,9 +61,14 @@
   if (ft->seekable)
     ft->data_start = lsx_tell(ft);
 
-  if (channels && ft->signal.channels && ft->signal.channels != channels)
+  if (channels && ft->signal.channels && ft->signal.channels != channels) {
     lsx_warn("`%s': overriding number of channels", ft->filename);
-  else ft->signal.channels = channels;
+  } else if (channels > SHRT_MAX) {
+    lsx_fail_errno(ft, EINVAL, "implausibly large number of channels");
+    return SOX_EOF;
+  } else {
+    ft->signal.channels = channels;
+  }
 
   if (rate && ft->signal.rate && ft->signal.rate != rate)
     lsx_warn("`%s': overriding sample rate", ft->filename);
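Review bot: The ceiling `SHRT_MAX` disagrees with the `num_channels > 65535` bound kept in the sox-fmt.c hunk of this page; if sox-fmt's `startread` later reaches this function (likely, but not visible here), channel counts 32768–65535 pass the format's own header check only to be rejected here with a less specific message, so the two limits should agree or the difference be documented. A short comment on the `else if` recording why `SHRT_MAX` specifically is the ceiling would spare the next reader the same question. Note the check runs only on the path where no channel count was set beforehand; a caller-supplied `ft->signal.channels` is kept with a warning and is not bounded here. The enclosing function starts and ends outside the hunk.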
--- sox-14.4.2+git20190427.orig/src/aiff.c
+++ sox-14.4.2+git20190427/src/aiff.c
@@ -609,6 +609,11 @@
            At 48 kHz, 16 bits stereo, this gives ~3 hours of audio.
            Sorry, the AIFF format does not provide for an indefinite
            number of samples. */
+        if (ft->signal.channels >= (0x7f000000 / (ft->encoding.bits_per_sample 
>> 3)))
+        {
+                lsx_fail_errno(ft, SOX_EOF, "too many channels for AIFF 
header");
+                return SOX_EOF;
+        }
         return(aiffwriteheader(ft, (uint64_t) 0x7f000000 / 
((ft->encoding.bits_per_sample>>3)*ft->signal.channels)));
 }
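Review bot: The new guard divides by `ft->encoding.bits_per_sample >> 3` before checking that it is non-zero, so a `bits_per_sample` below 8 faults in the guard itself exactly as the existing expression on the next line would; unless the writer rejects such values earlier (outside the hunk), the shift result should be tested first. The error code `SOX_EOF` passed to `lsx_fail_errno()` is the function's return status rather than an error number — the other hunks on this page pass `EINVAL`, `SOX_EHDR` or `SOX_EFMT`. The reworked guard below assumes `bits_per_sample` is an unsigned field (its declaration is outside the hunk). The enclosing function starts outside the hunk.
```c
        unsigned bytes_per_sample = ft->encoding.bits_per_sample >> 3;
        /* Guard the divisor first; the width check below and the
           aiffwriteheader() size computation both divide by it. */
        if (bytes_per_sample == 0 ||
            ft->signal.channels >= 0x7f000000 / bytes_per_sample)
        {
                lsx_fail_errno(ft, EINVAL, "too many channels for AIFF header");
                return SOX_EOF;
        }
        /* … unchanged: return aiffwriteheader(...) … */
```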
 

++++++ CVE-2022-31651.patch ++++++
From: Helmut Grohne <hel...@subdivi.de>
Subject: formats: reject implausible rate
Bug: https://sourceforge.net/p/sox/bugs/360/
Bug-Debian: https://bugs.debian.org/1012516

--- a/src/formats_i.c
+++ b/src/formats_i.c
@@ -70,9 +70,15 @@
     ft->signal.channels = channels;
   }
 
-  if (rate && ft->signal.rate && ft->signal.rate != rate)
+  if (rate && ft->signal.rate && ft->signal.rate != rate) {
     lsx_warn("`%s': overriding sample rate", ft->filename);
-  else ft->signal.rate = rate;
+  /* Since NaN comparisons yield false, the negation rejects them. */
+  } else if (!(rate > 0)) {
+    lsx_fail_errno(ft, EINVAL, "invalid rate value");
+    return SOX_EOF;
+  } else {
+    ft->signal.rate = rate;
+  }
 
   if (encoding && ft->encoding.encoding && ft->encoding.encoding != encoding)
     lsx_warn("`%s': overriding encoding type", ft->filename);
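Review bot: `!(rate > 0)` rejects zero, negatives and NaN but accepts `+INFINITY` and any finite value however large, which later integer conversions or rate-proportional allocations may not survive; if that matters for callers (their use of `rate` is outside this hunk), `!(rate > 0) || !isfinite(rate)` with `<math.h>` closes the gap. The NaN comment is placed inside the preceding `if` block, above the `} else if` it explains; moving it to the line after `} else if (!(rate > 0)) {` keeps the explanation next to the condition it describes. The enclosing function starts and ends outside the hunk.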

++++++ CVE-2023-32627.patch ++++++
From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <ro...@debian.org>
Date: Sun, 13 Aug 2023 14:14:09 +0000
Subject: CVE-2023-32627 Filter null sampling rate in VOC coder

Avoid a divide by zero and an out-of-bounds read by rejecting a null sampling rate in
VOC files

bug: https://sourceforge.net/p/sox/bugs/369/
bug-redhat: https://bugzilla.redhat.com/show_bug.cgi?id=2212282
bug-debian: https://bugs.debian.org/1041112
bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2023-32627
---
 src/voc.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/voc.c b/src/voc.c
index f44933d..cad32fa 100644
--- a/src/voc.c
+++ b/src/voc.c
@@ -351,6 +351,11 @@ static size_t read_samples(sox_format_t * ft, sox_sample_t 
* buf,
             v->block_remaining = 0;
             return done;
           }
+          if(uc == 0) {
+            lsx_fail_errno(ft, EINVAL, "invalid rate value");
+            v->block_remaining = 0;
+            return done;
+          }
           *buf = SOX_UNSIGNED_8BIT_TO_SAMPLE(uc,);
           lsx_adpcm_init(&v->adpcm, 6 - v->size, 
SOX_SAMPLE_TO_SIGNED_16BIT(*buf, ft->clips));
           ++buf;
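Review bot: The diagnostic `"invalid rate value"` does not describe what is rejected here: `uc` is the byte read just above and passed through `SOX_UNSIGNED_8BIT_TO_SAMPLE` into `lsx_adpcm_init()` (apparently as the initial sample), not a rate, and the string is copied verbatim from the formats_i.c hunk on this page. A message naming the actual field, e.g. `lsx_fail_errno(ft, SOX_EFMT, "invalid initial sample in VOC ADPCM block");`, also brings the error code in line with the `SOX_EFMT` used by the other voc.c hunk on this page instead of `EINVAL`. Why a zero value is unsafe is not visible in the hunk (the commit message cites a divide by zero); a one-line comment above the check stating which computation it protects would help, and `if(uc == 0)` should be spaced as `if (uc == 0)` like the surrounding code. `read_samples` starts and ends outside the hunk.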
