Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: s...@packages.debian.org, secur...@debian.org
Control: affects -1 + src:sox
Please unblock package sox

[ Reason ]
I recently performed a security update of sox in unstable and that happened to migrate to testing. Now it was reported (#1032082) that sox would no longer be able to parse WAV GSM files. This turns out to be a regression in my fix for CVE-2021-33844. The .5 upload fixes this regression and adds a test case.

[ Impact ]
sox will be able to parse WAV GSM files again.

[ Tests ]
The patch adds a test case to the upstream test suite.

[ Risks ]
The diff is short, but the original change was believed not to be risky already and it turned out to be bad, so keep the fingers crossed. I would appreciate it if someone actually reviews the change to avoid me looking bad again.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

[ Other info ]
The bug was backported to stable and oldstable. We plan to update them via a regression DSA and a regression DLA. SRM involvement not needed.

unblock sox/14.4.2+git20190427-3.5

Helmut
diff --minimal -Nru sox-14.4.2+git20190427/debian/changelog sox-14.4.2+git20190427/debian/changelog --- sox-14.4.2+git20190427/debian/changelog 2023-02-07 22:21:09.000000000 +0100 +++ sox-14.4.2+git20190427/debian/changelog 2023-03-12 10:07:49.000000000 +0100 @@ -1,3 +1,11 @@ +sox (14.4.2+git20190427-3.5) unstable; urgency=medium + + * Non-maintainer upload. + * Fix regression in wav-gsm decodeing introduced via fixing CVE-2021-33844. + (Closes: #1032082) + + -- Helmut Grohne <hel...@subdivi.de> Sun, 12 Mar 2023 10:07:49 +0100 + sox (14.4.2+git20190427-3.4) unstable; urgency=medium * Non-maintainer upload. diff --minimal -Nru sox-14.4.2+git20190427/debian/patches/CVE-2021-33844.patch sox-14.4.2+git20190427/debian/patches/CVE-2021-33844.patch --- sox-14.4.2+git20190427/debian/patches/CVE-2021-33844.patch 2023-01-28 19:34:07.000000000 +0100 +++ sox-14.4.2+git20190427/debian/patches/CVE-2021-33844.patch 2023-03-12 10:07:49.000000000 +0100 @@ -14,15 +14,22 @@ uint32_t wFmtSize; uint16_t wExtSize = 0; /* extended field for non-PCM */ -@@ -587,6 +587,11 @@ - lsx_readdw(ft, &dwAvgBytesPerSec); /* Average bytes/second */ - lsx_readw(ft, &(wav->blockAlign)); /* Block align */ - lsx_readw(ft, &wBitsPerSample); /* bits per sample per channel */ -+ if (wBitsPerSample == 0) -+ { -+ lsx_fail_errno(ft, SOX_EHDR, "WAV file bits per sample is zero"); -+ return SOX_EOF; -+ } - len -= 16; +@@ -954,6 +959,11 @@ + break; - if (wav->formatTag == WAVE_FORMAT_EXTENSIBLE) + default: ++ if (ft->encoding.bits_per_sample == 0) ++ { ++ lsx_fail_errno(ft, SOX_EHDR, "WAV file bits per sample is zero"); ++ return SOX_EOF; ++ } + wav->numSamples = div_bits(qwDataLength, ft->encoding.bits_per_sample) / ft->signal.channels; + ft->signal.length = wav->numSamples * ft->signal.channels; + } +--- a/src/testall.sh ++++ b/src/testall.sh +@@ -67,3 +67,4 @@ + t vox -r 8130 + t wav + t wve ++t wav -e gsm-full-rate
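Review bot: the changelog entry has a typo in `* Fix regression in wav-gsm decodeing introduced via fixing CVE-2021-33844.`; "decodeing" should read "decoding" before this goes out, since the text also ends up in the regression DSA/DLA.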
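Review bot: the guard moves from the fmt-chunk reader, right after `lsx_readw(ft, &wBitsPerSample); /* bits per sample per channel */`, to the `default:` branch directly before `wav->numSamples = div_bits(qwDataLength, ft->encoding.bits_per_sample) / ft->signal.channels;`. That is the correct placement: a fmt chunk with bits-per-sample 0 is legitimate for compressed encodings such as GSM (which is exactly the #1032082 regression), and the division shown in the `default:` branch is where a zero value actually matters. Two things to confirm before ack: first, the `case` labels above `default:` (not in this diff) must not divide by `ft->encoding.bits_per_sample` themselves, otherwise they lose the protection the old header check gave them; second, the new hunk header `@@ -954,6 +959,11 @@` still carries a five-line offset, the same size as the removed `@@ -587,6 +587,11 @@` hunk, so please run `quilt refresh` and verify the patch applies without fuzz now that hunk is gone.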
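Review bot: `t wav -e gsm-full-rate` is appended after `t wve`, whereas the surrounding entries (`t vox -r 8130`, `t wav`, `t wve`) are ordered by format; placing it directly after `t wav` keeps the WAV variants together. A short comment that this line reproduces #1032082 would also help whoever next edits the list, and the test only exercises the fix when the build has GSM support enabled, so make sure the Debian build does.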