Your message dated Tue, 14 Mar 2023 21:49:41 +0000
with message-id <[email protected]>
and subject line unblock sox
has caused the Debian Bug report #1032933,
regarding unblock: sox/14.4.2+git20190427-3.5
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1032933: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032933
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
User: [email protected]
Usertags: unblock
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:sox
Please unblock package sox
[ Reason ]
I recently performed a security update of sox in unstable and that
happened to migrate to testing. Now it was reported (#1032082) that sox
would no longer be able to parse WAV GSM files. This turns out to be a
regression in my fix for CVE-2021-33844. The .5 upload fixes this
regression and adds a test case.
[ Impact ]
sox will be able to parse WAV GSM files again.
[ Tests ]
The patch adds a test case to the upstream test suite.
[ Risks ]
The diff is short, but the original change was believed not to be risky
already and it turned out to be bad, so keep the fingers crossed. I
appreciate if someone actually reviews the change to avoid me looking
bad again.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
The bug was backported to stable and oldstable. We plan to update them
via a regression DSA and a regression DLA. SRM involvement not needed.
unblock sox/14.4.2+git20190427-3.5
Helmut
diff --minimal -Nru sox-14.4.2+git20190427/debian/changelog
sox-14.4.2+git20190427/debian/changelog
--- sox-14.4.2+git20190427/debian/changelog 2023-02-07 22:21:09.000000000
+0100
+++ sox-14.4.2+git20190427/debian/changelog 2023-03-12 10:07:49.000000000
+0100
@@ -1,3 +1,11 @@
+sox (14.4.2+git20190427-3.5) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix regression in wav-gsm decodeing introduced via fixing CVE-2021-33844.
+ (Closes: #1032082)
+
+ -- Helmut Grohne <[email protected]> Sun, 12 Mar 2023 10:07:49 +0100
+
sox (14.4.2+git20190427-3.4) unstable; urgency=medium
* Non-maintainer upload.
diff --minimal -Nru sox-14.4.2+git20190427/debian/patches/CVE-2021-33844.patch
sox-14.4.2+git20190427/debian/patches/CVE-2021-33844.patch
--- sox-14.4.2+git20190427/debian/patches/CVE-2021-33844.patch 2023-01-28
19:34:07.000000000 +0100
+++ sox-14.4.2+git20190427/debian/patches/CVE-2021-33844.patch 2023-03-12
10:07:49.000000000 +0100
@@ -14,15 +14,22 @@
uint32_t wFmtSize;
uint16_t wExtSize = 0; /* extended field for non-PCM */
-@@ -587,6 +587,11 @@
- lsx_readdw(ft, &dwAvgBytesPerSec); /* Average bytes/second */
- lsx_readw(ft, &(wav->blockAlign)); /* Block align */
- lsx_readw(ft, &wBitsPerSample); /* bits per sample per channel */
-+ if (wBitsPerSample == 0)
-+ {
-+ lsx_fail_errno(ft, SOX_EHDR, "WAV file bits per sample is zero");
-+ return SOX_EOF;
-+ }
- len -= 16;
+@@ -954,6 +959,11 @@
+ break;
- if (wav->formatTag == WAVE_FORMAT_EXTENSIBLE)
+ default:
++ if (ft->encoding.bits_per_sample == 0)
++ {
++ lsx_fail_errno(ft, SOX_EHDR, "WAV file bits per sample is zero");
++ return SOX_EOF;
++ }
+ wav->numSamples = div_bits(qwDataLength,
ft->encoding.bits_per_sample) / ft->signal.channels;
+ ft->signal.length = wav->numSamples * ft->signal.channels;
+ }
+--- a/src/testall.sh
++++ b/src/testall.sh
+@@ -67,3 +67,4 @@
+ t vox -r 8130
+ t wav
+ t wve
++t wav -e gsm-full-rate
--- End Message ---
--- Begin Message ---
Unblocked.
--- End Message ---