Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu
Attached debdiff fixes a number of bugs in sox. These have been in jessie
for a while already (Stretch and Jessie have the same base version as the
package was unmaintained for a while) and I've run some of the PoCs on
the Stretch build. Debdiff below.
Cheers,
Moritz
diff -Nru sox-14.4.1/debian/changelog sox-14.4.1/debian/changelog
--- sox-14.4.1/debian/changelog 2019-02-01 16:18:21.0 +0100
+++ sox-14.4.1/debian/changelog 2019-08-16 00:28:55.0 +0200
@@ -1,3 +1,16 @@
+sox (14.4.1-5+deb9u2) stretch; urgency=medium
+
+ * Sync up patches with 14.4.1-5+deb8u4 (sans some uncommented patches)
+CVE-2019-8354 CVE-2019-8355 CVE-2019-8356 CVE-2019-8357 (Closes: #927906)
+CVE-2019-1010004 CVE-2017-18189 (Closes: #881121)
+CVE-2017-15642 (Closes: #882144)
+CVE-2017-15372 (Closes: #878808)
+CVE-2017-15371 (Closes: #878809)
+CVE-2017-15370 (Closes: #878810)
+CVE-2017-11359 CVE-2017-11358 CVE-2017-11332 (Closes: #870328)
+
+ -- Moritz Mühlenhoff Fri, 16 Aug 2019 00:28:55 +0200
+
sox (14.4.1-5+deb9u1) stretch; urgency=medium
* Non-maintainer upload.
diff -Nru sox-14.4.1/debian/patches/0001-Clean-up-lsx_malloc-and-friends.patch
sox-14.4.1/debian/patches/0001-Clean-up-lsx_malloc-and-friends.patch
--- sox-14.4.1/debian/patches/0001-Clean-up-lsx_malloc-and-friends.patch
1970-01-01 01:00:00.0 +0100
+++ sox-14.4.1/debian/patches/0001-Clean-up-lsx_malloc-and-friends.patch
2019-05-10 01:08:00.0 +0200
@@ -0,0 +1,80 @@
+From ccedd08802f62ed896f69d778e6a106d00f9ab58 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard
+Date: Tue, 8 Dec 2015 22:52:41 +
+Subject: [PATCH 1/5] Clean up lsx_malloc() and friends
+
+---
+ src/Makefile.am | 2 +-
+ src/xmalloc.c | 30 +-
+ src/xmalloc.h | 7 ---
+ 3 files changed, 30 insertions(+), 9 deletions(-)
+
+diff --git a/src/xmalloc.c b/src/xmalloc.c
+index 9bf15969..56fe6944 100644
+--- a/src/xmalloc.c
b/src/xmalloc.c
+@@ -20,6 +20,16 @@
+ #include "sox_i.h"
+ #include
+
++static void *lsx_checkptr(void *ptr)
++{
++ if (!ptr) {
++lsx_fail("out of memory");
++exit(2);
++ }
++
++ return ptr;
++}
++
+ /* Resize an allocated memory area; abort if not possible.
+ *
+ * For malloc, `If the size of the space requested is zero, the behavior is
+@@ -34,10 +44,20 @@ void *lsx_realloc(void *ptr, size_t newsize)
+ return NULL;
+ }
+
+- if ((ptr = realloc(ptr, newsize)) == NULL) {
+-lsx_fail("out of memory");
+-exit(2);
+- }
++ return lsx_checkptr(realloc(ptr, newsize));
++}
+
+- return ptr;
++void *lsx_malloc(size_t size)
++{
++ return lsx_checkptr(malloc(size + !size));
++}
++
++void *lsx_calloc(size_t n, size_t size)
++{
++ return lsx_checkptr(calloc(n + !n, size + !size));
++}
++
++char *lsx_strdup(const char *s)
++{
++ return lsx_checkptr(strdup(s));
+ }
+diff --git a/src/xmalloc.h b/src/xmalloc.h
+index 9ee77f63..92ac64d9 100644
+--- a/src/xmalloc.h
b/src/xmalloc.h
+@@ -23,10 +23,11 @@
+ #include
+ #include
+
+-#define lsx_malloc(size) lsx_realloc(NULL, (size))
+-#define lsx_calloc(n,s) (((n)*(s))? memset(lsx_malloc((n)*(s)),0,(n)*(s)) :
NULL)
++LSX_RETURN_VALID void *lsx_malloc(size_t size);
++LSX_RETURN_VALID void *lsx_calloc(size_t n, size_t size);
++LSX_RETURN_VALID char *lsx_strdup(const char *s);
++
+ #define lsx_Calloc(v,n) v = lsx_calloc(n,sizeof(*(v)))
+-#define lsx_strdup(p) ((p)? strcpy((char *)lsx_malloc(strlen(p) + 1), p) :
NULL)
+ #define lsx_memdup(p,s) ((p)? memcpy(lsx_malloc(s), p, s) : NULL)
+ #define lsx_valloc(v,n) v = lsx_malloc((n)*sizeof(*(v)))
+ #define lsx_revalloc(v,n) v = lsx_realloc(v, (n)*sizeof(*(v)))
+--
+2.20.1
+
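Review bot: The new `lsx_strdup()` in xmalloc.c drops the NULL-tolerance of the macro it replaces: the removed `#define lsx_strdup(p) ((p)? strcpy(...) : NULL)` returned NULL for a NULL argument, whereas the new body calls `strdup(s)` unconditionally, which is undefined behaviour for NULL and typically faults before `lsx_checkptr()` ever sees a result. Unless every sox caller has been audited for NULL arguments (I cannot tell from this diff), keep the old contract with `return s ? lsx_checkptr(strdup(s)) : NULL;`. Note also that `lsx_calloc()` changes from returning NULL for a zero-sized request to returning a one-element allocation, matching what `lsx_malloc()` already did with `size + !size`; since the point of going through real `calloc()` is its `n*size` overflow check, that behavioural change deserves a sentence in the patch description so callers that tested for NULL are not surprised. Finally, the diffstat lists `src/Makefile.am` but no hunk for it is included, so the header is stale relative to the trimmed body — harmless to quilt, but worth correcting to avoid confusion.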
diff -Nru
sox-14.4.1/debian/patches/0002-fix-possible-buffer-size-overflow-in-lsx_make_lpf-CV.patch
sox-14.4.1/debian/patches/0002-fix-possible-buffer-size-overflow-in-lsx_make_lpf-CV.patch
---
sox-14.4.1/debian/patches/0002-fix-possible-buffer-size-overflow-in-lsx_make_lpf-CV.patch
1970-01-01 01:00:00.0 +0100
+++
sox-14.4.1/debian/patches/0002-fix-possible-buffer-size-overflow-in-lsx_make_lpf-CV.patch
2019-05-10 01:08:00.0 +0200
@@ -0,0 +1,23 @@
+From f70911261a84333b077c29908e1242f69d7439eb Mon Sep 17 00:00:00 2001
+From: Mans Rullgard
+Date: Wed, 24 Apr 2019 14:57:34 +0100
+Subject: [PATCH 2/5] fix possible buffer size overflow in lsx_make_lpf()
+ (CVE-2019-8354)
+
+The multiplication in the size argument malloc() might overflow,
+resulting in a small buffer being allocated. Use calloc() instead.
+---
+ src/effects_i_dsp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/src/effects_i_dsp.c
b/src/effects_i_dsp.c
+@@ -256,7 +256,7 @@
+ double * lsx_make_lpf(int num_taps, double Fc, double beta, double scale,
sox_bool dc_norm)
+ {
+ int i, m = num_taps - 1;
+- double * h = malloc(num_taps * sizeof(*h)), sum = 0;
++