Conversation

@kk6ho kk6ho commented Jun 19, 2025

sox: Cherry pick the following commits from master to scarthgap-next for CVE patches.

11b3888757 sox: mark CVE-2023-34432 as patched
4e1a7ed350 sox: patch CVE-2023-32627
89c017821a sox: patch CVE-2022-31651
545ab1a7ad sox: patch CVE-2022-31650
69bef92b56 sox: patch CVE-2021-40426
59085af7b2 sox: patch CVE-2021-33844
777186c4fb sox: patch CVE-2021-23159 and CVE-2021-2317
d7ba0e6cd9 sox: patch CVE-2021-3643 and CVE-2021-23210
afb0d8d2c6 sox: mark CVEs included in hash update as fixed
0ae4736226 sox: update to latest git hash
c578d2a000 sox: build from git
a68c3df41c sox: extend CVE_PRODUCT
8866910fdd sox: Fix build with GCC-14

All are related to CVE fixes except 8866910fdd sox: Fix build with GCC-14 which is safe to include because it is backward compatible with the scarthgap gcc 13 compiler.

kraj and others added 13 commits June 19, 2025 14:24

Signed-off-by: Khem Raj <raj.khem@gmail.com>

Add all relevant items from queries:
$ sqlite3 nvdcve_2-2.db
sqlite> select vendor, product, count(*) from products where product like '%sox%' group by vendor, product;
commugen|sox_365|1
libsox_project|libsox|1
sox|sox|3
sox_project|sox|10
sqlite> select vendor, product, count(*) from products where product like '%sound_exchange%' group by vendor, product;
sound_exchange_project|sound_exchange|16

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>

Last release was done in 2015 but development still continues.
Switch to git sources to allow update.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>

Resolve many CVEs and other bugs.

$ git describe --tags
sox-14.4.2-184-gf3094754
$ git log -1 HEAD | grep Date:
Date:   Thu May 30 14:46:01 2024 +0100

Recipe changes:
* removed 0001-Update-exported-symbol-list.patch
  this commit is included now
* refreshed 0001-remove-the-error-line-and-live-without-file-type-det.patch
* 0001-tests-Include-math.h-for-fabs-definition.patch
  affected file was deleted from sources
* added autoconf-archive-native dependency
  for newly used AX_APPEND_COMPILE_FLAGS macro
* changed some config options from with/without to enable/disable
  https://sourceforge.net/p/sox/code/ci/6ff0e9322f9891f5a6ac6c9b3bceffbfca16bec3/
* added +git to PV to indicate version not on hash

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>

git log sox-14.4.2..HEAD | grep -o 'CVE-[0-9-]*' | sort -u
CVE-2017-11332
CVE-2017-11358
CVE-2017-11359
CVE-2017-15370
CVE-2017-15371
CVE-2017-15372
CVE-2017-15642
CVE-2017-18189
CVE-2019-13590
CVE-2019-8354
CVE-2019-8355
CVE-2019-8356
CVE-2019-8357

Following remaining CVEs are handled in commits:
CVE-2019-1010004
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-1010004
- report: https://sourceforge.net/p/sox/bugs/299/
- patch: https://sourceforge.net/p/sox/code/ci/09d7388c8ad5701ed9c59d1d600ff6154b066397/
- same commit as CVE-2017-18189 as mentioned in NVD and bugreport texts
- https://security-tracker.debian.org/tracker/CVE-2019-1010004 links it
- it's only commit in src/xa.c in last 15 years

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>

Use patch from Debian:
https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2021-3643.patch

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>

Use patch from Debian:
https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2021-23159.patch

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>

Use patch from Debian:
https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2021-33844.patch

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>

Use patch from Debian:
https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2021-40426.patch

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>

Use patch from Debian:
https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2022-31650.patch

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>

Use patch from Debian:
https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2022-31651.patch

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>

Patch for CVE-2021-23159 fixes also this CVE.
Stated by:
* https://security-tracker.debian.org/tracker/CVE-2023-34432
* https://sourceforge.net/p/sox/bugs/367/

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
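The commit messages above derive the "fixed by hash update" list from `git log sox-14.4.2..HEAD | grep -o 'CVE-[0-9-]*' | sort -u`. The following is an added example (not code from this PR, from meta-openembedded, or from the sox project) that turns that one-off pipeline into a reusable check: every CVE a recipe claims as fixed via `CVE_STATUS` must actually be named in the upstream log, otherwise it is listed as needing a hand-written justification. The log text, the CVE IDs used as samples and the `CVE_STATUS` lines are all constructed for the example; only the `CVE_STATUS[CVE-...] = "fixed-version: ..."` flag syntax is OpenEmbedded's.

```shell
#!/bin/sh
# Added example, not part of the meta-openembedded PR or the sox project:
# generalise the `git log ... | grep -o 'CVE-...' | sort -u` pipeline from the
# commit message into a check that every CVE a recipe claims as fixed by the
# hash update is actually mentioned in the upstream log. The log text, the
# CVE IDs and the CVE_STATUS lines below are constructed sample data.

# Constructed stand-in for `git log sox-14.4.2..HEAD` output.
SAMPLE_LOG='commit 1111111
    wav: reject oversized block_align (CVE-2017-11332)

commit 2222222
    lsx_read_w_buf: bounds-check reads. Fixes CVE-2019-8354, CVE-2019-8355.
'

# Constructed stand-in for CVE_STATUS flags in a recipe; the third entry has
# no matching commit text, so the check must report it.
SAMPLE_STATUS='CVE_STATUS[CVE-2017-11332] = "fixed-version: included in git hash"
CVE_STATUS[CVE-2019-8354] = "fixed-version: included in git hash"
CVE_STATUS[CVE-2019-8356] = "fixed-version: included in git hash"
'

# The pipeline from the commit message, reading stdin. The pattern is tighter
# than 'CVE-[0-9-]*' so a bare "CVE-" or a trailing hyphen cannot match.
extract_cves() {
    grep -o 'CVE-[0-9]\{4\}-[0-9]\{4,\}' | sort -u
}

# Print every CVE named in CVE_STATUS lines ($2) that the log text ($1) never
# mentions. Prints nothing when every claim is backed by a commit message.
unverified_claims() {
    log_cves=$(printf '%s' "$1" | extract_cves) || true
    printf '%s' "$2" \
        | grep -o '^CVE_STATUS\[CVE-[0-9]\{4\}-[0-9]\{4,\}]' \
        | extract_cves \
        | while read -r cve; do
            printf '%s\n' "$log_cves" | grep -qx "$cve" || printf '%s\n' "$cve"
        done
}

# Usage: list the claims that still need a written justification.
unverified_claims "$SAMPLE_LOG" "$SAMPLE_STATUS"
```

A CVE reported by this check is not necessarily unfixed; it is one whose fix commit never names the CVE, exactly the situation the commit message above handles for CVE-2019-1010004 by pointing at the bug report, the Debian tracker and the single commit touching src/xa.c instead. The check only separates the entries that `git log` vouches for from the ones that need that kind of reasoning spelled out.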
@OldManYellsAtCloud
Contributor

The current Scarthgap version is indeed ancient... do you happen to know if there were any breaking changes (mostly thinking about dropped features or other API incompatibility) between the Scarthgap and Master revisions?
