From e3a0ca97cb831d5cf9751aee26651bee4e24fc4e Mon Sep 17 00:00:00 2001 From: Khem Raj Date: Sun, 19 May 2024 09:14:18 -0700 Subject: [PATCH 01/13] sox: Fix build with GCC-14 Signed-off-by: Khem Raj --- ...s-Include-math.h-for-fabs-definition.patch | 33 +++++++++++++++++++ .../recipes-multimedia/sox/sox_14.4.2.bb | 1 + 2 files changed, 34 insertions(+) create mode 100644 meta-multimedia/recipes-multimedia/sox/sox/0001-tests-Include-math.h-for-fabs-definition.patch diff --git a/meta-multimedia/recipes-multimedia/sox/sox/0001-tests-Include-math.h-for-fabs-definition.patch b/meta-multimedia/recipes-multimedia/sox/sox/0001-tests-Include-math.h-for-fabs-definition.patch new file mode 100644 index 00000000000..5f9135a0ee6 --- /dev/null +++ b/meta-multimedia/recipes-multimedia/sox/sox/0001-tests-Include-math.h-for-fabs-definition.patch @@ -0,0 +1,33 @@ +From afe336ab63ff9b64ef759255de6b03b897dc4453 Mon Sep 17 00:00:00 2001 +From: Khem Raj +Date: Sun, 19 May 2024 09:09:46 -0700 +Subject: [PATCH] tests: Include math.h for fabs() definition + +Fixes build with gcc-14 + +../../sox-14.4.2/src/sox_sample_test.h:190:3: error: implicit declaration of function 'fabs' [-Wimplicit-function-declaration] + 190 | assert(fabs(d - 1) < 1e-9 && clips == 0); + | ^~~~~~ + ../../sox-14.4.2/src/sox_sample_test.h:23:1: note: include '' or provide a declaration of 'fabs' + +Upstream-Status: Pending +Signed-off-by: Khem Raj +--- + src/sox_sample_test.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/sox_sample_test.h b/src/sox_sample_test.h +index 62b55e4..17f0069 100644 +--- a/src/sox_sample_test.h ++++ b/src/sox_sample_test.h +@@ -19,6 +19,7 @@ + #undef NDEBUG /* Must undef above assert.h or other that might include it. */ + #endif + #include ++#include + #include "sox.h" + + #define TEST_UINT(bits) \ +-- +2.45.1 + diff --git a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb index 011cbc2a9df..800fcad2c9e 100644 
--- a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb +++ b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb @@ -30,6 +30,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.GPL;md5=751419260aa954499f7abaabaa882bbe \ SRC_URI = "${SOURCEFORGE_MIRROR}/sox/sox-${PV}.tar.gz \ file://0001-remove-the-error-line-and-live-without-file-type-det.patch \ file://0001-Update-exported-symbol-list.patch \ + file://0001-tests-Include-math.h-for-fabs-definition.patch \ " SRC_URI[md5sum] = "d04fba2d9245e661f245de0577f48a33" SRC_URI[sha256sum] = "b45f598643ffbd8e363ff24d61166ccec4836fea6d3888881b8df53e3bb55f6c" From c50ed524d5bb811b0ce8ff310c584a4874905975 Mon Sep 17 00:00:00 2001 From: Peter Marko Date: Sun, 16 Mar 2025 23:53:47 +0100 Subject: [PATCH 02/13] sox: extend CVE_PRODUCT Add all relevant items from queries: $ sqlite3 nvdcve_2-2.db sqlite> select vendor, product, count(*) from products where product like '%sox%' group by vendor, product; commugen|sox_365|1 libsox_project|libsox|1 sox|sox|3 sox_project|sox|10 sqlite> select vendor, product, count(*) from products where product like '%sound_exchange%' group by vendor, product; sound_exchange_project|sound_exchange|16 Signed-off-by: Peter Marko Signed-off-by: Khem Raj --- meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb index 800fcad2c9e..c1edd0fad72 100644 --- a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb +++ b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb @@ -35,6 +35,8 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/sox/sox-${PV}.tar.gz \ SRC_URI[md5sum] = "d04fba2d9245e661f245de0577f48a33" SRC_URI[sha256sum] = "b45f598643ffbd8e363ff24d61166ccec4836fea6d3888881b8df53e3bb55f6c" +CVE_PRODUCT:append = " libsox_project:libsox sound_exchange_project:sound_exchange" + inherit autotools pkgconfig # Enable largefile support 
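Review bot: The two `vendor:product` pairs appended to CVE_PRODUCT are not explained in the recipe, and the query output in the commit message also lists `sox:sox` and `sox_project:sox`, which are presumably matched by the default `CVE_PRODUCT = "${BPN}"` (product `sox` under any vendor) — that should be stated so the next reader does not re-add them. A one-line comment above the assignment would do: `# NVD also files sox CVEs under libsox_project:libsox and sound_exchange_project:sound_exchange; the default ${BPN} match covers sox:sox and sox_project:sox`. If the cve-check version in use does not match vendor-qualified NVD entries through a bare product name, those two pairs need appending explicitly as well.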
From 39ab3acfae8f8f36b52b18e2e3f711bf08930de7 Mon Sep 17 00:00:00 2001 From: Peter Marko Date: Sun, 16 Mar 2025 23:53:48 +0100 Subject: [PATCH 03/13] sox: build from git Last release was done in 2015 but development still continues. Switch to git sources to allow update. Signed-off-by: Peter Marko Signed-off-by: Khem Raj --- meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb index c1edd0fad72..48dba454203 100644 --- a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb +++ b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb @@ -27,13 +27,14 @@ LICENSE = "GPL-2.0-only & LGPL-2.1-only" LIC_FILES_CHKSUM = "file://LICENSE.GPL;md5=751419260aa954499f7abaabaa882bbe \ file://LICENSE.LGPL;md5=fbc093901857fcd118f065f900982c24" -SRC_URI = "${SOURCEFORGE_MIRROR}/sox/sox-${PV}.tar.gz \ +SRC_URI = "git://git.code.sf.net/p/sox/code;protocol=https;branch=master \ file://0001-remove-the-error-line-and-live-without-file-type-det.patch \ file://0001-Update-exported-symbol-list.patch \ file://0001-tests-Include-math.h-for-fabs-definition.patch \ " -SRC_URI[md5sum] = "d04fba2d9245e661f245de0577f48a33" -SRC_URI[sha256sum] = "b45f598643ffbd8e363ff24d61166ccec4836fea6d3888881b8df53e3bb55f6c" + +SRCREV = "45b161d73ec087a8e003747b1aed07cd33589bca" +S = "${WORKDIR}/git" CVE_PRODUCT:append = " libsox_project:libsox sound_exchange_project:sound_exchange" From 16ab676f09879a0cf604df985144a8737595fda4 Mon Sep 17 00:00:00 2001 
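Review bot: `SRCREV = "45b161d73ec087a8e003747b1aed07cd33589bca"` is not identified anywhere in the recipe, and with the tarball md5/sha256 lines removed this full commit hash is now the only integrity pin for the sources, so it should say what it points at — e.g. `# sox-14.4.2 release tag` if that is what it is (the commit message does not say). The fetch itself is sound: `protocol=https` plus a 40-character SRCREV means a change to the `master` branch tip cannot silently alter what gets built. A reader bumping this later needs to know whether the hash is the tag or some post-release commit, which is why the comment matters.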
From: Peter Marko Date: Sun, 16 Mar 2025 23:53:49 +0100 Subject: [PATCH 04/13] sox: update to latest git hash Resolve many CVEs and other bugs. $ git describe --tags sox-14.4.2-184-gf3094754 $ git log -1 HEAD | grep Date: Date: Thu May 30 14:46:01 2024 +0100 Recipe changes: * removed 0001-Update-exported-symbol-list.patch this commit is included now * refreshed 0001-remove-the-error-line-and-live-without-file-type-det.patch * 0001-tests-Include-math.h-for-fabs-definition.patch affected file was deleted from sources * added autoconf-archive-native dependency for newly used AX_APPEND_COMPILE_FLAGS macro * changed some config options from with/without to enable/disable https://sourceforge.net/p/sox/code/ci/6ff0e9322f9891f5a6ac6c9b3bceffbfca16bec3/ * added +git to PV to indicate version not on hash Signed-off-by: Peter Marko Signed-off-by: Khem Raj --- .../0001-Update-exported-symbol-list.patch | 34 ------------------- ...-line-and-live-without-file-type-det.patch | 2 +- ...s-Include-math.h-for-fabs-definition.patch | 33 ------------------ .../recipes-multimedia/sox/sox_14.4.2.bb | 26 +++++++------- 4 files changed, 14 insertions(+), 81 deletions(-) delete mode 100644 meta-multimedia/recipes-multimedia/sox/sox/0001-Update-exported-symbol-list.patch delete mode 100644 meta-multimedia/recipes-multimedia/sox/sox/0001-tests-Include-math.h-for-fabs-definition.patch diff --git a/meta-multimedia/recipes-multimedia/sox/sox/0001-Update-exported-symbol-list.patch b/meta-multimedia/recipes-multimedia/sox/sox/0001-Update-exported-symbol-list.patch deleted file mode 100644 index 44c6b19be04..00000000000 --- a/meta-multimedia/recipes-multimedia/sox/sox/0001-Update-exported-symbol-list.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From b1809d82031aa7c5bcaad58bcb4b59e082e0446e Mon Sep 17 00:00:00 2001 -From: Mans Rullgard -Date: Sun, 5 Nov 2017 15:40:16 +0000 -Subject: [PATCH] Update exported symbol list - -commit 5c58413544 ("Don't export (most) internal libsox symbols") -breaks dynamic flac builds as flac.c references lsx.error, so add it -to the list of exceptions. - -| .libs/flac.o: In function `decoder_read_callback': -| /usr/src/debug/sox/14.4.2-r0/sox-14.4.2/src/flac.c:63: undefined reference to `lsx_error' - -Upstream-Status: Backport [https://bogomips.org/sox.git ("pu" branch)] - ---- - src/Makefile.am | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/Makefile.am b/src/Makefile.am -index 7cceaafd..a3a04ed1 100644 ---- a/src/Makefile.am -+++ b/src/Makefile.am -@@ -95,7 +95,7 @@ libsox_la_LIBADD += @GOMP_LIBS@ - - libsox_la_CFLAGS = @WARN_CFLAGS@ - libsox_la_LDFLAGS = @APP_LDFLAGS@ -version-info @SHLIB_VERSION@ \ -- -export-symbols-regex '^(sox_.*|lsx_(check_read_params|(close|open)_dllibrary|(debug(_more|_most)?|fail|report|warn)_impl|eof|fail_errno|filelength|find_(enum_(text|value)|file_extension)|getopt(_init)?|lpc10_(create_(de|en)coder_state|(de|en)code)|raw(read|write)|read(_b_buf|buf|chars)|realloc|rewind|seeki|sigfigs3p?|strcasecmp|tell|unreadb|write(b|_b_buf|buf|s)))$$' -+ -export-symbols-regex '^(sox_.*|lsx_(([cm]|re)alloc|check_read_params|(close|open)_dllibrary|(debug(_more|_most)?|fail|report|warn)_impl|eof|error|fail_errno|filelength|find_(enum_(text|value)|file_extension)|flush|getopt(_init)?|id3_read_tag|lpc10_(create_(de|en)coder_state|(de|en)code)|raw(read|write)|read(_b_buf|buf|chars)|rewind|seeki|sigfigs3p?|strcasecmp|strdup|tell|unreadb|write(b|_b_buf|buf|s)))$$' - - if HAVE_WIN32_LTDL - libsox_la_SOURCES += win32-ltdl.c win32-ltdl.h --- -2.16.2 - 
diff --git a/meta-multimedia/recipes-multimedia/sox/sox/0001-remove-the-error-line-and-live-without-file-type-det.patch b/meta-multimedia/recipes-multimedia/sox/sox/0001-remove-the-error-line-and-live-without-file-type-det.patch index 3085bd495c4..15c429e515a 100644 --- a/meta-multimedia/recipes-multimedia/sox/sox/0001-remove-the-error-line-and-live-without-file-type-det.patch +++ b/meta-multimedia/recipes-multimedia/sox/sox/0001-remove-the-error-line-and-live-without-file-type-det.patch @@ -15,7 +15,7 @@ diff --git a/src/formats.c b/src/formats.c index 724a4cda..f683a922 100644 --- a/src/formats.c +++ b/src/formats.c -@@ -422,7 +422,6 @@ static void UNUSED rewind_pipe(FILE * fp) +@@ -477,7 +477,6 @@ static void UNUSED rewind_pipe(FILE * fp) /* To fix this #error, either simply remove the #error line and live without * file-type detection with pipes, or add support for your compiler in the * lines above. Test with cat monkey.wav | ./sox --info - */ diff --git a/meta-multimedia/recipes-multimedia/sox/sox/0001-tests-Include-math.h-for-fabs-definition.patch b/meta-multimedia/recipes-multimedia/sox/sox/0001-tests-Include-math.h-for-fabs-definition.patch deleted file mode 100644 index 5f9135a0ee6..00000000000 --- a/meta-multimedia/recipes-multimedia/sox/sox/0001-tests-Include-math.h-for-fabs-definition.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From afe336ab63ff9b64ef759255de6b03b897dc4453 Mon Sep 17 00:00:00 2001 -From: Khem Raj -Date: Sun, 19 May 2024 09:09:46 -0700 -Subject: [PATCH] tests: Include math.h for fabs() definition - -Fixes build with gcc-14 - -../../sox-14.4.2/src/sox_sample_test.h:190:3: error: implicit declaration of function 'fabs' [-Wimplicit-function-declaration] - 190 | assert(fabs(d - 1) < 1e-9 && clips == 0); - | ^~~~~~ - ../../sox-14.4.2/src/sox_sample_test.h:23:1: note: include '' or provide a declaration of 'fabs' - -Upstream-Status: Pending -Signed-off-by: Khem Raj ---- - src/sox_sample_test.h | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/sox_sample_test.h b/src/sox_sample_test.h -index 62b55e4..17f0069 100644 ---- a/src/sox_sample_test.h -+++ b/src/sox_sample_test.h -@@ -19,6 +19,7 @@ - #undef NDEBUG /* Must undef above assert.h or other that might include it. */ - #endif - #include -+#include - #include "sox.h" - - #define TEST_UINT(bits) \ --- -2.45.1 - diff --git a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb index 48dba454203..e3c228858c2 100644 --- a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb +++ b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb 
@@ -4,24 +4,24 @@ and can apply different effects and filters to the audio data." HOMEPAGE = "http://sox.sourceforge.net" SECTION = "audio" -DEPENDS = "libpng libsndfile1 libtool" +DEPENDS = "autoconf-archive-native libpng libsndfile1 libtool" PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'alsa pulseaudio', d)} \ magic \ " -PACKAGECONFIG[pulseaudio] = "--with-pulseaudio=dyn,--with-pulseaudio=no,pulseaudio," -PACKAGECONFIG[alsa] = "--with-alsa=dyn,--with-alsa=no,alsa-lib," -PACKAGECONFIG[wavpack] = "--with-wavpack=dyn,--with-wavpack=no,wavpack," -PACKAGECONFIG[flac] = "--with-flac=dyn,--with-flac=no,flac," -PACKAGECONFIG[amrwb] = "--with-amrwb=dyn,--with-amrwb=no,opencore-amr," -PACKAGECONFIG[amrnb] = "--with-amrnb=dyn,--with-amrnb=no,opencore-amr," -PACKAGECONFIG[oggvorbis] = "--with-oggvorbis=dyn,--with-oggvorbis=no,libvorbis" -PACKAGECONFIG[opus] = "--with-opus=dyn,--with-opus=no,opusfile" +PACKAGECONFIG[pulseaudio] = "--enable-pulseaudio=dyn,--disable-pulseaudio,pulseaudio," +PACKAGECONFIG[alsa] = "--enable-alsa=dyn,--disable-alsa,alsa-lib," +PACKAGECONFIG[wavpack] = "--enable-wavpack=dyn,--disable-wavpack,wavpack," +PACKAGECONFIG[flac] = "--enable-flac=dyn,--disable-flac,flac," +PACKAGECONFIG[amrwb] = "--enable-amrwb=dyn,--disable-amrwb,opencore-amr," +PACKAGECONFIG[amrnb] = "--enable-amrnb=dyn,--disable-amrnb,opencore-amr," +PACKAGECONFIG[oggvorbis] = "--enable-oggvorbis=dyn,--disable-oggvorbis,libvorbis" +PACKAGECONFIG[opus] = "--enable-opus=dyn,--disable-opus,opusfile" PACKAGECONFIG[magic] = "--with-magic,--without-magic,file," PACKAGECONFIG[mad] = "--with-mad,--without-mad,libmad," PACKAGECONFIG[id3tag] = "--with-id3tag,--without-id3tag,libid3tag," PACKAGECONFIG[lame] = "--with-lame,--without-lame,lame," -PACKAGECONFIG[ao] = "--with-ao,--without-ao,libao," +PACKAGECONFIG[ao] = "--enable-ao,--disable-ao,libao," LICENSE = "GPL-2.0-only & LGPL-2.1-only" LIC_FILES_CHKSUM = "file://LICENSE.GPL;md5=751419260aa954499f7abaabaa882bbe \ 
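Review bot: Only `pulseaudio`, `alsa`, `wavpack`, `flac`, `amrwb`, `amrnb`, `oggvorbis`, `opus` and `ao` are switched to `--enable-*/--disable-*`, while `magic`, `mad`, `id3tag` and `lame` keep `--with-*/--without-*`; the commit message cites upstream commit 6ff0e9322f for the rename, so this split should be confirmed against configure.ac at f3094754. Autoconf only warns about an unrecognised `--with-foo`/`--without-foo` and does not fail, so if any of those four were also renamed the PACKAGECONFIG would silently stop controlling the feature and it would follow auto-detection of whatever happens to be in the sysroot. A small style point in the same hunk: `PACKAGECONFIG[oggvorbis]` and `PACKAGECONFIG[opus]` lack the trailing comma every other entry carries.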
@@ -29,11 +29,11 @@ LIC_FILES_CHKSUM = "file://LICENSE.GPL;md5=751419260aa954499f7abaabaa882bbe \ SRC_URI = "git://git.code.sf.net/p/sox/code;protocol=https;branch=master \ file://0001-remove-the-error-line-and-live-without-file-type-det.patch \ - file://0001-Update-exported-symbol-list.patch \ - file://0001-tests-Include-math.h-for-fabs-definition.patch \ " -SRCREV = "45b161d73ec087a8e003747b1aed07cd33589bca" +# last release was in 2015, use latest hash from 2024-05-30 +PV .= "+git" +SRCREV = "f3094754a7c2a7e55c35621d20fa9945736e72df" S = "${WORKDIR}/git" CVE_PRODUCT:append = " libsox_project:libsox sound_exchange_project:sound_exchange" From 8831fe1b3f013e77d044b1e47546e7536740b97a Mon Sep 17 00:00:00 2001 From: Peter Marko Date: Sun, 16 Mar 2025 23:53:50 +0100 Subject: [PATCH 05/13] sox: mark CVEs included in hash update as fixed git log sox-14.4.2..HEAD | grep -o 'CVE-[0-9-]*' | sort -u CVE-2017-11332 CVE-2017-11358 CVE-2017-11359 CVE-2017-15370 CVE-2017-15371 CVE-2017-15372 CVE-2017-15642 CVE-2017-18189 CVE-2019-13590 CVE-2019-8354 CVE-2019-8355 CVE-2019-8356 CVE-2019-8357 Following remaining CVEs are handled in commits: CVE-2019-1010004 - NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-1010004 - report: https://sourceforge.net/p/sox/bugs/299/ - patch: https://sourceforge.net/p/sox/code/ci/09d7388c8ad5701ed9c59d1d600ff6154b066397/ - same commit as CVE-2017-18189 as mentioned in NVD and bugreport texts - https://security-tracker.debian.org/tracker/CVE-2019-1010004 links it - it's only commit in src/xa.c in last 15 years Signed-off-by: Peter Marko Signed-off-by: Khem Raj --- meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb index e3c228858c2..e8294a05afa 100644 --- a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb +++ b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb 
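Review bot: The new comment above SRCREV gives the date but not what `f3094754a7c2a7e55c35621d20fa9945736e72df` corresponds to; the `git describe --tags` output from the commit message would let a reader place the snapshot without a checkout, e.g. `# last release was in 2015; sox-14.4.2-184-gf3094754 from 2024-05-30`. `PV .= "+git"` keeps the version comparable to 14.4.2 for tooling, which is presumably intended (cve-check, as far as I recall, strips a `+git` suffix before comparing versions), but the recipe file is still named sox_14.4.2.bb, so the name now under-describes what is built.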
@@ -38,6 +38,14 @@ S = "${WORKDIR}/git" CVE_PRODUCT:append = " libsox_project:libsox sound_exchange_project:sound_exchange" +CVE_STATUS_GROUPS += "CVE_STATUS_HASH_UPDATE" +CVE_STATUS_HASH_UPDATE = " \ + CVE-2017-11332 CVE-2017-11358 CVE-2017-11359 CVE-2017-15370 CVE-2017-15371 \ + CVE-2017-15372 CVE-2017-15642 CVE-2017-18189 CVE-2019-13590 CVE-2019-8354 \ + CVE-2019-8355 CVE-2019-8356 CVE-2019-8357 CVE-2019-1010004 \ +" +CVE_STATUS_HASH_UPDATE[status] = "fixed-version: patched in current git hash" + inherit autotools pkgconfig # Enable largefile support From 50826423e488635a3c364dd19d3babe72f81e540 Mon Sep 17 00:00:00 2001 From: Peter Marko Date: Sun, 16 Mar 2025 23:53:51 +0100 Subject: [PATCH 06/13] sox: patch CVE-2021-3643 and CVE-2021-23210 Use patch from Debian: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2021-3643.patch Signed-off-by: Peter Marko Signed-off-by: Khem Raj --- .../sox/CVE-2021-3643_CVE-2021-23210.patch | 30 +++++++++++++++++++ .../recipes-multimedia/sox/sox_14.4.2.bb | 1 + 2 files changed, 31 insertions(+) create mode 100644 meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-3643_CVE-2021-23210.patch diff --git a/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-3643_CVE-2021-23210.patch b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-3643_CVE-2021-23210.patch new file mode 100644 index 00000000000..f58d2fd7748 --- /dev/null +++ b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-3643_CVE-2021-23210.patch 
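Review bot: The reasoning that CVE-2019-1010004 is closed by the same upstream commit as CVE-2017-18189 (09d7388c, the only change to src/xa.c) lives only in the commit message; since `CVE_STATUS_HASH_UPDATE` will be edited on every SRCREV bump, put it in the recipe, e.g. `# CVE-2019-1010004: same root cause as CVE-2017-18189, fixed by upstream 09d7388c (src/xa.c)` above the list. The other thirteen IDs came from `git log sox-14.4.2..HEAD | grep CVE`, which records that upstream mentioned the ID, not that each fix was reviewed; that is acceptable for a `fixed-version:` status, but a comment naming that command would let the list be regenerated on the next bump.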
@@ -0,0 +1,30 @@ +From 5b9a7c0fc7054b4f16a5058eef721470e9adcfcc Mon Sep 17 00:00:00 2001 +From: Helmut Grohne +Date: Sun, 16 Mar 2025 21:16:40 +0100 +Subject: [PATCH] voc: word width should never be 0 to avoid division by zero + +Source: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2021-3643.patch + +CVE: CVE-2021-3643 +CVE: CVE-2021-23210 +Upstream-Status: Inactive-Upstream [lastrelease: 2015] +Signed-off-by: Peter Marko +--- + src/voc.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/voc.c b/src/voc.c +index a75639e9..0ca07f94 100644 +--- a/src/voc.c ++++ b/src/voc.c +@@ -625,6 +625,10 @@ static int getblock(sox_format_t * ft) + v->rate = new_rate_32; + ft->signal.rate = new_rate_32; + lsx_readb(ft, &uc); ++ if (uc <= 1) { ++ lsx_fail_errno(ft, SOX_EFMT, "2 bits per word required"); ++ return (SOX_EOF); ++ } + v->size = uc; + lsx_readb(ft, &uc); + if (v->channels != -1 && uc != v->channels) { diff --git a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb index e8294a05afa..a87f4de1311 100644 --- a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb +++ b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb @@ -29,6 +29,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.GPL;md5=751419260aa954499f7abaabaa882bbe \ SRC_URI = "git://git.code.sf.net/p/sox/code;protocol=https;branch=master \ file://0001-remove-the-error-line-and-live-without-file-type-det.patch \ + file://CVE-2021-3643_CVE-2021-23210.patch \ " # last release was in 2015, use latest hash from 2024-05-30 From e8b420a5bfdeaae83addc37646a1cde73df5f5a7 Mon Sep 17 00:00:00 2001 From: Peter Marko Date: Sun, 16 Mar 2025 23:53:52 +0100 Subject: [PATCH 07/13] sox: patch CVE-2021-23159 and CVE-2021-2317 Use patch from Debian: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2021-23159.patch Signed-off-by: Peter Marko 
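Review bot: `Upstream-Status: Inactive-Upstream [lastrelease: 2015]` does not fit a recipe that this series just moved to a 2024-05-30 commit of a tree the earlier commit message describes as still developed; under the OE patch-status definitions this should be `Pending` (or `Submitted` with the SourceForge ticket) so the patch is revisited on the next SRCREV bump instead of being treated as permanent, and the same tag is carried by every Debian-derived patch later in the series. On the check itself, the subject says the width must not be 0, but `if (uc <= 1)` also rejects 1 and the message `"2 bits per word required"` gives no reason; if 1-bit words are genuinely unsupported by the decoder a short comment should say so, otherwise the test should be `uc == 0`. The return of `lsx_readb(ft, &uc)` feeding this check is not examined, as before; getblock's body continues outside the hunk.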
Signed-off-by: Khem Raj --- .../sox/CVE-2021-23159_CVE-2021-2317.patch | 31 +++++++++++++++++++ .../recipes-multimedia/sox/sox_14.4.2.bb | 1 + 2 files changed, 32 insertions(+) create mode 100644 meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-23159_CVE-2021-2317.patch diff --git a/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-23159_CVE-2021-2317.patch b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-23159_CVE-2021-2317.patch new file mode 100644 index 00000000000..472e4bac60f --- /dev/null +++ b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-23159_CVE-2021-2317.patch @@ -0,0 +1,31 @@ +From 8eb3afb37f80d7231a998e3074e6fc5f7bdfe4d5 Mon Sep 17 00:00:00 2001 +From: Helmut Grohne +Date: Sun, 16 Mar 2025 20:28:15 +0100 +Subject: [PATCH] hcom: validate dictsize + +Source: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2021-23159.patch + +CVE: CVE-2021-23159 +CVE: CVE-2021-23172 +Upstream-Status: Inactive-Upstream [lastrelease: 2015] +Signed-off-by: Peter Marko +--- + src/hcom.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/hcom.c b/src/hcom.c +index 594c8706..9e8b03c6 100644 +--- a/src/hcom.c ++++ b/src/hcom.c +@@ -141,6 +141,11 @@ static int startread(sox_format_t * ft) + return (SOX_EOF); + } + lsx_readw(ft, &dictsize); ++ if (dictsize == 0 || dictsize > 511) ++ { ++ lsx_fail_errno(ft, SOX_EHDR, "Implausible dictionary size in HCOM header"); ++ return SOX_EOF; ++ } + + /* Translate to sox parameters */ + ft->encoding.encoding = SOX_ENCODING_HCOM; diff --git a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb index a87f4de1311..bfa1d9c2d49 100644 --- a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb +++ b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb 
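Review bot: The new file is named `CVE-2021-23159_CVE-2021-2317.patch` and the commit subject says CVE-2021-2317, but the patch header tags `CVE: CVE-2021-23172`; cve-check derives patched IDs from both the filename and the `CVE:` lines (as far as I recall), so as committed this records CVE-2021-2317 — a different identifier — as patched in sox. Rename the file to `CVE-2021-23159_CVE-2021-23172.patch` and fix the subject so the filename and the tag agree. The bound in `if (dictsize == 0 || dictsize > 511)` is also unexplained; if it is the node count of a Huffman tree over 256 byte values (2*256-1), a comment such as `/* a tree over at most 256 symbols has at most 511 nodes */` would justify the magic number.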
@@ -30,6 +30,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.GPL;md5=751419260aa954499f7abaabaa882bbe \ SRC_URI = "git://git.code.sf.net/p/sox/code;protocol=https;branch=master \ file://0001-remove-the-error-line-and-live-without-file-type-det.patch \ file://CVE-2021-3643_CVE-2021-23210.patch \ + file://CVE-2021-23159_CVE-2021-2317.patch \ " # last release was in 2015, use latest hash from 2024-05-30 From 80b5f3dad30d8bd41d10edd09bc7c47a6bc5b92f Mon Sep 17 00:00:00 2001 From: Peter Marko Date: Sun, 16 Mar 2025 23:53:53 +0100 Subject: [PATCH 08/13] sox: patch CVE-2021-33844 Use patch from Debian: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2021-33844.patch Signed-off-by: Peter Marko Signed-off-by: Khem Raj --- .../sox/sox/CVE-2021-33844.patch | 40 +++++++++++++++++++ .../recipes-multimedia/sox/sox_14.4.2.bb | 1 + 2 files changed, 41 insertions(+) create mode 100644 meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-33844.patch diff --git a/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-33844.patch b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-33844.patch new file mode 100644 index 00000000000..02c3edb35d3 --- /dev/null +++ b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-33844.patch 
@@ -0,0 +1,40 @@ +From f2597e433afeee8ab00cf6368ec8519df34aa031 Mon Sep 17 00:00:00 2001 +From: Helmut Grohne +Date: Sun, 16 Mar 2025 23:19:43 +0100 +Subject: [PATCH] wav: reject 0 bits per sample to avoid division by zero + +Source: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2021-33844.patch + +CVE: CVE-2021-33844 +Upstream-Status: Inactive-Upstream [lastrelease: 2015] +Signed-off-by: Peter Marko +--- + src/testall.sh | 1 + + src/wav.c | 5 +++++ + 2 files changed, 6 insertions(+) + +diff --git a/src/testall.sh b/src/testall.sh +index e7398377..e1454c21 100755 +--- a/src/testall.sh ++++ b/src/testall.sh +@@ -67,3 +67,4 @@ t voc + t vox -r 8130 + t wav + t wve ++t wav -e gsm-full-rate +diff --git a/src/wav.c b/src/wav.c +index 3f6beb45..16f0bff8 100644 +--- a/src/wav.c ++++ b/src/wav.c +@@ -963,6 +963,11 @@ static int startread(sox_format_t *ft) + #endif + } + ++ if (ft->encoding.bits_per_sample == 0) ++ { ++ lsx_fail_errno(ft, SOX_EHDR, "WAV file bits per sample is zero"); ++ return SOX_EOF; ++ } + if (!wav->numSamples) + wav->numSamples = div_bits(qwDataLength, ft->encoding.bits_per_sample) + / ft->signal.channels; diff --git a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb index bfa1d9c2d49..18ca7d504df 100644 --- a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb +++ b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb @@ -31,6 +31,7 @@ SRC_URI = "git://git.code.sf.net/p/sox/code;protocol=https;branch=master \ file://0001-remove-the-error-line-and-live-without-file-type-det.patch \ file://CVE-2021-3643_CVE-2021-23210.patch \ file://CVE-2021-23159_CVE-2021-2317.patch \ + file://CVE-2021-33844.patch \ " # last release was in 2015, use latest hash from 2024-05-30 From 62bdd0da1da5b5a2dac98cc128ccd59bee0adc61 Mon Sep 17 00:00:00 2001 
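Review bot: The guard only rejects `bits_per_sample == 0`, but the expression it protects, `div_bits(qwDataLength, ft->encoding.bits_per_sample) / ft->signal.channels`, also divides by the channel count; unless an earlier part of startread (outside this hunk) already rejects a zero channel count, the same malformed header still traps one line later. Extending the condition to `if (ft->encoding.bits_per_sample == 0 || ft->signal.channels == 0)` with a message covering both closes that case cheaply. The `testall.sh` line added by the same patch, `t wav -e gsm-full-rate`, looks unrelated to the CVE and deserves a sentence in the patch description.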
From: Peter Marko Date: Sun, 16 Mar 2025 23:53:54 +0100 Subject: [PATCH 09/13] sox: patch CVE-2021-40426 Use patch from Debian: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2021-40426.patch Signed-off-by: Peter Marko Signed-off-by: Khem Raj --- .../sox/sox/CVE-2021-40426.patch | 38 +++++++++++++++++++ .../recipes-multimedia/sox/sox_14.4.2.bb | 1 + 2 files changed, 39 insertions(+) create mode 100644 meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-40426.patch diff --git a/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-40426.patch b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-40426.patch new file mode 100644 index 00000000000..9e505a03a7b --- /dev/null +++ b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-40426.patch 
@@ -0,0 +1,38 @@ +From 25f686e0da423326a74fe16c603b6b6b75857fa4 Mon Sep 17 00:00:00 2001 +From: Helmut Grohne +Date: Sun, 16 Mar 2025 20:07:19 +0100 +Subject: [PATCH] sphere: avoid integer underflow + +Source: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2021-40426.patch + +CVE: CVE-2021-40426 +Upstream-Status: Inactive-Upstream [lastrelease: 2015] +Signed-off-by: Peter Marko +--- + src/sphere.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/sphere.c b/src/sphere.c +index a3fd1c64..9544d160 100644 +--- a/src/sphere.c ++++ b/src/sphere.c +@@ -63,7 +63,8 @@ static int start_read(sox_format_t * ft) + return (SOX_EOF); + } + +- header_size -= (strlen(buf) + 1); ++ bytes_read = strlen(buf); ++ header_size -= bytes_read >= header_size ? header_size : bytes_read + 1; + + while (strncmp(buf, "end_head", (size_t)8) != 0) { + if (strncmp(buf, "sample_n_bytes", (size_t)14) == 0) +@@ -105,7 +106,8 @@ static int start_read(sox_format_t * ft) + return (SOX_EOF); + } + +- header_size -= (strlen(buf) + 1); ++ bytes_read = strlen(buf); ++ header_size -= bytes_read >= header_size ? header_size : bytes_read + 1; + } + + if (!bytes_per_sample) diff --git a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb index 18ca7d504df..022a2d6b594 100644 --- a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb +++ b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb @@ -32,6 +32,7 @@ SRC_URI = "git://git.code.sf.net/p/sox/code;protocol=https;branch=master \ file://CVE-2021-3643_CVE-2021-23210.patch \ file://CVE-2021-23159_CVE-2021-2317.patch \ file://CVE-2021-33844.patch \ + file://CVE-2021-40426.patch \ " # last release was in 2015, use latest hash from 2024-05-30 From babf7426c8111b9c52fc133d9c3ca714d2b6a14d Mon Sep 17 00:00:00 2001 
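Review bot: After `header_size -= bytes_read >= header_size ? header_size : bytes_read + 1;` clamps `header_size` to 0, the `while (strncmp(buf, "end_head", (size_t)8) != 0)` loop that follows keeps going until it sees `end_head` (its read call is outside the hunk), so the underflow is gone but a header that claims fewer bytes than it contains is now read past its declared size rather than rejected. Adding `if (header_size == 0) { lsx_fail_errno(ft, SOX_EHDR, "sphere header exceeds declared size"); return SOX_EOF; }` directly after the subtraction in both places would make the truncation an error. The reuse of `bytes_read` assumes it is a `size_t` declared earlier in start_read, outside the hunk; worth confirming, since a narrower type would defeat the comparison.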
From: Peter Marko Date: Sun, 16 Mar 2025 23:53:55 +0100 Subject: [PATCH 10/13] sox: patch CVE-2022-31650 Use patch from Debian: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2022-31650.patch Signed-off-by: Peter Marko Signed-off-by: Khem Raj --- .../sox/sox/CVE-2022-31650.patch | 60 +++++++++++++++++++ .../recipes-multimedia/sox/sox_14.4.2.bb | 1 + 2 files changed, 61 insertions(+) create mode 100644 meta-multimedia/recipes-multimedia/sox/sox/CVE-2022-31650.patch diff --git a/meta-multimedia/recipes-multimedia/sox/sox/CVE-2022-31650.patch b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2022-31650.patch new file mode 100644 index 00000000000..41baad0e277 --- /dev/null +++ b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2022-31650.patch 
@@ -0,0 +1,60 @@ +From 3a8e783c58499bb52052c671b9161c43e011a508 Mon Sep 17 00:00:00 2001 +From: Helmut Grohne +Date: Sun, 16 Mar 2025 20:08:04 +0100 +Subject: [PATCH] formats+aiff: reject implausibly large number of channels + +Source: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2022-31650.patch + +CVE: CVE-2022-31650 +Upstream-Status: Inactive-Upstream [lastrelease: 2015] +Signed-off-by: Peter Marko +--- + src/aiff.c | 5 +++++ + src/formats_i.c | 10 ++++++++-- + 2 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/src/aiff.c b/src/aiff.c +index 3a152c58..6de94f32 100644 +--- a/src/aiff.c ++++ b/src/aiff.c +@@ -619,6 +619,11 @@ int lsx_aiffstartwrite(sox_format_t * ft) + At 48 kHz, 16 bits stereo, this gives ~3 hours of audio. + Sorry, the AIFF format does not provide for an indefinite + number of samples. */ ++ if (ft->signal.channels >= (0x7f000000 / (ft->encoding.bits_per_sample >> 3))) ++ { ++ lsx_fail_errno(ft, SOX_EOF, "too many channels for AIFF header"); ++ return SOX_EOF; ++ } + return(aiffwriteheader(ft, (uint64_t) 0x7f000000 / ((ft->encoding.bits_per_sample>>3)*ft->signal.channels))); + } + +diff --git a/src/formats_i.c b/src/formats_i.c +index 7048040d..6a7c27e3 100644 +--- a/src/formats_i.c ++++ b/src/formats_i.c +@@ -19,6 +19,7 @@ + */ + + #include "sox_i.h" ++#include + #include + #include + #include +@@ -60,9 +61,14 @@ int lsx_check_read_params(sox_format_t * ft, unsigned channels, + if (ft->seekable) + ft->data_start = lsx_tell(ft); + +- if (channels && ft->signal.channels && ft->signal.channels != channels) ++ if (channels && ft->signal.channels && ft->signal.channels != channels) { + lsx_warn("`%s': overriding number of channels", ft->filename); +- else ft->signal.channels = channels; ++ } else if (channels > SHRT_MAX) { ++ lsx_fail_errno(ft, EINVAL, "implausibly large number of channels"); ++ return SOX_EOF; ++ } else { ++ ft->signal.channels = channels; ++ } + + if 
(rate && ft->signal.rate && ft->signal.rate != rate) + lsx_warn("`%s': overriding sample rate", ft->filename); diff --git a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb index 022a2d6b594..e66c10a56d5 100644 --- a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb +++ b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb @@ -33,6 +33,7 @@ SRC_URI = "git://git.code.sf.net/p/sox/code;protocol=https;branch=master \ file://CVE-2021-23159_CVE-2021-2317.patch \ file://CVE-2021-33844.patch \ file://CVE-2021-40426.patch \ + file://CVE-2022-31650.patch \ " # last release was in 2015, use latest hash from 2024-05-30 From 2fc3abfb8b5e7f08230126f837ebd5f82f43ace2 Mon Sep 17 00:00:00 2001 From: Peter Marko Date: Sun, 16 Mar 2025 23:53:56 +0100 Subject: [PATCH 11/13] sox: patch CVE-2022-31651 Use patch from Debian: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2022-31651.patch Signed-off-by: Peter Marko Signed-off-by: Khem Raj --- .../sox/sox/CVE-2022-31651.patch | 36 +++++++++++++++++++ .../recipes-multimedia/sox/sox_14.4.2.bb | 1 + 2 files changed, 37 insertions(+) create mode 100644 meta-multimedia/recipes-multimedia/sox/sox/CVE-2022-31651.patch diff --git a/meta-multimedia/recipes-multimedia/sox/sox/CVE-2022-31651.patch b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2022-31651.patch new file mode 100644 index 00000000000..853a69d2101 --- /dev/null +++ b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2022-31651.patch 
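Review bot: The new guard in aiff.c, `if (ft->signal.channels >= (0x7f000000 / (ft->encoding.bits_per_sample >> 3)))`, itself divides by `bits_per_sample >> 3`, which is zero for any width below 8 bits — the same divisor the existing `aiffwriteheader(...)` call already uses, so nothing gets worse, but a hardening check should not carry the division it leaves unguarded. Unless lsx_aiffstartwrite (its start is outside the hunk) already rejects sub-byte encodings, write it as `if (ft->encoding.bits_per_sample < 8 || ft->signal.channels >= (0x7f000000 / (ft->encoding.bits_per_sample >> 3)))`, and pass `SOX_EFMT` rather than `SOX_EOF` to lsx_fail_errno as the other patches in this series do. In formats_i.c the ceiling in `else if (channels > SHRT_MAX)` is unexplained; a one-line comment on why 32767 (presumably the 16-bit channel-count fields of the container headers that reach this function) would keep it from being loosened later, and the `+#include` added for SHRT_MAX shows no header name here — confirm it is `<limits.h>`.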
@@ -0,0 +1,36 @@ +From db9641ce748bdfb465fdfa9b7794de2f8da0a249 Mon Sep 17 00:00:00 2001 +From: Helmut Grohne +Date: Sun, 16 Mar 2025 20:08:13 +0100 +Subject: [PATCH] formats: reject implausible rate + +Source: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2022-31651.patch + +CVE: CVE-2022-31651 +Upstream-Status: Inactive-Upstream [lastrelease: 2015] +Signed-off-by: Peter Marko +--- + src/formats_i.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/src/formats_i.c b/src/formats_i.c +index 6a7c27e3..5f5ef979 100644 +--- a/src/formats_i.c ++++ b/src/formats_i.c +@@ -70,9 +70,15 @@ int lsx_check_read_params(sox_format_t * ft, unsigned channels, + ft->signal.channels = channels; + } + +- if (rate && ft->signal.rate && ft->signal.rate != rate) ++ if (rate && ft->signal.rate && ft->signal.rate != rate) { + lsx_warn("`%s': overriding sample rate", ft->filename); +- else ft->signal.rate = rate; ++ /* Since NaN comparisons yield false, the negation rejects them. */ ++ } else if (!(rate > 0)) { ++ lsx_fail_errno(ft, EINVAL, "invalid rate value"); ++ return SOX_EOF; ++ } else { ++ ft->signal.rate = rate; ++ } + + if (encoding && ft->encoding.encoding && ft->encoding.encoding != encoding) + lsx_warn("`%s': overriding encoding type", ft->filename); diff --git a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb index e66c10a56d5..94072cb35a7 100644 --- a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb +++ b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb @@ -34,6 +34,7 @@ SRC_URI = "git://git.code.sf.net/p/sox/code;protocol=https;branch=master \ file://CVE-2021-33844.patch \ file://CVE-2021-40426.patch \ file://CVE-2022-31650.patch \ + file://CVE-2022-31651.patch \ " # last release was in 2015, use latest hash from 2024-05-30 From 1b6a546f932a84121f81eaec9f6d825290b6e288 Mon Sep 17 00:00:00 2001 
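Review bot: The new `else if (!(rate > 0))` branch rejects `rate == 0`, which the original `else ft->signal.rate = rate;` accepted, so any format reader that passes 0 here to mean "rate unknown, use whatever the caller configured" would now fail with EINVAL; the callers are not visible from this hunk, so this needs checking against the format handlers before relying on it. Only a lower bound is enforced: a finite but absurd positive rate passes `rate > 0` and is stored unchanged, so if the failure the CVE describes involves later conversion of the rate to an integer, an upper plausibility bound may also be needed, which I cannot confirm from here. As a point of style, the comment `/* Since NaN comparisons yield false, the negation rejects them. */` sits at the end of the warn branch rather than next to the condition it explains; move it to the line directly above `} else if (!(rate > 0)) {`.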
From: Peter Marko Date: Sun, 16 Mar 2025 23:53:57 +0100 Subject: [PATCH 12/13] sox: patch CVE-2023-32627 Use patch from Debian: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/0028-CVE-2023-32627-Filter-null-sampling-rate-in-VOC-code.patch Signed-off-by: Peter Marko Signed-off-by: Khem Raj --- .../sox/sox/CVE-2023-32627.patch | 30 +++++++++++++++++++ .../recipes-multimedia/sox/sox_14.4.2.bb | 1 + 2 files changed, 31 insertions(+) create mode 100644 meta-multimedia/recipes-multimedia/sox/sox/CVE-2023-32627.patch diff --git a/meta-multimedia/recipes-multimedia/sox/sox/CVE-2023-32627.patch b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2023-32627.patch new file mode 100644 index 00000000000..b4e9994eabd --- /dev/null +++ b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2023-32627.patch @@ -0,0 +1,30 @@ +From b0b7e7fa7a48485c4d6b0ae64bfddedd519716f5 Mon Sep 17 00:00:00 2001 +From: =?utf-8?q?Bastien_Roucari=C3=A8s?= +Date: Sun, 16 Mar 2025 23:25:15 +0100 +Subject: [PATCH] CVE-2023-32627 Filter null sampling rate in VOC coder + +Source: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/0028-CVE-2023-32627-Filter-null-sampling-rate-in-VOC-code.patch + +CVE: CVE-2023-32627 +Upstream-Status: Inactive-Upstream [lastrelease: 2015] +Signed-off-by: Peter Marko +--- + src/voc.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/voc.c b/src/voc.c +index 0ca07f94..d8b982c5 100644 +--- a/src/voc.c ++++ b/src/voc.c +@@ -353,6 +353,11 @@ static size_t read_samples(sox_format_t * ft, sox_sample_t * buf, + v->block_remaining = 0; + return done; + } ++ if(uc == 0) { ++ lsx_fail_errno(ft, EINVAL, "invalid rate value"); ++ v->block_remaining = 0; ++ return done; ++ } + *buf = SOX_UNSIGNED_8BIT_TO_SAMPLE(uc,); + lsx_adpcm_init(&v->adpcm, 6 - v->size, SOX_SAMPLE_TO_SIGNED_16BIT(*buf, ft->clips)); + ++buf; 
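Review bot: The error text `"invalid rate value"` does not describe what the new check tests: `uc` is the byte that the following two lines feed to `SOX_UNSIGNED_8BIT_TO_SAMPLE` and `lsx_adpcm_init` as the block's initial sample, not a sample rate, and 0x00 is a legal 8-bit unsigned sample, so as written this rejects well-formed ADPCM blocks whose first sample happens to be zero. From the hunk alone I cannot see the division that the CVE's floating-point exception refers to (read_samples begins and continues outside it), so either the check belongs where the value is actually used as a divisor, or the reason a zero here is fatal should be stated in a comment above the `if(uc == 0)` line. At minimum the message should say what was found, e.g. `lsx_fail_errno(ft, EINVAL, "invalid initial ADPCM sample");`, and the patch description should record why a zero first sample is treated as corrupt rather than as data.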
diff --git a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb index 94072cb35a7..7856407c676 100644 --- a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb +++ b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb @@ -35,6 +35,7 @@ SRC_URI = "git://git.code.sf.net/p/sox/code;protocol=https;branch=master \ file://CVE-2021-40426.patch \ file://CVE-2022-31650.patch \ file://CVE-2022-31651.patch \ + file://CVE-2023-32627.patch \ " # last release was in 2015, use latest hash from 2024-05-30 From 1ad2d84cfdcf7cc151cadf3ef72b7182e1ff3ca4 Mon Sep 17 00:00:00 2001 From: Peter Marko Date: Sun, 16 Mar 2025 23:53:58 +0100 Subject: [PATCH 13/13] sox: mark CVE-2023-34432 as patched Patch for CVE-2021-23159 fixes also this CVE. Stated by: * https://security-tracker.debian.org/tracker/CVE-2023-34432 * https://sourceforge.net/p/sox/bugs/367/ Signed-off-by: Peter Marko Signed-off-by: Khem Raj --- .../sox/sox/CVE-2021-23159_CVE-2021-2317.patch | 1 + 1 file changed, 1 insertion(+) diff --git a/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-23159_CVE-2021-2317.patch b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-23159_CVE-2021-2317.patch index 472e4bac60f..df27cbcd655 100644 --- a/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-23159_CVE-2021-2317.patch +++ b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-23159_CVE-2021-2317.patch @@ -7,6 +7,7 @@ Source: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git2 CVE: CVE-2021-23159 CVE: CVE-2021-23172 +CVE: CVE-2023-34432 Upstream-Status: Inactive-Upstream [lastrelease: 2015] Signed-off-by: Peter Marko ---