Inicio Explorar Axuda
Rexistro Iniciar sesión
PUBLIC_REPOS
/
buildroot
réplica de git://git.buildroot.net/buildroot
2
1
Fork 0
Ficheiros
Explorar o código

package/sox: add fix for CVE-2021-23159, CVE-2021-23172, CVE-2023-34318

This fix is integrated in Debian. The CVEs are not reported by pkg-stats
because the NVD database has associated it to the sox_project:sox
vendor/product CPE. This has been reported to NVD:

  https://lore.kernel.org/buildroot/20250517220322.4da9bdb3@windsurf/

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Thomas Petazzoni hai 2 meses
pai
b93b80245d
achega
14aa0f5ec1
Modificáronse 2 ficheiros con 43 adicións e 0 borrados
Dividir vista Mostrar estatísticas de Diff
  1. 38 0
      package/sox/0007-hcom-validate-dictsize.patch
  2. 5 0
      package/sox/sox.mk

+ 38 - 0
package/sox/0007-hcom-validate-dictsize.patch
Ver ficheiro 

@@ -0,0 +1,38 @@
 
+From 54455f59305d9ce94cc73100bc2dd542865fed4b Mon Sep 17 00:00:00 2001
 
+From: Helmut Grohne <helmut@subdivi.de>
 
+Date: Sat, 17 May 2025 22:33:16 +0200
 
+Subject: [PATCH] hcom: validate dictsize
 
+
 
+Bug: https://sourceforge.net/p/sox/bugs/350/
 
+Bug: https://sourceforge.net/p/sox/bugs/352/
 
+Bug-Debian: https://bugs.debian.org/1021133
 
+Bug-Debian: https://bugs.debian.org/1021134
 
+
 
+This patch fixes both CVE-2021-23159 and CVE-2021-23172.
 
+
 
+Upstream: https://sourceforge.net/p/sox/bugs/350/
 
+Upstream: https://sourceforge.net/p/sox/bugs/352/
 
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
 
+---
 
+ src/hcom.c | 5 +++++
 
+ 1 file changed, 5 insertions(+)
 
+
 
+diff --git a/src/hcom.c b/src/hcom.c
 
+index 594c8706..9e8b03c6 100644
 
+--- a/src/hcom.c
 
++++ b/src/hcom.c
 
+@@ -141,6 +141,11 @@ static int startread(sox_format_t * ft)
 
+                 return (SOX_EOF);
 
+         }
 
+         lsx_readw(ft, &dictsize);
 
++        if (dictsize == 0 || dictsize > 511)
 
++        {
 
++                lsx_fail_errno(ft, SOX_EHDR, "Implausible dictionary size in HCOM header");
 
++                return SOX_EOF;
 
++        }
 
+ 
+         /* Translate to sox parameters */
 
+         ft->encoding.encoding = SOX_ENCODING_HCOM;
 
+-- 
+2.49.0
 
+

+ 5 - 0
package/sox/sox.mk
Ver ficheiro 

@@ -64,6 +64,11 @@ SOX_IGNORE_CVES += CVE-2019-13590
 
 # due to the change of CPE ID to sox_project:sox in the NVD database
 
 SOX_IGNORE_CVES += CVE-2021-3643 CVE-2021-23210
 
 
+# 0007-hcom-validate-dictsize.patch
 
+# This entry is NOT stale, those CVEs are not reported by pkg-stats
 
+# due to the change of CPE ID to sox_project:sox in the NVD database
 
+SOX_IGNORE_CVES += CVE-2021-23159 CVE-2021-23172 CVE-2023-34318
 
+
 
 SOX_CONF_OPTS = \
 
 	--with-distro="Buildroot" \
 
 	--disable-stack-protector