
package/sox: add fix for CVE-2021-40426

The patch comes from Debian. The CVE is not reported by pkg-stats
because the NVD database has associated it with the
libsox_project:libsox vendor/product CPE. This has been reported to
NVD:

  https://lore.kernel.org/buildroot/20250517220322.4da9bdb3@windsurf/

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Thomas Petazzoni 2 月之前
父节点
当前提交
1c1ee69fa7
共有 2 个文件被更改,包括 47 次插入0 次删除
  1. 42 0
      package/sox/0008-phere-avoid-integer-underflow.patch
  2. 5 0
      package/sox/sox.mk

+ 42 - 0
package/sox/0008-phere-avoid-integer-underflow.patch

@@ -0,0 +1,42 @@
+From c49c81a3c4409e7c1979ec8cb341fb0c57220616 Mon Sep 17 00:00:00 2001
+From: Helmut Grohne <helmut@subdivi.de>
+Date: Sat, 17 May 2025 22:48:05 +0200
+Subject: [PATCH] phere: avoid integer underflow
+
+Link: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1434
+Bug: https://sourceforge.net/p/sox/bugs/362/
+Bug-Debian: https://bugs.debian.org/1012138
+
+Upstream: https://sourceforge.net/p/sox/bugs/362/
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+---
+ src/sphere.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/sphere.c b/src/sphere.c
+index a3fd1c64..9544d160 100644
+--- a/src/sphere.c
++++ b/src/sphere.c
+@@ -63,7 +63,8 @@ static int start_read(sox_format_t * ft)
+     return (SOX_EOF);
+   }
+ 
+-  header_size -= (strlen(buf) + 1);
++  bytes_read = strlen(buf);
++  header_size -= bytes_read >= header_size ? header_size : bytes_read + 1;
+ 
+   while (strncmp(buf, "end_head", (size_t)8) != 0) {
+     if (strncmp(buf, "sample_n_bytes", (size_t)14) == 0)
+@@ -105,7 +106,8 @@ static int start_read(sox_format_t * ft)
+       return (SOX_EOF);
+     }
+ 
+-    header_size -= (strlen(buf) + 1);
++    bytes_read = strlen(buf);
++    header_size -= bytes_read >= header_size ? header_size : bytes_read + 1;
+   }
+ 
+   if (!bytes_per_sample)
+-- 
+2.49.0
+
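Review bot: The clamp on the two new `header_size -=` lines silently accepts a header line whose length reaches or exceeds the remaining declared header size, so a malformed SPHERE header continues to be parsed with `header_size` forced to 0 rather than being rejected; since both hunks already sit next to `return (SOX_EOF);` read-failure paths, rejecting is cheap: `if (bytes_read >= header_size) return (SOX_EOF);` followed by the original `header_size -= bytes_read + 1;`. `bytes_read` is not declared in the hunk and is presumably an existing local of start_read, so its type (off_t vs size_t) decides whether the `>=` comparison mixes signedness with the `strlen` result assigned to it — worth confirming against the full function. start_read begins and ends outside the hunk. The patch subject and file name spell the format `phere` while the patched source is `sphere.c`.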

+ 5 - 0
package/sox/sox.mk

@@ -69,6 +69,11 @@ SOX_IGNORE_CVES += CVE-2021-3643 CVE-2021-23210
 # due to the change of CPE ID to sox_project:sox in the NVD database
 SOX_IGNORE_CVES += CVE-2021-23159 CVE-2021-23172 CVE-2023-34318
 
+# 0008-phere-avoid-integer-underflow.patch
+# This entry is NOT stale, those CVEs are not reported by pkg-stats
+# due to the change of CPE ID to libsox_project:libsox in the NVD database
+SOX_IGNORE_CVES += CVE-2021-40426
+
 SOX_CONF_OPTS = \
 	--with-distro="Buildroot" \
 	--disable-stack-protector
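Review bot: The new comment says `those CVEs` while the entry below it lists a single identifier, CVE-2021-40426; `# This entry is NOT stale, this CVE is not reported by pkg-stats` matches the list it describes. The justification mirrors the preceding SOX_IGNORE_CVES entries, so the ignore is sound as long as 0008-phere-avoid-integer-underflow.patch remains applied.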