Startsida Utforska Hjälp
Logga in
PUBLIC_REPOS
/
buildroot
spegling av git://git.buildroot.net/buildroot
2
1
Fork 0
Filer
Bläddra i källkod

package/sox: add fix for CVE-2021-3643 CVE-2021-23210

This fix is included in Debian's sox package. The CVE is not reported
by pkg-stats because the NVD database has associated it to the
sox_project:sox vendor/product CPE. This has been reported to NVD:

  https://lore.kernel.org/buildroot/20250517220322.4da9bdb3@windsurf/

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Thomas Petazzoni 2 månader sedan
förälder
aea1dd9b20
incheckning
b93b80245d
2 ändrade filer med 39 tillägg och 0 borttagningar
Delad Vy Visa Diff Statistik
  1. 34 0
      package/sox/0006-voc-word-width-should-never-be-0-to-avoid-division-b.patch
  2. 5 0
      package/sox/sox.mk

+ 34 - 0
package/sox/0006-voc-word-width-should-never-be-0-to-avoid-division-b.patch
Visa fil 

@@ -0,0 +1,34 @@
 
+From ad8ecfbdd9ff184b60600a115247a6aa947d0215 Mon Sep 17 00:00:00 2001
 
+From: Helmut Grohne <helmut@subdivi.de>
 
+Date: Sat, 17 May 2025 22:10:00 +0200
 
+Subject: [PATCH] voc: word width should never be 0 to avoid division by zero
 
+
 
+Bug: https://sourceforge.net/p/sox/bugs/351/
 
+Bug-Debian: https://bugs.debian.org/1010374
 
+
 
+This patch fixes both CVE-2021-3643 and CVE-2021-23210.
 
+
 
+Upstream: https://sourceforge.net/p/sox/bugs/351/
 
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
 
+---
 
+ src/voc.c | 4 ++++
 
+ 1 file changed, 4 insertions(+)
 
+
 
+diff --git a/src/voc.c b/src/voc.c
 
+index a75639e9..0ca07f94 100644
 
+--- a/src/voc.c
 
++++ b/src/voc.c
 
+@@ -625,6 +625,10 @@ static int getblock(sox_format_t * ft)
 
+         v->rate = new_rate_32;
 
+         ft->signal.rate = new_rate_32;
 
+         lsx_readb(ft, &uc);
 
++        if (uc <= 1) {
 
++          lsx_fail_errno(ft, SOX_EFMT, "2 bits per word required");
 
++          return (SOX_EOF);
 
++        }
 
+         v->size = uc;
 
+         lsx_readb(ft, &uc);
 
+         if (v->channels != -1 && uc != v->channels) {
 
+-- 
+2.49.0
 
+

+ 5 - 0
package/sox/sox.mk
Visa fil 

@@ -59,6 +59,11 @@ SOX_IGNORE_CVES += CVE-2019-8357
 
 # sox-14.4.2-44-g7b6a8892
 
 SOX_IGNORE_CVES += CVE-2019-13590
 
 
+# 0006-voc-word-width-should-never-be-0-to-avoid-division-b.patch
 
+# This entry is NOT stale, those CVEs are not reported by pkg-stats
 
+# due to the change of CPE ID to sox_project:sox in the NVD database
 
+SOX_IGNORE_CVES += CVE-2021-3643 CVE-2021-23210
 
+
 
 SOX_CONF_OPTS = \
 
 	--with-distro="Buildroot" \
 
 	--disable-stack-protector