Sākums Izpētīt Palīdzība
Reģistrēties Pierakstīties
PUBLIC_REPOS
/
buildroot
spogulis no git://git.buildroot.net/buildroot
2
1
Atdalīts 0
Faili
Pārlūkot izejas kodu

package/sox: add fix for CVE-2022-31651

Patch comes from Debian. The CVEs are not reported by pkg-stats
because the NVD database has associated it to the sox_project:sox
vendor/product CPE. This has been reported to NVD:

  https://lore.kernel.org/buildroot/20250517220322.4da9bdb3@windsurf/

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Thomas Petazzoni 2 mēneši atpakaļ
vecāks
34cb164b7e
revīzija
c678e334e0
2 mainītis faili ar 44 papildinājumiem un 0 dzēšanām
Dalītais skats Rādīt salīdzināšanas statistiku
  1. 39 0
      package/sox/0010-formats-reject-implausible-rate.patch
  2. 5 0
      package/sox/sox.mk

+ 39 - 0
package/sox/0010-formats-reject-implausible-rate.patch
Parādīt failu 

@@ -0,0 +1,39 @@
 
+From 6af0a8b32df4d7a83fd52a963a20e6e321f10fd6 Mon Sep 17 00:00:00 2001
 
+From: Helmut Grohne <helmut@subdivi.de>
 
+Date: Sat, 17 May 2025 23:05:33 +0200
 
+Subject: [PATCH] formats: reject implausible rate
 
+
 
+Bug: https://sourceforge.net/p/sox/bugs/360/
 
+Bug-Debian: https://bugs.debian.org/1012516
 
+
 
+Upstream: https://sourceforge.net/p/sox/bugs/360/
 
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
 
+---
 
+ src/formats_i.c | 10 ++++++++--
 
+ 1 file changed, 8 insertions(+), 2 deletions(-)
 
+
 
+diff --git a/src/formats_i.c b/src/formats_i.c
 
+index 6a7c27e3..5f5ef979 100644
 
+--- a/src/formats_i.c
 
++++ b/src/formats_i.c
 
+@@ -70,9 +70,15 @@ int lsx_check_read_params(sox_format_t * ft, unsigned channels,
 
+     ft->signal.channels = channels;
 
+   }
 
+ 
+-  if (rate && ft->signal.rate && ft->signal.rate != rate)
 
++  if (rate && ft->signal.rate && ft->signal.rate != rate) {
 
+     lsx_warn("`%s': overriding sample rate", ft->filename);
 
+-  else ft->signal.rate = rate;
 
++  /* Since NaN comparisons yield false, the negation rejects them. */
 
++  } else if (!(rate > 0)) {
 
++    lsx_fail_errno(ft, EINVAL, "invalid rate value");
 
++    return SOX_EOF;
 
++  } else {
 
++    ft->signal.rate = rate;
 
++  }
 
+ 
+   if (encoding && ft->encoding.encoding && ft->encoding.encoding != encoding)
 
+     lsx_warn("`%s': overriding encoding type", ft->filename);
 
+-- 
+2.49.0
 
+

+ 5 - 0
package/sox/sox.mk
Parādīt failu 

@@ -79,6 +79,11 @@ SOX_IGNORE_CVES += CVE-2021-40426
 
 # due to the change of CPE ID to sox_project:sox in the NVD database
 
 SOX_IGNORE_CVES += CVE-2022-31650 CVE-2023-26590
 
 
+# 0010-formats-reject-implausible-rate.patch
 
+# This entry is NOT stale, those CVEs are not reported by pkg-stats
 
+# due to the change of CPE ID to sox_project:sox in the NVD database
 
+SOX_IGNORE_CVES += CVE-2022-31651
 
+
 
 SOX_CONF_OPTS = \
 
 	--with-distro="Buildroot" \
 
 	--disable-stack-protector