CVE-2017-11358 (https://nvd.nist.gov/vuln/detail/CVE-2017-11358): The read_samples function in hcom.c in Sound eXchange (SoX) 14.4.2 allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted hcom file. References: http://seclists.org/fulldisclosure/2017/Jul/81
Still unfixed upstream.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ab144c7631ebe685ffec603e48824403fcd00cdd

commit ab144c7631ebe685ffec603e48824403fcd00cdd
Author: Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-06-10 23:45:11 +0000
Commit: Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-06-11 00:04:20 +0000

media-sound/sox: A truckload of security

Kindly provided by Debian packaging...

Bug: https://bugs.gentoo.org/627570
Bug: https://bugs.gentoo.org/626702
Bug: https://bugs.gentoo.org/634814
Bug: https://bugs.gentoo.org/634450
Package-Manager: Portage-2.3.40, Repoman-2.3.9

.../sox/files/sox-14.4.2-CVE-2017-11332.patch         | 25 ++++++
.../sox/files/sox-14.4.2-CVE-2017-11333.patch         | 43 ++++++++++
.../sox/files/sox-14.4.2-CVE-2017-11358.patch         | 26 ++++++
.../sox/files/sox-14.4.2-CVE-2017-11359.patch         | 27 ++++++
.../sox/files/sox-14.4.2-CVE-2017-15370.patch         | 25 ++++++
.../sox/files/sox-14.4.2-CVE-2017-15371.patch         | 37 +++++++++
.../sox/files/sox-14.4.2-CVE-2017-15372.patch         | 97 ++++++++++++++++++++++
.../sox/files/sox-14.4.2-CVE-2017-15642.patch         | 28 +++++++
.../sox/files/sox-14.4.2-CVE-2017-18189.patch         | 30 +++++++
.../sox-14.4.2-wavpack-chk-errors-on-init.patch       | 35 ++++++++
media-sound/sox/sox-14.4.2-r1.ebuild                  | 13 +++
11 files changed, 386 insertions(+)
sound is done here, anyway...
GLSA Vote: Yes

Arches and Maintainer(s), thank you for your work.
This issue was resolved and addressed in GLSA 201810-02 at https://security.gentoo.org/glsa/201810-02 by GLSA coordinator Aaron Bauman (b-man).