Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 533296 (CVE-2014-8145) - <media-sound/sox-14.4.2: input sanitization errors
Summary: <media-sound/sox-14.4.2: input sanitization errors
Status: RESOLVED FIXED
Alias: CVE-2014-8145
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-12-22 14:26 UTC by Agostino Sarubbo
Modified: 2016-12-11 23:58 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-12-22 14:26:17 UTC
From ${URL} :

#2014-010 SoX input sanitization errors

Description:

The SoX project is an open source tool for sound processing.

The sox command line tool is affected by two heap-based buffer overflows,
respectively located in functions start_read() and AdpcmReadBlock().

A specially crafted wav file can be used to trigger the vulnerabilities.

Affected version:

SoX <= 14.4.1

Fixed version:

SoX > 14.4.1

Credit: vulnerability report received from the Google Security Team.

CVE: CVE-2014-8145

Timeline:

2014-11-20: vulnerability report received
2014-12-02: contacted maintainer
2014-12-13: patch provided by maintainer
2014-12-14: reporter confirms patch
2014-12-15: contacted affected vendors
2014-12-18: assigned CVE
2014-12-22: advisory release


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann gentoo-dev 2016-11-23 00:46:35 UTC
@ Maintainer(s): Please cleanup and drop =media-sound/sox-14.4.1
Comment 2 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-12-05 02:09:34 UTC
Please clean...
Comment 3 Tim Harder gentoo-dev 2016-12-10 20:52:11 UTC
(In reply to Aaron Bauman from comment #2)
> Please clean...

Done.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2016-12-11 23:58:27 UTC
This issue was resolved and addressed in
 GLSA 201612-30 at https://security.gentoo.org/glsa/201612-30
by GLSA coordinator Kristian Fiskerstrand (K_F).