Bug 626702 (CVE-2017-11332, CVE-2017-11359) - <media-sound/sox-14.4.2-r1: multiple vulnerabilities
Summary: <media-sound/sox-14.4.2-r1: multiple vulnerabilities
Alias: CVE-2017-11332, CVE-2017-11359
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa+ cve]
Depends on: CVE-2017-15642
Reported: 2017-07-31 13:14 UTC by Christopher Díaz Riveros (RETIRED)
Modified: 2018-10-06 17:01 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-31 13:14:30 UTC
From URL:

SoX is a cross-platform (Windows, Linux, MacOS X, etc.) command line utility that can convert various formats of
computer audio files into other formats. It can also apply various effects to these sound files, and, as an added
bonus, SoX can play and record audio files on most platforms.

Affected version:

Vulnerability Description:
The startread function in wav.c in Sound eXchange (SoX) 14.4.2 can cause a denial of service (divide-by-zero error and
application crash) via a crafted wav file.

./sox sox_14.4.2_divide_by_zero_error_1.wav out.ogg

----debug info:----
Program received signal SIGFPE, Arithmetic exception.
0x00007ffff7b9c829 in startread (ft=0x611540) at wav.c:950
950        wav->numSamples = div_bits(qwDataLength, ft->encoding.bits_per_sample) / ft->signal.channels;
(gdb) disassemble 0x00007ffff7b9c829,0x00007ffff7b9c8ff
Dump of assembler code from 0x7ffff7b9c829 to 0x7ffff7b9c8ff:
=> 0x00007ffff7b9c829 <startread+1577>:  div    %rcx
   0x00007ffff7b9c82c <startread+1580>:  mov    %rax,0x0(%rbp)
   0x00007ffff7b9c830 <startread+1584>:  imul   %rcx,%rax
   0x00007ffff7b9c834 <startread+1588>:  mov    %rax,0x18(%rbx)
   0x00007ffff7b9c838 <startread+1592>:  mov    0x28(%rbp),%r8d
   0x00007ffff7b9c83c <startread+1596>:  test   %r8d,%r8d
   0x00007ffff7b9c83f <startread+1599>:  je     0x7ffff7b9c849 <startread+1609>
   0x00007ffff7b9c841 <startread+1601>:  movq   $0x0,0x18(%rbx)
   0x00007ffff7b9c849 <startread+1609>:  mov    %r9d,0x14(%rsp)
   0x00007ffff7b9c84e <startread+1614>:  mov    %edi,0x10(%rsp)
   0x00007ffff7b9c852 <startread+1618>:  callq  0x7ffff7b50390 <sox_get_globals@plt>
   0x00007ffff7b9c857 <startread+1623>:  cmpw   $0x1,0x22(%rsp)
   0x00007ffff7b9c85d <startread+1629>:  lea    0x241fa(%rip),%rdx        # 0x7ffff7bc0a5e
   0x00007ffff7b9c864 <startread+1636>:  mov    0x10(%rsp),%edi
   0x00007ffff7b9c868 <startread+1640>:  mov    0x30(%rsp),%r8d
   0x00007ffff7b9c86d <startread+1645>:  lea    0x1de3a(%rip),%rcx        # 0x7ffff7bba6ae
   0x00007ffff7b9c874 <startread+1652>:  mov    %rdx,0x40(%rax)
   0x00007ffff7b9c878 <startread+1656>:  lea    0x115e7(%rip),%rax        # 0x7ffff7bade66
End of assembler dump.
(gdb) i r
rax            0x537            1335
rbx            0x611540         6362432
rcx            0x0              0
rdx            0x0              0
rsi            0x8              8
rdi            0x1              1
rbp            0x611a60         0x611a60
rsp            0x7fffffffdc00   0x7fffffffdc00
r8             0x7ffff7fce7c0   140737353934784
r9             0x0              0
r10            0x7fffffffd9c0   140737488345536
r11            0x7ffff72cca80   140737340295808
r12            0x537            1335
r13            0x7fffffffdc50   140737488346192
r14            0x7fffffffdc40   140737488346176
r15            0x0              0
rip            0x7ffff7b9c829   0x7ffff7b9c829 <startread+1577>
eflags         0x10246          [ PF ZF IF RF ]
cs             0x33             51
ss             0x2b             43
ds             0x0              0
es             0x0              0
fs             0x0              0
gs             0x0              0


The read_samples function in hcom.c in Sound eXchange (SoX) 14.4.2 can cause a denial of service (invalid memory read and
application crash) via a crafted hcom file.

./sox sox_14.4.2_invalid_memory_read.hcom out.wav

----debug info:----
Program received signal SIGSEGV, Segmentation fault.
read_samples (ft=0x611590, buf=0x61460c, len=8185) at hcom.c:215
215                if(p->dictionary[p->dictentry].dict_leftson < 0) {
(gdb) bt
#0  read_samples (ft=0x611590, buf=0x61460c, len=8185) at hcom.c:215
#1  0x00007ffff7b58409 in sox_read (ft=ft@entry=0x611590, buf=<optimized out>, 
    len=8192) at formats.c:978
#2  0x0000000000409dd4 in sox_read_wide (ft=0x611590, buf=<optimized out>, 
    max=<optimized out>) at sox.c:490
#3  0x000000000040a32e in combiner_drain (effp=0x614410, obuf=0x6145f0, 
    osamp=0x7fffffffdbb0) at sox.c:552
#4  0x00007ffff7b68c0d in drain_effect (n=0, chain=0x614260) at effects.c:352
#5  sox_flow_effects (chain=0x614260, 
    callback=callback@entry=0x405a80 <update_status>, 
    client_data=client_data@entry=0x0) at effects.c:445
#6  0x0000000000407bf6 in process () at sox.c:1802
#7  0x0000000000403085 in main (argc=3, argv=0x7fffffffdf98) at sox.c:3008
(gdb) disassemble 
Dump of assembler code for function read_samples:
   0x00007ffff7b93900 <+0>:  push   %r15
   0x00007ffff7b93902 <+2>:  push   %r14
   0x00007ffff7b93904 <+4>:  mov    %rsi,%r14
   0x00007ffff7b93907 <+7>:  push   %r13
   0x00007ffff7b93909 <+9>:  push   %r12
   0x00007ffff7b9390b <+11>:  push   %rbp
   0x00007ffff7b9390c <+12>:  push   %rbx
   0x00007ffff7b9390d <+13>:  mov    %rdi,%rbx
   0x00007ffff7b93910 <+16>:  sub    $0x28,%rsp
   0x00007ffff7b93914 <+20>:  mov    0x2d0(%rdi),%r15
   0x00007ffff7b9391b <+27>:  mov    0x24(%r15),%esi
   0x00007ffff7b9391f <+31>:  test   %esi,%esi
   0x00007ffff7b93921 <+33>:  js     0x7ffff7b93a60 <read_samples+352>
   0x00007ffff7b93927 <+39>:  mov    0x10(%r15),%rdi
   0x00007ffff7b9392b <+43>:  xor    %eax,%eax
   0x00007ffff7b9392d <+45>:  lea    (%rax,%rdx,1),%r13d
   0x00007ffff7b93931 <+49>:  lea    0x28(%r15),%rbp
   0x00007ffff7b93935 <+53>:  mov    %rdx,%r12
   0x00007ffff7b93938 <+56>:  lea    0x1(%r13),%eax
   0x00007ffff7b9393c <+60>:  mov    %eax,0xc(%rsp)
   0x00007ffff7b93940 <+64>:  mov    %r13d,%eax
   0x00007ffff7b93943 <+67>:  mov    %r12d,0x8(%rsp)
   0x00007ffff7b93948 <+72>:  sub    %r12d,%eax
   0x00007ffff7b9394b <+75>:  mov    %eax,(%rsp)
   0x00007ffff7b9394e <+78>:  jmp    0x7ffff7b93989 <read_samples+137>
   0x00007ffff7b93950 <+80>:  lea    -0x1(%rax),%r8d
   0x00007ffff7b93954 <+84>:  movslq 0x20(%r15),%rax
   0x00007ffff7b93958 <+88>:  mov    0x28(%r15),%edx
   0x00007ffff7b9395c <+92>:  mov    (%r15),%rsi
   0x00007ffff7b9395f <+95>:  shl    $0x4,%rax
   0x00007ffff7b93963 <+99>:  test   %edx,%edx
   0x00007ffff7b93965 <+101>:  js     0x7ffff7b939e0 <read_samples+224>
   0x00007ffff7b93967 <+103>:  movswq 0x8(%rsi,%rax,1),%rax
   0x00007ffff7b9396d <+109>:  mov    %eax,0x20(%r15)
   0x00007ffff7b93971 <+113>:  shl    $0x4,%rax
   0x00007ffff7b93975 <+117>:  add    %edx,%edx
   0x00007ffff7b93977 <+119>:  mov    %r8d,0x24(%r15)
   0x00007ffff7b9397b <+123>:  add    %rsi,%rax
   0x00007ffff7b9397e <+126>:  mov    %edx,0x28(%r15)
=> 0x00007ffff7b93982 <+130>:  cmpw   $0x0,0x8(%rax)
   0x00007ffff7b93987 <+135>:  js     0x7ffff7b939f0 <read_samples+240>
   0x00007ffff7b93989 <+137>:  test   %rdi,%rdi
   0x00007ffff7b9398c <+140>:  jle    0x7ffff7b93a48 <read_samples+328>
   0x00007ffff7b93992 <+146>:  mov    0x24(%r15),%eax
   0x00007ffff7b93996 <+150>:  test   %eax,%eax
(gdb) i r
rax            0x631b30         6495024
rbx            0x611590         6362512
rcx            0x1              1
rdx            0x690000         6881280
rsi            0x611b20         6363936
rdi            0x524            1316
rbp            0x611ad8         0x611ad8
rsp            0x7fffffffda30   0x7fffffffda30
r8             0x10             16
r9             0x7ffff7fce7c0   140737353934784
r10            0x7fffffffd7f0   140737488345072
r11            0x7ffff72cb2e0   140737340289760
r12            0x1ff9           8185
r13            0x2000           8192
r14            0x61460c         6374924
r15            0x611ab0         6363824
rip            0x7ffff7b93982   0x7ffff7b93982 <read_samples+130>
eflags         0x10206          [ PF IF RF ]
cs             0x33             51
ss             0x2b             43
ds             0x0              0
es             0x0              0
fs             0x0              0
(gdb) x/20x $rax+8
0x631b38:       Cannot access memory at address 0x631b38
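Two header-validation routines in the spirit of the fixes this bug tracks, written as an added example (not SoX's code and not the Debian patches referenced in Comment 1): the wav.c:950 computation guarded against a zero divisor, and an hcom dictionary checked once after reading so that no dictentry can index past the table. Field names follow the gdb output above; modelling div_bits() as bytes*8/bits, the two-int16 entry layout and the leaf convention (dict_leftson < 0, per hcom.c:215) are assumptions.

```c
#include <stdint.h>
#include <stddef.h>

/* Both functions return 0 on success and -1 when the header would lead
 * to the faults shown above; a reader should fail the open at that point. */

/* Equivalent of the wav.c:950 computation, samples per channel from the
 * data chunk length.  div_bits() is modelled as bytes*8/bits (assumption).
 * In the SIGFPE dump the divisor register rcx is 0, so a zero channel
 * count or zero bits_per_sample taken from the fmt chunk is rejected
 * before any division happens. */
int wav_num_samples(uint64_t data_len, unsigned bits_per_sample,
                    unsigned channels, uint64_t *num_samples)
{
    if (bits_per_sample == 0 || channels == 0)
        return -1;                         /* would divide by zero */
    if (data_len > UINT64_MAX / 8)
        return -1;                         /* data_len * 8 would wrap */
    *num_samples = (data_len * 8 / bits_per_sample) / channels;
    return 0;
}

/* One hcom Huffman dictionary entry (field names from hcom.c:215; the
 * layout is an assumption, not SoX's struct). */
typedef struct {
    int16_t dict_leftson;
    int16_t dict_rightson;
} hcom_dict_t;

/* Validate the dictionary once, right after it is read from the file:
 * every child index that read_samples() may follow must lie inside the
 * table.  A negative dict_leftson marks a leaf (the test at hcom.c:215),
 * so only inner nodes are checked.  The SIGSEGV above is exactly the
 * missing check: dictentry reached an entry at an unmapped address. */
int hcom_dict_validate(const hcom_dict_t *dict, size_t dict_len)
{
    for (size_t i = 0; i < dict_len; i++) {
        int left = dict[i].dict_leftson;
        int right = dict[i].dict_rightson;
        if (left < 0)
            continue;                      /* leaf, not a traversal index */
        if ((size_t)left >= dict_len || right < 0 || (size_t)right >= dict_len)
            return -1;                     /* child outside the table */
    }
    return 0;
}
```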
Comment 1 Larry the Git Cow gentoo-dev 2018-06-11 00:04:43 UTC
The bug has been referenced in the following commit(s):

commit ab144c7631ebe685ffec603e48824403fcd00cdd
Author:     Andreas Sturmlechner <>
AuthorDate: 2018-06-10 23:45:11 +0000
Commit:     Andreas Sturmlechner <>
CommitDate: 2018-06-11 00:04:20 +0000

    media-sound/sox: A truckload of security
    Kindly provided by Debian packaging...
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 .../sox/files/sox-14.4.2-CVE-2017-11332.patch      | 25 ++++++
 .../sox/files/sox-14.4.2-CVE-2017-11333.patch      | 43 ++++++++++
 .../sox/files/sox-14.4.2-CVE-2017-11358.patch      | 26 ++++++
 .../sox/files/sox-14.4.2-CVE-2017-11359.patch      | 27 ++++++
 .../sox/files/sox-14.4.2-CVE-2017-15370.patch      | 25 ++++++
 .../sox/files/sox-14.4.2-CVE-2017-15371.patch      | 37 +++++++++
 .../sox/files/sox-14.4.2-CVE-2017-15372.patch      | 97 ++++++++++++++++++++++
 .../sox/files/sox-14.4.2-CVE-2017-15642.patch      | 28 +++++++
 .../sox/files/sox-14.4.2-CVE-2017-18189.patch      | 30 +++++++
 .../sox-14.4.2-wavpack-chk-errors-on-init.patch    | 35 ++++++++
 media-sound/sox/sox-14.4.2-r1.ebuild               | 13 +++
 11 files changed, 386 insertions(+)
Comment 2 Andreas Sturmlechner gentoo-dev 2018-09-14 19:54:07 UTC
sound is done here, anyway...
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2018-09-30 21:39:27 UTC
Arches and Maintainer(s). Thank you for your work.

GLSA Vote: Yes
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2018-10-06 17:01:36 UTC
This issue was resolved and addressed in
 GLSA 201810-02 at
by GLSA coordinator Aaron Bauman (b-man).