Bug 711320 (CVE-2017-18189, CVE-2019-1010004, CVE-2019-13590, CVE-2019-8354, CVE-2019-8355, CVE-2019-8356, CVE-2019-8357) - <media-sound/sox-14.4.2_p20200803: Multiple vulnerabilities (CVE-2017-18189/CVE-2019-1010004, CVE-2019-{8354,8355,8356,8357,13590})
Status: RESOLVED FIXED
Alias: CVE-2017-18189, CVE-2019-1010004, CVE-2019-13590, CVE-2019-8354, CVE-2019-8355, CVE-2019-8356, CVE-2019-8357
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Duplicates: 679478
Depends on:
Blocks:
 
Reported: 2020-03-02 14:34 UTC by Sam James
Modified: 2021-02-20 19:30 UTC

See Also:
Package list:
media-sound/sox-14.4.2_p20200803
Runtime testing required: ---
nattka: sanity-check+


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-02 14:34:08 UTC
1) CVE-2017-18189, CVE-2019-1010004

Description:
"SoX - Sound eXchange 14.4.2 and earlier is affected by: Out-of-bounds Read. The impact is: Denial of Service. The component is: read_samples function at xa.c:219. The attack vector is: Victim must open specially crafted .xa file. NOTE: this may overlap CVE-2017-18189."

Bug: https://sourceforge.net/p/sox/bugs/299/

2) CVE-2019-13590

Description:
"Fix sox-14.4.2 NULL pointer dereference on lsx_readbuf in formats_i.c by
doing a prior check that it is a valid pointer before passing into lsx_calloc."

Bug: https://sourceforge.net/p/sox/bugs/325/
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-02 14:42:06 UTC
1) Patch (CVE-2017-18189, CVE-2019-1010004): https://sourceforge.net/p/sox/code/ci/09d7388c8ad5701ed9c59d1d600ff6154b066397/tree/src/xa.c?diff=f56c0dbca8f5bd02ea88970c248c0d087386e807

2) Patch (CVE-2019-13590): https://sourceforge.net/p/sox/code/ci/7b6a889217d62ed7e28188621403cc7542fd1f7e/tree/src/sox-fmt.c?diff=2f6b3fec2dddfbb869a9f7de3110c9aaa31517c9

---
There has not been an upstream release yet. It would be worth applying these patches.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-02 14:43:28 UTC
More vulnerabilities:

3) CVE-2019-8357

4) CVE-2019-8356

5) CVE-2019-8355

6)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-02 14:46:38 UTC
More vulnerabilities:

3) CVE-2019-8354

Description:
"fix possible buffer size overflow in lsx_make_lpf() (CVE-2019-8354). The multiplication in the size argument malloc() might overflow, resulting in a small buffer being allocated. Use calloc() instead."

Commit: https://sourceforge.net/p/sox/code/ci/f70911261a84333b077c29908e1242f69d7439eb/tree/src/effects_i_dsp.c?diff=ccedd08802f62ed896f69d778e6a106d00f9ab58

4) CVE-2019-8355

Description:
"fix possible overflow in lsx_(re)valloc() size calculation (CVE-2019-8355)"

Patches:
https://sourceforge.net/p/sox/code/ci/f8587e2d50dad72d40453ac1191c539ee9e50381/tree/src/Makefile.am?diff=f70911261a84333b077c29908e1242f69d7439eb
https://sourceforge.net/p/sox/code/ci/f8587e2d50dad72d40453ac1191c539ee9e50381/tree/src/xmalloc.c?diff=f70911261a84333b077c29908e1242f69d7439eb
https://sourceforge.net/p/sox/code/ci/f8587e2d50dad72d40453ac1191c539ee9e50381/tree/src/xmalloc.h?diff=f70911261a84333b077c29908e1242f69d7439eb

(no single link to commit because SF UI is poor)

5) CVE-2019-8356

Description:
"Prevent overflowing of fixed-size buffers in bitrv2() and bitrv2conj() if the transform size is too large."

Patches:
https://sourceforge.net/p/sox/code/ci/b7883ae1398499daaa926ae6621f088f0f531ed8/tree/src/fft4g.c?diff=f8587e2d50dad72d40453ac1191c539ee9e50381
https://sourceforge.net/p/sox/code/ci/b7883ae1398499daaa926ae6621f088f0f531ed8/tree/src/fft4g.h?diff=f8587e2d50dad72d40453ac1191c539ee9e50381

6) CVE-2019-8357

Description:
"fix possible null pointer deref in lsx_make_lpf() (CVE-2019-8357). If the buffer allocation fails, return NULL."

Patch:
https://sourceforge.net/p/sox/code/ci/2ce02fea7b350de9ddfbcf542ba4dd59a8ab255b/tree/src/effects_i_dsp.c?diff=b7883ae1398499daaa926ae6621f088f0f531ed8
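The three lsx_make_lpf()/lsx_valloc() fixes quoted above (CVE-2019-8354, CVE-2019-8355, CVE-2019-8357) share one defect class: an element-count times element-size product that wraps in size_t, so malloc() returns a buffer far smaller than the caller believes, plus a missing NULL check after allocation. The following is an added illustration of that pattern and its hardened form, written for this page and not taken from sox; all function names are hypothetical.

```c
/* Added example (not sox's own code): the size-overflow and NULL-check
 * pattern behind CVE-2019-8354/8355/8357. Names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* The vulnerable computation: n * elem is evaluated in size_t and silently
 * wraps, so this returns the (possibly tiny) byte count malloc() would get. */
size_t naive_alloc_size(size_t n, size_t elem)
{
    return n * elem;
}

/* Overflow-checked multiply, which is what calloc() does internally and what
 * a hand-rolled size calculation (as in lsx_valloc) must do itself.
 * Returns 1 and stores the product in *out if it is representable. */
int checked_mul(size_t n, size_t elem, size_t *out)
{
    if (elem != 0 && n > SIZE_MAX / elem)
        return 0;           /* product would wrap: refuse the allocation */
    *out = n * elem;
    return 1;
}

/* Hardened allocator: NULL on size overflow or allocation failure. Callers
 * must test for NULL, which is the check CVE-2019-8357 added. */
void *alloc_array(size_t n, size_t elem)
{
    size_t bytes;
    if (!checked_mul(n, elem, &bytes))
        return NULL;
    return calloc(n, elem); /* zeroed, and sized by a non-wrapping product */
}

/* Does the naive size wrap to fewer bytes than there are elements?
 * Returns 1 exactly when the vulnerable pattern would under-allocate. */
int naive_size_wraps(size_t n, size_t elem)
{
    size_t bytes;
    return !checked_mul(n, elem, &bytes) && naive_alloc_size(n, elem) < n;
}

/* Allocate, check, and free a normal-sized array; 1 on success, 0 on NULL. */
int alloc_array_roundtrip(size_t n, size_t elem)
{
    void *p = alloc_array(n, elem);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}
```

With a 64-bit size_t, a request of (SIZE_MAX / 2 + 2) elements of 2 bytes wraps to a 2-byte allocation in the naive form and is refused by the checked form.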
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-22 01:17:48 UTC
*** Bug 679478 has been marked as a duplicate of this bug. ***
Comment 5 Larry the Git Cow gentoo-dev 2020-08-03 06:27:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f0525803e44e76b54ba366144606577d783af33e

commit f0525803e44e76b54ba366144606577d783af33e
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-08-03 06:27:12 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-03 06:27:12 +0000

    media-sound/sox: security bump to 20200803 snapshot
    
    Bug: https://bugs.gentoo.org/711320
    Closes: https://bugs.gentoo.org/712630
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 media-sound/sox/Manifest                    |   1 +
 media-sound/sox/sox-14.4.2_p20200803.ebuild | 106 ++++++++++++++++++++++++++++
 2 files changed, 107 insertions(+)
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-15 02:02:07 UTC
amd64 done
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-15 03:08:24 UTC
arm64 done
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-15 03:56:24 UTC
arm done
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-15 04:09:05 UTC
x86 done
Comment 10 Agostino Sarubbo gentoo-dev 2020-08-16 14:49:08 UTC
sparc stable
Comment 11 judyhsiao 2020-08-18 08:10:31 UTC
Gently asking: do we still need this pull request?
https://github.com/gentoo/gentoo/pull/14561

Thanks!
Comment 12 judyhsiao 2020-08-19 06:50:29 UTC
I resubmitted https://github.com/gentoo/gentoo/pull/17168

thanks!
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-29 12:55:39 UTC
ppc done
Comment 14 Sergei Trofimovich (RETIRED) gentoo-dev 2020-09-04 11:53:08 UTC
commit 1000f7ed8ee912db6d392c183f3b4f8f85928e50
Author: Sam James <sam@gentoo.org>
Date:   Thu Sep 3 23:43:26 2020 +0000

    media-sound/sox: ppc64 stable (bug #711320)
Comment 15 Larry the Git Cow gentoo-dev 2020-09-04 12:07:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7a8736c5acc6898bf74f7788560bf8667f441f67

commit 7a8736c5acc6898bf74f7788560bf8667f441f67
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-09-04 12:07:06 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-09-04 12:07:18 +0000

    media-sound/sox: security cleanup
    
    Bug: https://bugs.gentoo.org/711320
    Package-Manager: Portage-3.0.5, Repoman-3.0.1
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 media-sound/sox/Manifest                           |  1 -
 .../sox/files/sox-14.4.2-CVE-2017-11332.patch      | 25 ------
 .../sox/files/sox-14.4.2-CVE-2017-11333.patch      | 43 ----------
 .../sox/files/sox-14.4.2-CVE-2017-11358.patch      | 26 ------
 .../sox/files/sox-14.4.2-CVE-2017-11359.patch      | 27 ------
 .../sox/files/sox-14.4.2-CVE-2017-15370.patch      | 25 ------
 .../sox/files/sox-14.4.2-CVE-2017-15371.patch      | 37 --------
 .../sox/files/sox-14.4.2-CVE-2017-15372.patch      | 97 ---------------------
 .../sox/files/sox-14.4.2-CVE-2017-15642.patch      | 28 -------
 .../sox/files/sox-14.4.2-CVE-2017-18189.patch      | 30 -------
 .../sox-14.4.2-wavpack-chk-errors-on-init.patch    | 35 --------
 media-sound/sox/sox-14.4.2-r1.ebuild               | 98 ----------------------
 12 files changed, 472 deletions(-)
Comment 16 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-09-04 16:33:23 UTC
Thanks all.
Comment 17 Thomas Deutschmann (RETIRED) gentoo-dev 2021-02-20 19:30:22 UTC
GLSA Vote: No

Repository is clean, all done!