--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2018-f7a1334c68
2018-08-14 20:15:54.627005
--------------------------------------------------------------------------------
Name        : sox
Product     : Fedora 27
Version     : 14.4.2.0
Release     : 22.fc27
URL         : https://sourceforge.net/projects/sox/
Summary     : A general purpose sound file conversion tool
Description :
SoX (Sound eXchange) is a sound file format converter. SoX can convert
between many different digitized sound formats and perform simple
sound manipulation functions, including sound effects.

--------------------------------------------------------------------------------
Update Information:

Fixes **CVE-2017-11332**, **CVE-2017-11358**, and **CVE-2017-11359**.

----

**Prevents division by zero in `src/ao.c`**

This bug is hard to reproduce, depending on the hardware configuration or the
installed OS components. For me, it can be reproduced only in `mock`. With this
update, an error message should be displayed instead of SIGFPE.
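As an added illustration (not SoX's own `wav.c`, nor the patch shipped in this update), the C parser below shows the defensive pattern behind the divide-by-zero fixes listed in this advisory: a canonical 44-byte PCM WAV header is read and every field that later serves as a divisor is validated up front, so a malformed file produces an error code rather than a SIGFPE. The header layout is the standard RIFF/WAVE one; the function names, status codes and the constructed test headers are assumptions of this example.

```c
/* Added illustrative example, not SoX's wav.c: validate the WAV header fields
 * that later serve as divisors so malformed input yields an error, not SIGFPE. */
#include <stdint.h>
#include <string.h>

enum wav_status { WAV_OK = 0, WAV_ERR_SHORT, WAV_ERR_MAGIC, WAV_ERR_ZERO_FIELD,
                  WAV_ERR_INCONSISTENT };
struct wav_fmt {
    uint16_t channels, block_align, bits_per_sample;
    uint32_t sample_rate, data_bytes;
    uint32_t frames;   /* data_bytes / block_align, computed only when safe */
};
/* WAV fields are little-endian; helpers to read and write 16/32-bit fields. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v & 0xffff); wr16(p + 2, v >> 16); }

enum wav_status wav_parse_header(const uint8_t *buf, size_t len, struct wav_fmt *o)
{
    if (len < 44) return WAV_ERR_SHORT;
    if (memcmp(buf, "RIFF", 4) || memcmp(buf + 8, "WAVEfmt ", 8) ||
        memcmp(buf + 36, "data", 4))
        return WAV_ERR_MAGIC;
    o->channels = rd16(buf + 22);    o->sample_rate = rd32(buf + 24);
    o->block_align = rd16(buf + 32); o->bits_per_sample = rd16(buf + 34);
    o->data_bytes = rd32(buf + 40);
    /* Reject zero divisors before any arithmetic that would trap on them. */
    if (!o->channels || !o->sample_rate || !o->block_align || !o->bits_per_sample)
        return WAV_ERR_ZERO_FIELD;
    /* block_align must agree with channels * bytes per sample. */
    if (o->block_align != o->channels * ((o->bits_per_sample + 7) / 8))
        return WAV_ERR_INCONSISTENT;
    o->frames = o->data_bytes / o->block_align;   /* safe: block_align != 0 */
    return WAV_OK;
}
/* Constructed input for testing: builds a canonical 44-byte header from the given
 * fields and parses it. Returns the frame count, or the negated error status. */
long wav_probe(uint16_t ch, uint32_t rate, uint16_t balign, uint16_t bits,
               uint32_t data_bytes)
{
    uint8_t buf[44]; struct wav_fmt f;
    memcpy(buf, "RIFF", 4); wr32(buf + 4, 36 + data_bytes);
    memcpy(buf + 8, "WAVEfmt ", 8); wr32(buf + 16, 16); wr16(buf + 20, 1);
    wr16(buf + 22, ch); wr32(buf + 24, rate); wr32(buf + 28, rate * balign);
    wr16(buf + 32, balign); wr16(buf + 34, bits);
    memcpy(buf + 36, "data", 4); wr32(buf + 40, data_bytes);
    enum wav_status s = wav_parse_header(buf, sizeof buf, &f);
    return s == WAV_OK ? (long)f.frames : -(long)s;
}
```

A header with `block_align` or `sample_rate` set to zero is rejected before the division, which is exactly the class of input that would otherwise kill the process with signal 8.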
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jun  6 2018 Jiri Kucera  - 14.4.2.0-22
- added patch that fixes:
  + "divide by zero in startread function in wav.c" (CVE-2017-11332)
  + "invalid memory read in read_samples function in hcom.c" (CVE-2017-11358)
  + "divide by zero in wavwritehdr function in wav.c" (CVE-2017-11359)
  resolves #1480674, #1480675, #1480676, and #1480678
* Sat Jun  2 2018 Jiri Kucera  - 14.4.2.0-21
- fix hunks in patches
- prevents division by zero in src/ao.c
  + fixes/prevents "sox killed by SIGFPE (signal 8)" kind of bugs that appear
    randomly, depending on reporter's HW/environment/OS components
  + related bugs: #1309426, #1226675, #1540762, #1492910
* Wed Mar 21 2018 Jiri Kucera  - 14.4.2.0-20
- added patch that fixes WAV to HCOM conversion abortion on 64 bit big endian
  machines
  + resolves #1558887
* Mon Mar 19 2018 Jiri Kucera  - 14.4.2.0-19
- CVEs presence tests beakerized and moved to tests/ directory as CI tests
- %check section: creating of additional binaries for testing was replaced
  by the libsox binary patch workaround hack; during the testing the hardcoded
  path to the directory with sox plugins is replaced for non-root alternative
  and hence running the tests under the mock is possible (before the binary
  patching, the backup of libsox is made, and at the end of tests it is
  restored); this decreases the build time of the package, but may increase the
  fragility of the package build process (future features in gcc toolchain may
  make the binary patching impossible/not working)
* Thu Feb 22 2018 Jiri Kucera  - 14.4.2.0-18
- Added missing gcc dependency
* Tue Feb  6 2018 Jiri Kucera  - 14.4.2.0-17
- SOX_PLUGINS environment variable is now used only while running %check
  during the package building; SOX_PLUGINS are now no longer available to
  users
* Thu Feb  1 2018 Jiri Kucera  - 14.4.2.0-16
- added patch that disables hcom conversion tests on big endian architectures
  due to SIGABRT issues
* Tue Jan 30 2018 Jiri Kucera  - 14.4.2.0-15
- added patch that fixes stack-overflow vulnerability in lsx_ms_adpcm_block_expand_i (CVE-2017-15372)
  + resolves #1500553, #1510919
- added patch that fixes use-after-free in lsx_aiffstartread (CVE-2017-15642)
  + resolves #1510923
- added patch that fixes incorrect FSF address in src/ladspa.h
- added patch that introduces SOX_PLUGINS environment variable that overrides
  standard sox location for plugins
- added patch that inserts $(DESTDIR) before ${bindir} in src/Makefile.am
  installcheck target
- added tests that check if previously fixed bugs remain fixed in newer releases
- spec file changes:
  + suppressed rpmlint warning about bad Source URL
  + added comments to security patches
  + in %description: added missing sentence period
  + in %prep: suppressed "%setup is not quite" rpmlint warning
  + in %install: removed redundant slashes before %{_libdir}
  + added %check section
* Wed Jan 10 2018 Jiri Kucera  - 14.4.2.0-14
- add patch to fix the heap-based buffer overflow in the ImaExpandS function (CVE-2017-15370)
- resolves #1500554, #1510917
- sanitized macro-in-comment rpmlint warnings
* Wed Jan  3 2018 Jiri Kucera  - 14.4.2.0-13
- add patch to fix reachable assertion abort in function sox_append_comment (CVE-2017-15371)
- resolves #1500570, #1510918
* Tue Dec 19 2017 Jiri Kucera  - 14.4.2.0-12
- .gz suffix changed to .bz2 since the source archive is bzipped
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1480678 - CVE-2017-11332 CVE-2017-11358 CVE-2017-11359 sox: various flaws [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1480678
  [ 2 ] Bug #1226675 - [abrt] sox: startwrite(): sox killed by SIGFPE
        https://bugzilla.redhat.com/show_bug.cgi?id=1226675
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2018-f7a1334c68' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O5KW4OL54BD2Q43MB2AOQ652Y2HJPNE3/
