Fedora 27: 2018-f7a1334c68 Critical: sox Division By Zero Issue

SoX (Sound eXchange) is a sound file format converter. SoX can convert

between many different digitized sound formats and perform simple

sound manipulation functions, including sound effects.

Fixes **CVE-2017-11332**, **CVE-2017-11358**, and **CVE-2017-11359**. ----**Prevents division by zero in `src/ao.c`** This bug is hard to reproduce,

depending on the HW configuration or installed OS parts. For me, it can be

reproduced only in `mock`. In this update, error message should be displayed

instead of SIGFPE.

* Wed Jun 6 2018 Jiri Kucera - 14.4.2.0-22

- added patch that fixes:

+ "divide by zero in startread function in wav.c" (CVE-2017-11332)

+ "invalid memory read in read_samples function in hcom.c" (CVE-2017-11358)

+ "divide by zero in wavwritehdr function in wav.c" (CVE-2017-11359)

resolves #1480674, #1480675, #1480676, and #1480678

* Sat Jun 2 2018 Jiri Kucera - 14.4.2.0-21

- fix hunks in patches

- prevents division by zero in src/ao.c

+ fixes/prevents "sox killed by SIGFPE (signal 8)" kind of bugs that appear

randomly, depending on reporter's HW/environment/OS components

+ related bugs: #1309426, #1226675, #1540762, #1492910

* Wed Mar 21 2018 Jiri Kucera - 14.4.2.0-20

- added patch that fixes WAV to HCOM conversion abortion on 64 bit big endian

machines

+ resolves #1558887

* Mon Mar 19 2018 Jiri Kucera - 14.4.2.0-19

- CVEs presence tests beakerized and moved to tests/ directory as CI tests

- %check section: creating of additional binaries for testing was replaced

by the libsox binary patch workaround hack; during the testing the hardcoded

path to the directory with sox plugins is replaced for non-root alternative

and hence running the tests under the mock is possible (before the binary

patching, the backup of libsox is made, and at the end of tests it is

restored); this decrease the build time of the package, but may increase the

fragility of the package build process (future features in gcc toolchain may

make the binary patching impossible/not working)

* Thu Feb 22 2018 Jiri Kucera - 14.4.2.0-18

- Added missing gcc dependency

* Tue Feb 6 2018 Jiri Kucera - 14.4.2.0-17

- SOX_PLUGINS environment variable is now used only while running %check

during the package building; SOX_PLUGINS are now no longer available to

users

* Thu Feb 1 2018 Jiri Kucera - 14.4.2.0-16

- added patch that disables hcom conversion tests on big endian architectures

due to SIGABRT issues

* Tue Jan 30 2018 Jiri Kucera - 14.4.2.0-15

- added patch that fixes stack-overflow vulnerability in lsx_ms_adpcm_block_expand_i (CVE-2017-15372)

+ resolves #1500553, #1510919

- added patch that fixes use-after-free in lsx_aiffstartread (CVE-2017-15642)

+ resolves #1510923

- added patch that fixes incorrect FSF address in src/ladspa.h

- added patch that introduces SOX_PLUGINS environment variable that overrides

standard sox location for plugins

- added patch that inserts $(DESTDIR) before ${bindir} in src/Makefile.am

installcheck target

- added tests that checks if previously fixed bugs remain fixed in newer releases

- spec file changes:

+ suppressed rpmlint warning about bad Source URL

+ added comments to security patches

+ in %description: added missing sentence period

+ in %prep: suppressed "%setup is not quite" rpmlint warning

+ in %install: removed redundant slashes before %{_libdir}

+ added %check section

* Wed Jan 10 2018 Jiri Kucera - 14.4.2.0-14

- add patch to fix the heap-based buffer overflow in the ImaExpandS function (CVE-2017-15370)

- resolves #1500554, #1510917

- sanitized macro-in-comment rpmlint warnings

* Wed Jan 3 2018 Jiri Kucera - 14.4.2.0-13

- add patch to fix reachable assertion abort in function sox_append_comment (CVE-2017-15371)

- resolves #1500570, #1510918

* Tue Dec 19 2017 Jiri Kucera - 14.4.2.0-12

- .gz suffix changed to .bz2 since the source archive is bzipped

[ 1 ] Bug #1480678 - CVE-2017-11332 CVE-2017-11358 CVE-2017-11359 sox: various flaws [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=1480678

[ 2 ] Bug #1226675 - [abrt] sox: startwrite(): sox killed by SIGFPE

https://bugzilla.redhat.com/show_bug.cgi?id=1226675

su -c 'dnf upgrade --advisory FEDORA-2018-f7a1334c68' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O5KW4OL54BD2Q43MB2AOQ652Y2HJPNE3/