openRuyi-tutorials/buildroot
6
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

package/sox: add fix for CVE-2021-23159, CVE-2021-23172, CVE-2023-34318

Browse Source 
This fix is integrated in Debian. The CVEs are not reported by pkg-stats
because the NVD database has associated it to the sox_project:sox
vendor/product CPE. This has been reported to NVD:

  https://lore.kernel.org/buildroot/20250517220322.4da9bdb3@windsurf/

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit is contained in:
Thomas Petazzoni
2025-05-18 10:57:10 +02:00
committed by Julien Olivain
parent b93b80245d
commit 14aa0f5ec1
2 changed files with 43 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
package/sox/0007-hcom-validate-dictsize.patch Normal file
View File

@@ -0,0 +1,38 @@
From 54455f59305d9ce94cc73100bc2dd542865fed4b Mon Sep 17 00:00:00 2001
From: Helmut Grohne <helmut@subdivi.de>
Date: Sat, 17 May 2025 22:33:16 +0200
Subject: [PATCH] hcom: validate dictsize
Bug: https://sourceforge.net/p/sox/bugs/350/
Bug: https://sourceforge.net/p/sox/bugs/352/
Bug-Debian: https://bugs.debian.org/1021133
Bug-Debian: https://bugs.debian.org/1021134
This patch fixes both CVE-2021-23159 and CVE-2021-23172.
Upstream: https://sourceforge.net/p/sox/bugs/350/
Upstream: https://sourceforge.net/p/sox/bugs/352/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
src/hcom.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/hcom.c b/src/hcom.c
index 594c8706..9e8b03c6 100644
--- a/src/hcom.c
+++ b/src/hcom.c
@@ -141,6 +141,11 @@ static int startread(sox_format_t * ft)
return (SOX_EOF);
}
lsx_readw(ft, &dictsize);
+ if (dictsize == 0 || dictsize > 511)
+ {
+ lsx_fail_errno(ft, SOX_EHDR, "Implausible dictionary size in HCOM header");
+ return SOX_EOF;
+ }
/* Translate to sox parameters */
ft->encoding.encoding = SOX_ENCODING_HCOM;
--
2.49.0

5
package/sox/sox.mk
View File

@@ -64,6 +64,11 @@ SOX_IGNORE_CVES += CVE-2019-13590
# due to the change of CPE ID to sox_project:sox in the NVD database
SOX_IGNORE_CVES += CVE-2021-3643 CVE-2021-23210
# 0007-hcom-validate-dictsize.patch
# This entry is NOT stale, those CVEs are not reported by pkg-stats
# due to the change of CPE ID to sox_project:sox in the NVD database
SOX_IGNORE_CVES += CVE-2021-23159 CVE-2021-23172 CVE-2023-34318
SOX_CONF_OPTS = \
--with-distro="Buildroot" \
--disable-stack-protector