openRuyi-tutorials/buildroot
6
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

package/sox: add fix for CVE-2023-32627

Browse Source 
Patch comes from Debian. The CVEs are not reported by pkg-stats
because the NVD database has associated it to the sox_project:sox
vendor/product CPE. This has been reported to NVD:

  https://lore.kernel.org/buildroot/20250517220322.4da9bdb3@windsurf/

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 0d7e72afb2)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This commit is contained in:
Thomas Petazzoni
2025-05-18 10:57:14 +02:00
committed by Thomas Perale
parent 08f272db55
commit 8b59257b82
2 changed files with 42 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
package/sox/0011-CVE-2023-32627-Filter-null-sampling-rate-in-VOC-code.patch Normal file
View File

@@ -0,0 +1,37 @@
From 2ab4f13af84f224cfbdd997e027c7348156de463 Mon Sep 17 00:00:00 2001
From: Helmut Grohne <helmut@subdivi.de>
Date: Sat, 17 May 2025 23:07:34 +0200
Subject: [PATCH] CVE-2023-32627 Filter null sampling rate in VOC coder
Avoid a divide by zero and out of bound read by rejecting null sampling rate in VOC file
bug: https://sourceforge.net/p/sox/bugs/369/
bug-redhat: https://bugzilla.redhat.com/show_bug.cgi?id=2212282
bug-debian: https://bugs.debian.org/1041112
bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2023-32627
Upstream: https://sourceforge.net/p/sox/bugs/369/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
src/voc.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/voc.c b/src/voc.c
index 0ca07f94..d8b982c5 100644
--- a/src/voc.c
+++ b/src/voc.c
@@ -353,6 +353,11 @@ static size_t read_samples(sox_format_t * ft, sox_sample_t * buf,
v->block_remaining = 0;
return done;
}
+ if(uc == 0) {
+ lsx_fail_errno(ft, EINVAL, "invalid rate value");
+ v->block_remaining = 0;
+ return done;
+ }
*buf = SOX_UNSIGNED_8BIT_TO_SAMPLE(uc,);
lsx_adpcm_init(&v->adpcm, 6 - v->size, SOX_SAMPLE_TO_SIGNED_16BIT(*buf, ft->clips));
++buf;
--
2.49.0

5
package/sox/sox.mk
View File

@@ -84,6 +84,11 @@ SOX_IGNORE_CVES += CVE-2022-31650 CVE-2023-26590
# due to the change of CPE ID to sox_project:sox in the NVD database
SOX_IGNORE_CVES += CVE-2022-31651
# 0011-CVE-2023-32627-Filter-null-sampling-rate-in-VOC-code.patch
# This entry is NOT stale, those CVEs are not reported by pkg-stats
# due to the change of CPE ID to sox_project:sox in the NVD database
SOX_IGNORE_CVES += CVE-2023-32627
SOX_CONF_OPTS = \
--with-distro="Buildroot" \
--disable-stack-protector