UbuntuUpdates.org

Package "libsox-dev"

Name: libsox-dev

Description:

Development files for the SoX library

Latest version: 14.4.2-3ubuntu0.18.04.3
Release: bionic (18.04)
Level: updates
Repository: universe
Head package: sox
Homepage: https://sox.sourceforge.io/

Links


Download "libsox-dev"


Other versions of "libsox-dev" in Bionic

Repository Area Version
base universe 14.4.2-3
security universe 14.4.2-3ubuntu0.18.04.3

Changelog

Version: 14.4.2-3ubuntu0.18.04.3 2023-03-20 20:06:50 UTC

  sox (14.4.2-3ubuntu0.18.04.3) bionic-security; urgency=medium

  * SECURITY REGRESSION: Denial of Service
    - debian/patches/CVE-2021-33844.patch: fixed regression in wav-gsm
      decodeing introduced via fixing CVE-2021-33844.
    - CVE-2021-33844

 -- Amir Naseredini <email address hidden> Fri, 17 Mar 2023 16:56:11 +0000

Source diff to previous version
CVE-2021-33844 A floating point exception (divide-by-zero) issue was discovered in SoX in functon startread() of wav.c file. An attacker with a crafted wav file, co

Version: 14.4.2-3ubuntu0.18.04.2 2023-03-02 14:06:58 UTC

  sox (14.4.2-3ubuntu0.18.04.2) bionic-security; urgency=medium

  * SECURITY UPDATE: Denial of Service
    - debian/patches/CVE-2019-13590.patch: fixed a possible buffer overflow
      in startread function.
    - debian/patches/CVE-2021-23159.patch: fixed a possible buffer overflow
      in lsx_read_w_buf function (CVE-2021-23159) and in startread function
      (CVE-2021-23172)
    - debian/patches/CVE-2021-33844.patch: fixed a possible division by zero
      in startread function
    - debian/patches/CVE-2021-3643.patch: fixed a possible buffer overflow
      (CVE-2021-3643) and a possible division by zero (CVE-2021-23210) in
      voc component
    - debian/patches/CVE-2021-40426.patch: fixed a possible buffer overflow
      in start_read function
    - debian/patches/CVE-2022-31650.patch: fixed a possible floating-point
      exception in lsx_aiffstartwrite function
    - debian/patches/CVE-2022-31651.patch: fixed a possible assertion failure
      in rate_init function
    - debian/patches/fix-hcom-big-endian.patch: fixed a possible assertion
      failure in hcom component
    - debian/patches/fix-resource-leak-comments.patch: fixed a possible
      unexpected behaviour on input parsing failure in formats component
    - debian/patches/fix-resource-leak-hcom.patch: fixed a possible
      unexpected behaviour on failure in hcom component
    - CVE-2019-13590
    - CVE-2021-23159
    - CVE-2021-23172
    - CVE-2021-33844
    - CVE-2021-3643
    - CVE-2021-23210
    - CVE-2021-40426
    - CVE-2022-31650
    - CVE-2022-31651
  * SECURITY UPDATE: Regression
    - debian/patches/CVE-2017-11358-revised.patch: fixed a regression caused
      by another patch.
    - CVE-2017-11358

 -- Amir Naseredini <email address hidden> Wed, 01 Mar 2023 10:21:11 +0000

Source diff to previous version
CVE-2019-13590 An issue was discovered in libsox.a in SoX 14.4.2. In sox-fmt.h (startread function), there is an integer overflow on the result of integer addition
CVE-2021-23159 A vulnerability was found in SoX, where a heap-buffer-overflow occurs in function lsx_read_w_buf() in formats_i.c file. The vulnerability is exploita
CVE-2021-23172 A vulnerability was found in SoX, where a heap-buffer-overflow occurs in function startread() in hcom.c file. The vulnerability is exploitable with a
CVE-2021-33844 A floating point exception (divide-by-zero) issue was discovered in SoX in functon startread() of wav.c file. An attacker with a crafted wav file, co
CVE-2021-3643 A flaw was found in sox 14.4.1. The lsx_adpcm_init function within libsox leads to a global-buffer-overflow. This flaw allows an attacker to input a
CVE-2021-23210 A floating point exception (divide-by-zero) issue was discovered in SoX in functon read_samples() of voc.c file. An attacker with a crafted file, cou
CVE-2021-40426 A heap-based buffer overflow vulnerability exists in the sphere.c start_read() functionality of Sound Exchange libsox 14.4.2 and master commit 42b355
CVE-2022-31650 In SoX 14.4.2, there is a floating-point exception in lsx_aiffstartwrite in aiff.c in libsox.a.
CVE-2022-31651 In SoX 14.4.2, there is an assertion failure in rate_init in rate.c in libsox.a.
CVE-2017-11358 The read_samples function in hcom.c in Sound eXchange (SoX) 14.4.2 allows remote attackers to cause a denial of service (invalid memory read and appl

Version: 14.4.2-3ubuntu0.18.04.1 2019-08-02 01:08:32 UTC

  sox (14.4.2-3ubuntu0.18.04.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Integer overflow on the result of multiplication fed into
    malloc.
    - debian/patches/CVE-2019-8354.patch: fix possible buffer size overflow in
      lsx_make_lpf()
    - CVE-2019-8354
  * SECURITY UPDATE: Integer overflow on the result of multiplication fed into
    lsx_valloc macro that wraps malloc.
    - debian/patches/CVE-2019-8355.patch: fix possible overflow in
      lsx_(re)valloc() size calculation
    - CVE-2019-8355
  * SECURITY UPDATE: Stack-based buffer overflow can lead to write access
    outside of the statically declared array.
    - debian/patches/CVE-2019-8356.patch: fft4g bail if size too large.
    - CVE-2019-8356
  * SECURITY UPDATE: NULL pointer deference in lsx_make_lpf.
    - debian/patches/CVE-2019-8357.patch: fix possible null pointer deref in
      lsx_make_lpf()
    - CVE-2019-8357

 -- Eduardo Barretto <email address hidden> Thu, 01 Aug 2019 12:27:09 -0300

CVE-2019-8354 An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c has an integer overflow on the result of multiplication fed into malloc. When t
CVE-2019-8355 An issue was discovered in SoX 14.4.2. In xmalloc.h, there is an integer overflow on the result of multiplication fed into the lsx_valloc macro that
CVE-2019-8356 An issue was discovered in SoX 14.4.2. One of the arguments to bitrv2 in fft4g.c is not guarded, such that it can lead to write access outside of the
CVE-2019-8357 An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c allows a NULL pointer dereference.



About   -   Send Feedback to @ubuntu_updates