[Buildroot] [PATCH 1/1] package/sox: security bump to latest git commit

Peter Korsgaard peter at korsgaard.com
Thu Feb 4 17:20:28 UTC 2021


>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice at gmail.com> writes:

 > Bump to the latest git commit as this will fix the following CVEs:
 > git log|grep CVE
 >   sox-fmt: validate comments_bytes before use (CVE-2019-13590) [bug #325]
 >   fix possible null pointer deref in lsx_make_lpf() (CVE-2019-8357)
 >   fft4g: bail if size too large (CVE-2019-8356)
 >   fix possible overflow in lsx_(re)valloc() size calculation (CVE-2019-8355)
 >   fix possible buffer size overflow in lsx_make_lpf() (CVE-2019-8354)
 >   xa: validate channel count (CVE-2017-18189)
 >   aiff: fix crash on empty comment chunk (CVE-2017-15642)
 >   adpcm: fix stack overflow with >4 channels (CVE-2017-15372)
 >   flac: fix crash on corrupt metadata (CVE-2017-15371)
 >   wav: ima_adpcm: fix buffer overflow on corrupt input (CVE-2017-15370)
 >   wav: fix crash writing header when channel count >64k (CVE-2017-11359)
 >   hcom: fix crash on input with corrupt dictionary (CVE-2017-11358)
 >   wav: fix crash if channel count is zero (CVE-2017-11332)

 > - Tweak configuration options due to
 >   https://sourceforge.net/p/sox/code/ci/6ff0e9322f9891f5a6ac6c9b3bceffbfca16bec3
 > - libgsm is now an optional dependency since
 >   https://sourceforge.net/p/sox/code/ci/e548827ffcf4dffa7f21709b8e96b04b481c09b8
 > - Add patch to put back --disable-stack-protector

It would be good if you could bring up this issue with upstream.

Committed, thanks.

-- 
Bye, Peter Korsgaard


More information about the buildroot mailing list