From patchwork Sun Mar 16 22:53:47 2025
X-Patchwork-Submitter: Peter Marko
X-Patchwork-Id: 59206
From: Peter Marko
To: openembedded-devel@lists.openembedded.org
Cc: Peter Marko
Subject: [meta-multimedia][PATCH 01/12] sox: extend CVE_PRODUCT
Date: Sun, 16 Mar 2025 23:53:47 +0100
Message-Id: <20250316225358.2816208-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/116006

Add all relevant items from queries:

$ sqlite3 nvdcve_2-2.db
sqlite> select vendor, product, count(*) from products where product like '%sox%' group by vendor, product;
commugen|sox_365|1
libsox_project|libsox|1
sox|sox|3
sox_project|sox|10
sqlite> select vendor, product, count(*) from products where product like '%sound_exchange%' group by vendor, product;
sound_exchange_project|sound_exchange|16

Signed-off-by: Peter Marko
---
 meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb
index 800fcad2c9..c1edd0fad7 100644
--- a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb
+++ b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb
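Review bot: the `CVE_PRODUCT:append` line adds only `libsox_project:libsox` and `sound_exchange_project:sound_exchange`, and the commit message does not say why the other rows of the query are left out. Add one sentence stating that `sox:sox` and `sox_project:sox` are already matched by the recipe's default `CVE_PRODUCT` of `${BPN}` (a bare product name matches any vendor) and that `commugen:sox_365` is an unrelated product, so the next person running the same query does not re-add them. The leading space inside the `:append` string is required and is present.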
@@ -35,6 +35,8 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/sox/sox-${PV}.tar.gz \ SRC_URI[md5sum] = "d04fba2d9245e661f245de0577f48a33" SRC_URI[sha256sum] = "b45f598643ffbd8e363ff24d61166ccec4836fea6d3888881b8df53e3bb55f6c" +CVE_PRODUCT:append = " libsox_project:libsox sound_exchange_project:sound_exchange" + inherit autotools pkgconfig # Enable largefile support From patchwork Sun Mar 16 22:53:48 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 59207 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 16101C35FF1 for ; Sun, 16 Mar 2025 22:55:05 +0000 (UTC) Received: from mta-65-228.siemens.flowmailer.net (mta-65-228.siemens.flowmailer.net [185.136.65.228]) by mx.groups.io with SMTP id smtpd.web10.39868.1742165703940307652 for ; Sun, 16 Mar 2025 15:55:04 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=DiH/u6t9; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.228, mailfrom: fm-256628-202503162255019724f96e9db80abfc7-vtzu5q@rts-flowmailer.siemens.com) Received: by mta-65-228.siemens.flowmailer.net with ESMTPSA id 202503162255019724f96e9db80abfc7 for ; Sun, 16 Mar 2025 23:55:01 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=iX9djCopBK8RKMDANcHbgECd3TzF5HWS4TNyzCG9964=; b=DiH/u6t9OBMA/NDgvGlgrwNzIDo6+TFBQGQIHC5ThHXbzCCGt9L7zqoSODjXLnHTVUq44O /7LvMdGSXbDIMJ+gaw537XgWCt+evOPOQMk4TCrmZFcKo3EWqhCWK3Tp25soY/faB318ijzY XXEOlC8TnMfau9+6mVjUod/uM0B/hZJ5+fcIhZGVwljA8geVX4ocLmOe69yKOhAlkwMauygX 
From: Peter Marko
To: openembedded-devel@lists.openembedded.org
Cc: Peter Marko
Subject: [meta-multimedia][PATCH 02/12] sox: build from git
Date: Sun, 16 Mar 2025 23:53:48 +0100
Message-Id: <20250316225358.2816208-2-peter.marko@siemens.com>
In-Reply-To: <20250316225358.2816208-1-peter.marko@siemens.com>
References: <20250316225358.2816208-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/116007

Last release was done in 2015 but development still continues.
Switch to git sources to allow update.

Signed-off-by: Peter Marko
---
 meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb
index c1edd0fad7..48dba45420 100644
--- a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb
+++ b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb
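Review bot: `PV` stays at `14.4.2` while the source becomes a git checkout pinned by `SRCREV = "45b161d73ec087a8e003747b1aed07cd33589bca"`, and neither the recipe nor the commit message records whether that commit is the `sox-14.4.2` release tag. State that in the commit message, or add the `+git` suffix to `PV` in this patch rather than the next one, so that cve-check and the version written into the SBOM describe the tree that is actually built. Dropping `SRC_URI[md5sum]` and `SRC_URI[sha256sum]` is correct for a git fetch, since integrity is now pinned by the full `SRCREV` hash and `protocol=https` keeps the transport authenticated.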
@@ -27,13 +27,14 @@ LICENSE = "GPL-2.0-only & LGPL-2.1-only" LIC_FILES_CHKSUM = "file://LICENSE.GPL;md5=751419260aa954499f7abaabaa882bbe \ file://LICENSE.LGPL;md5=fbc093901857fcd118f065f900982c24" -SRC_URI = "${SOURCEFORGE_MIRROR}/sox/sox-${PV}.tar.gz \ +SRC_URI = "git://git.code.sf.net/p/sox/code;protocol=https;branch=master \ file://0001-remove-the-error-line-and-live-without-file-type-det.patch \ file://0001-Update-exported-symbol-list.patch \ file://0001-tests-Include-math.h-for-fabs-definition.patch \ " -SRC_URI[md5sum] = "d04fba2d9245e661f245de0577f48a33" -SRC_URI[sha256sum] = "b45f598643ffbd8e363ff24d61166ccec4836fea6d3888881b8df53e3bb55f6c" + +SRCREV = "45b161d73ec087a8e003747b1aed07cd33589bca" +S = "${WORKDIR}/git" CVE_PRODUCT:append = " libsox_project:libsox sound_exchange_project:sound_exchange" From patchwork Sun Mar 16 22:53:49 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 59209 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1AD60C35FF1 for ; Sun, 16 Mar 2025 22:55:15 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web11.39876.1742165706560558333 for ; Sun, 16 Mar 2025 15:55:06 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=iCpV2LdL; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-256628-20250316225504f49f3594a06d025020-q4nq07@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 20250316225504f49f3594a06d025020 for ; Sun, 16 Mar 2025 23:55:04 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; 
From: Peter Marko
To: openembedded-devel@lists.openembedded.org
Cc: Peter Marko
Subject: [meta-multimedia][PATCH 03/12] sox: update to latest git hash
Date: Sun, 16 Mar 2025 23:53:49 +0100
Message-Id: <20250316225358.2816208-3-peter.marko@siemens.com>
In-Reply-To: <20250316225358.2816208-1-peter.marko@siemens.com>
References: <20250316225358.2816208-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/116008

Resolve many CVEs and other bugs.

$ git describe --tags
sox-14.4.2-184-gf3094754
$ git log -1 HEAD | grep Date:
Date:   Thu May 30 14:46:01 2024 +0100

Recipe changes:
* removed 0001-Update-exported-symbol-list.patch
  this commit is included now
* refreshed 0001-remove-the-error-line-and-live-without-file-type-det.patch
* 0001-tests-Include-math.h-for-fabs-definition.patch
  affected file was deleted from sources
* added autoconf-archive-native dependency for newly used AX_APPEND_COMPILE_FLAGS macro
* changed some config options from with/without to enable/disable
  https://sourceforge.net/p/sox/code/ci/6ff0e9322f9891f5a6ac6c9b3bceffbfca16bec3/
* added +git to PV to indicate version not on hash

Signed-off-by: Peter Marko
---
 .../0001-Update-exported-symbol-list.patch    | 34 -------------------
 ...-line-and-live-without-file-type-det.patch |  2 +-
 ...s-Include-math.h-for-fabs-definition.patch | 33 ------------------
 .../recipes-multimedia/sox/sox_14.4.2.bb      | 26 +++++++-------
 4 files changed, 14 insertions(+), 81 deletions(-)
 delete mode 100644 meta-multimedia/recipes-multimedia/sox/sox/0001-Update-exported-symbol-list.patch
 delete mode 100644 meta-multimedia/recipes-multimedia/sox/sox/0001-tests-Include-math.h-for-fabs-definition.patch

diff --git a/meta-multimedia/recipes-multimedia/sox/sox/0001-Update-exported-symbol-list.patch b/meta-multimedia/recipes-multimedia/sox/sox/0001-Update-exported-symbol-list.patch
deleted file mode 100644
index 44c6b19be0..0000000000
--- a/meta-multimedia/recipes-multimedia/sox/sox/0001-Update-exported-symbol-list.patch
+++ /dev/null
@@ -1,34 +0,0 @@ -From b1809d82031aa7c5bcaad58bcb4b59e082e0446e Mon Sep 17 00:00:00 2001 -From: Mans Rullgard -Date: Sun, 5 Nov 2017 15:40:16 +0000 -Subject: [PATCH] Update exported symbol list - -commit 5c58413544 ("Don't export (most) internal libsox symbols") -breaks dynamic flac builds as flac.c references lsx.error, so add it -to the list of exceptions. - -| .libs/flac.o: In function `decoder_read_callback': -| /usr/src/debug/sox/14.4.2-r0/sox-14.4.2/src/flac.c:63: undefined reference to `lsx_error' - -Upstream-Status: Backport [https://bogomips.org/sox.git ("pu" branch)] - ---- - src/Makefile.am | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/Makefile.am b/src/Makefile.am -index 7cceaafd..a3a04ed1 100644 ---- a/src/Makefile.am -+++ b/src/Makefile.am -@@ -95,7 +95,7 @@ libsox_la_LIBADD += @GOMP_LIBS@ - - libsox_la_CFLAGS = @WARN_CFLAGS@ - libsox_la_LDFLAGS = @APP_LDFLAGS@ -version-info @SHLIB_VERSION@ \ -- -export-symbols-regex '^(sox_.*|lsx_(check_read_params|(close|open)_dllibrary|(debug(_more|_most)?|fail|report|warn)_impl|eof|fail_errno|filelength|find_(enum_(text|value)|file_extension)|getopt(_init)?|lpc10_(create_(de|en)coder_state|(de|en)code)|raw(read|write)|read(_b_buf|buf|chars)|realloc|rewind|seeki|sigfigs3p?|strcasecmp|tell|unreadb|write(b|_b_buf|buf|s)))$$' -+ -export-symbols-regex '^(sox_.*|lsx_(([cm]|re)alloc|check_read_params|(close|open)_dllibrary|(debug(_more|_most)?|fail|report|warn)_impl|eof|error|fail_errno|filelength|find_(enum_(text|value)|file_extension)|flush|getopt(_init)?|id3_read_tag|lpc10_(create_(de|en)coder_state|(de|en)code)|raw(read|write)|read(_b_buf|buf|chars)|rewind|seeki|sigfigs3p?|strcasecmp|strdup|tell|unreadb|write(b|_b_buf|buf|s)))$$' - - if HAVE_WIN32_LTDL - libsox_la_SOURCES += win32-ltdl.c win32-ltdl.h --- -2.16.2 - 
diff --git a/meta-multimedia/recipes-multimedia/sox/sox/0001-remove-the-error-line-and-live-without-file-type-det.patch b/meta-multimedia/recipes-multimedia/sox/sox/0001-remove-the-error-line-and-live-without-file-type-det.patch index 3085bd495c..15c429e515 100644 --- a/meta-multimedia/recipes-multimedia/sox/sox/0001-remove-the-error-line-and-live-without-file-type-det.patch +++ b/meta-multimedia/recipes-multimedia/sox/sox/0001-remove-the-error-line-and-live-without-file-type-det.patch @@ -15,7 +15,7 @@ diff --git a/src/formats.c b/src/formats.c index 724a4cda..f683a922 100644 --- a/src/formats.c +++ b/src/formats.c -@@ -422,7 +422,6 @@ static void UNUSED rewind_pipe(FILE * fp) +@@ -477,7 +477,6 @@ static void UNUSED rewind_pipe(FILE * fp) /* To fix this #error, either simply remove the #error line and live without * file-type detection with pipes, or add support for your compiler in the * lines above. Test with cat monkey.wav | ./sox --info - */ diff --git a/meta-multimedia/recipes-multimedia/sox/sox/0001-tests-Include-math.h-for-fabs-definition.patch b/meta-multimedia/recipes-multimedia/sox/sox/0001-tests-Include-math.h-for-fabs-definition.patch deleted file mode 100644 index 5f9135a0ee..0000000000 --- a/meta-multimedia/recipes-multimedia/sox/sox/0001-tests-Include-math.h-for-fabs-definition.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From afe336ab63ff9b64ef759255de6b03b897dc4453 Mon Sep 17 00:00:00 2001 -From: Khem Raj -Date: Sun, 19 May 2024 09:09:46 -0700 -Subject: [PATCH] tests: Include math.h for fabs() definition - -Fixes build with gcc-14 - -../../sox-14.4.2/src/sox_sample_test.h:190:3: error: implicit declaration of function 'fabs' [-Wimplicit-function-declaration] - 190 | assert(fabs(d - 1) < 1e-9 && clips == 0); - | ^~~~~~ - ../../sox-14.4.2/src/sox_sample_test.h:23:1: note: include '' or provide a declaration of 'fabs' - -Upstream-Status: Pending -Signed-off-by: Khem Raj ---- - src/sox_sample_test.h | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/sox_sample_test.h b/src/sox_sample_test.h -index 62b55e4..17f0069 100644 ---- a/src/sox_sample_test.h -+++ b/src/sox_sample_test.h -@@ -19,6 +19,7 @@ - #undef NDEBUG /* Must undef above assert.h or other that might include it. */ - #endif - #include -+#include - #include "sox.h" - - #define TEST_UINT(bits) \ --- -2.45.1 - diff --git a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb index 48dba45420..e3c228858c 100644 --- a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb +++ b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb 
@@ -4,24 +4,24 @@ and can apply different effects and filters to the audio data." HOMEPAGE = "http://sox.sourceforge.net" SECTION = "audio" -DEPENDS = "libpng libsndfile1 libtool" +DEPENDS = "autoconf-archive-native libpng libsndfile1 libtool" PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'alsa pulseaudio', d)} \ magic \ " -PACKAGECONFIG[pulseaudio] = "--with-pulseaudio=dyn,--with-pulseaudio=no,pulseaudio," -PACKAGECONFIG[alsa] = "--with-alsa=dyn,--with-alsa=no,alsa-lib," -PACKAGECONFIG[wavpack] = "--with-wavpack=dyn,--with-wavpack=no,wavpack," -PACKAGECONFIG[flac] = "--with-flac=dyn,--with-flac=no,flac," -PACKAGECONFIG[amrwb] = "--with-amrwb=dyn,--with-amrwb=no,opencore-amr," -PACKAGECONFIG[amrnb] = "--with-amrnb=dyn,--with-amrnb=no,opencore-amr," -PACKAGECONFIG[oggvorbis] = "--with-oggvorbis=dyn,--with-oggvorbis=no,libvorbis" -PACKAGECONFIG[opus] = "--with-opus=dyn,--with-opus=no,opusfile" +PACKAGECONFIG[pulseaudio] = "--enable-pulseaudio=dyn,--disable-pulseaudio,pulseaudio," +PACKAGECONFIG[alsa] = "--enable-alsa=dyn,--disable-alsa,alsa-lib," +PACKAGECONFIG[wavpack] = "--enable-wavpack=dyn,--disable-wavpack,wavpack," +PACKAGECONFIG[flac] = "--enable-flac=dyn,--disable-flac,flac," +PACKAGECONFIG[amrwb] = "--enable-amrwb=dyn,--disable-amrwb,opencore-amr," +PACKAGECONFIG[amrnb] = "--enable-amrnb=dyn,--disable-amrnb,opencore-amr," +PACKAGECONFIG[oggvorbis] = "--enable-oggvorbis=dyn,--disable-oggvorbis,libvorbis" +PACKAGECONFIG[opus] = "--enable-opus=dyn,--disable-opus,opusfile" PACKAGECONFIG[magic] = "--with-magic,--without-magic,file," PACKAGECONFIG[mad] = "--with-mad,--without-mad,libmad," PACKAGECONFIG[id3tag] = "--with-id3tag,--without-id3tag,libid3tag," PACKAGECONFIG[lame] = "--with-lame,--without-lame,lame," -PACKAGECONFIG[ao] = "--with-ao,--without-ao,libao," +PACKAGECONFIG[ao] = "--enable-ao,--disable-ao,libao," LICENSE = "GPL-2.0-only & LGPL-2.1-only" LIC_FILES_CHKSUM = "file://LICENSE.GPL;md5=751419260aa954499f7abaabaa882bbe \ 
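Review bot: in the `PACKAGECONFIG` hunk the `magic`, `mad`, `id3tag` and `lame` options keep `--with-`/`--without-` while `pulseaudio`, `alsa`, `wavpack`, `flac`, `amrwb`, `amrnb`, `oggvorbis`, `opus` and `ao` move to `--enable-`/`--disable-`; the commit message only says "some config options" changed and links the upstream commit. Say explicitly that these four still use `--with` in the new `configure.ac` (or convert them too), because a configure script only warns about an unrecognized `--with-foo`/`--enable-foo` and then picks the library up or skips it depending on what happens to be in the sysroot, which silently defeats the `PACKAGECONFIG` choice. It is also worth confirming in the message that `=dyn` is still an accepted value for the `--enable-*` form, since that suffix is carried over unchanged.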
@@ -29,11 +29,11 @@ LIC_FILES_CHKSUM = "file://LICENSE.GPL;md5=751419260aa954499f7abaabaa882bbe \ SRC_URI = "git://git.code.sf.net/p/sox/code;protocol=https;branch=master \ file://0001-remove-the-error-line-and-live-without-file-type-det.patch \ - file://0001-Update-exported-symbol-list.patch \ - file://0001-tests-Include-math.h-for-fabs-definition.patch \ " -SRCREV = "45b161d73ec087a8e003747b1aed07cd33589bca" +# last release was in 2015, use latest hash from 2024-05-30 +PV .= "+git" +SRCREV = "f3094754a7c2a7e55c35621d20fa9945736e72df" S = "${WORKDIR}/git" CVE_PRODUCT:append = " libsox_project:libsox sound_exchange_project:sound_exchange" From patchwork Sun Mar 16 22:53:50 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 59210 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 23B27C35FF7 for ; Sun, 16 Mar 2025 22:55:15 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.web10.39871.1742165709649645793 for ; Sun, 16 Mar 2025 15:55:09 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=OgdbgJPV; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-256628-202503162255075c44e4fcdd4f0badfc-gtdolj@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 202503162255075c44e4fcdd4f0badfc for ; Sun, 16 Mar 2025 23:55:07 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; 
From: Peter Marko
To: openembedded-devel@lists.openembedded.org
Cc: Peter Marko
Subject: [meta-multimedia][PATCH 04/12] sox: mark CVEs included in hash update as fixed
Date: Sun, 16 Mar 2025 23:53:50 +0100
Message-Id: <20250316225358.2816208-4-peter.marko@siemens.com>
In-Reply-To: <20250316225358.2816208-1-peter.marko@siemens.com>
References: <20250316225358.2816208-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/116009

git log sox-14.4.2..HEAD | grep -o 'CVE-[0-9-]*' | sort -u
CVE-2017-11332
CVE-2017-11358
CVE-2017-11359
CVE-2017-15370
CVE-2017-15371
CVE-2017-15372
CVE-2017-15642
CVE-2017-18189
CVE-2019-13590
CVE-2019-8354
CVE-2019-8355
CVE-2019-8356
CVE-2019-8357

The following remaining CVEs are handled in commits:
CVE-2019-1010004
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-1010004
- report: https://sourceforge.net/p/sox/bugs/299/
- patch: https://sourceforge.net/p/sox/code/ci/09d7388c8ad5701ed9c59d1d600ff6154b066397/
- same commit as CVE-2017-18189, as mentioned in the NVD and bug report texts
- https://security-tracker.debian.org/tracker/CVE-2019-1010004 links it
- it's the only commit in src/xa.c in the last 15 years

Signed-off-by: Peter Marko
---
 meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb
index e3c228858c..e8294a05af 100644
--- a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb
+++ b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb
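Review bot: the `CVE_STATUS_HASH_UPDATE` group marks fourteen IDs with the single status `fixed-version: patched in current git hash`, but nothing in the recipe records which range was checked; put the `git log sox-14.4.2..HEAD` command and the `f3094754` hash from the commit message into the status text or a comment above the group, so the next `SRCREV` bump can be re-verified instead of inherited blindly. CVE-2019-1010004 does not appear in the grep output and is only justified in the commit message (same upstream commit as CVE-2017-18189); that reasoning belongs in the recipe as a comment next to the ID, since the commit message is not what a later reader of the recipe sees.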
@@ -38,6 +38,14 @@ S = "${WORKDIR}/git" CVE_PRODUCT:append = " libsox_project:libsox sound_exchange_project:sound_exchange" +CVE_STATUS_GROUPS += "CVE_STATUS_HASH_UPDATE" +CVE_STATUS_HASH_UPDATE = " \ + CVE-2017-11332 CVE-2017-11358 CVE-2017-11359 CVE-2017-15370 CVE-2017-15371 \ + CVE-2017-15372 CVE-2017-15642 CVE-2017-18189 CVE-2019-13590 CVE-2019-8354 \ + CVE-2019-8355 CVE-2019-8356 CVE-2019-8357 CVE-2019-1010004 \ +" +CVE_STATUS_HASH_UPDATE[status] = "fixed-version: patched in current git hash" + inherit autotools pkgconfig # Enable largefile support From patchwork Sun Mar 16 22:53:51 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 59208 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1BF33C35FF3 for ; Sun, 16 Mar 2025 22:55:15 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.web10.39871.1742165709649645793 for ; Sun, 16 Mar 2025 15:55:11 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=X/Uw+Bln; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-256628-2025031622551057b5f0370b53edf0bc-xy41yb@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 2025031622551057b5f0370b53edf0bc for ; Sun, 16 Mar 2025 23:55:10 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=nSVgdpjsf0C1p87jo4tJmyarwPQqmPuIdWcNo4mw12g=; 
From: Peter Marko
To: openembedded-devel@lists.openembedded.org
Cc: Peter Marko
Subject: [meta-multimedia][PATCH 05/12] sox: patch CVE-2021-3643 and CVE-2021-23210
Date: Sun, 16 Mar 2025 23:53:51 +0100
Message-Id: <20250316225358.2816208-5-peter.marko@siemens.com>
In-Reply-To: <20250316225358.2816208-1-peter.marko@siemens.com>
References: <20250316225358.2816208-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/116010

Use patch from Debian:
https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2021-3643.patch

Signed-off-by: Peter Marko
---
 .../sox/CVE-2021-3643_CVE-2021-23210.patch    | 30 +++++++++++++++++++
 .../recipes-multimedia/sox/sox_14.4.2.bb      |  1 +
 2 files changed, 31 insertions(+)
 create mode 100644 meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-3643_CVE-2021-23210.patch

diff --git a/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-3643_CVE-2021-23210.patch b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-3643_CVE-2021-23210.patch
new file mode 100644
index 0000000000..f58d2fd774
--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-3643_CVE-2021-23210.patch
@@ -0,0 +1,30 @@ +From 5b9a7c0fc7054b4f16a5058eef721470e9adcfcc Mon Sep 17 00:00:00 2001 +From: Helmut Grohne +Date: Sun, 16 Mar 2025 21:16:40 +0100 +Subject: [PATCH] voc: word width should never be 0 to avoid division by zero + +Source: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2021-3643.patch + +CVE: CVE-2021-3643 +CVE: CVE-2021-23210 +Upstream-Status: Inactive-Upstream [lastrelease: 2015] +Signed-off-by: Peter Marko +--- + src/voc.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/voc.c b/src/voc.c +index a75639e9..0ca07f94 100644 +--- a/src/voc.c ++++ b/src/voc.c +@@ -625,6 +625,10 @@ static int getblock(sox_format_t * ft) + v->rate = new_rate_32; + ft->signal.rate = new_rate_32; + lsx_readb(ft, &uc); ++ if (uc <= 1) { ++ lsx_fail_errno(ft, SOX_EFMT, "2 bits per word required"); ++ return (SOX_EOF); ++ } + v->size = uc; + lsx_readb(ft, &uc); + if (v->channels != -1 && uc != v->channels) { diff --git a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb index e8294a05af..a87f4de131 100644 --- a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb +++ b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb 
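Review bot: the new check `if (uc <= 1)` rejects word widths 0 and 1, but the message "2 bits per word required" reads as if exactly 2 were required; say "at least 2 bits per word" so the error matches the condition. The return value of the preceding `lsx_readb(ft, &uc)` is still not checked, so on a short read the test runs on whatever `uc` held before; that is pre-existing, but the patch description should say so since this is the line the fix hangs on. Finally, `Upstream-Status: Inactive-Upstream [lastrelease: 2015]` contradicts this very series, which just moved the recipe to a git tree with commits from 2024; since the change is a Debian LTS patch, either submit it upstream and use `Submitted` or `Pending`, or explain in the header why upstream will not take it.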
@@ -29,6 +29,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.GPL;md5=751419260aa954499f7abaabaa882bbe \ SRC_URI = "git://git.code.sf.net/p/sox/code;protocol=https;branch=master \ file://0001-remove-the-error-line-and-live-without-file-type-det.patch \ + file://CVE-2021-3643_CVE-2021-23210.patch \ " # last release was in 2015, use latest hash from 2024-05-30 From patchwork Sun Mar 16 22:53:52 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 59213 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1CEB0C35FF3 for ; Sun, 16 Mar 2025 22:55:25 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by mx.groups.io with SMTP id smtpd.web11.39878.1742165715790282342 for ; Sun, 16 Mar 2025 15:55:16 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=bvmNjw1j; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-256628-202503162255130a29a230fc8fcb47a7-rlmnnb@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 202503162255130a29a230fc8fcb47a7 for ; Sun, 16 Mar 2025 23:55:14 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=FgQ/8u6KCEDBlvSekJafVZLK3ZjHID6b0PS7vSLCGpw=; b=bvmNjw1jKATJM1dRoRih7Sh9SaLCuITamGoexZqqkDQGfP7z8tMBs5U/A7ugLQmG0NnXrk 91Vq567zUq7jNuy9wDrzKA2A3jRoBEoL9ZkzDMAK9no/eCeLWxJDO/sjRXal8cd90y72uJmO c9Awbsp1yfe51Tzh0syr9JKJ9N5Kk4tR3ZB3QmQTyyS1PEKudsvSh06bKSJKTvPFEhRPp1E1 
From: Peter Marko
To: openembedded-devel@lists.openembedded.org
Cc: Peter Marko
Subject: [meta-multimedia][PATCH 06/12] sox: patch CVE-2021-23159 and CVE-2021-2317
Date: Sun, 16 Mar 2025 23:53:52 +0100
Message-Id: <20250316225358.2816208-6-peter.marko@siemens.com>
In-Reply-To: <20250316225358.2816208-1-peter.marko@siemens.com>
References: <20250316225358.2816208-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/116011

Use patch from Debian:
https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2021-23159.patch

Signed-off-by: Peter Marko
---
 .../sox/CVE-2021-23159_CVE-2021-2317.patch    | 31 +++++++++++++++++++
 .../recipes-multimedia/sox/sox_14.4.2.bb      |  1 +
 2 files changed, 32 insertions(+)
 create mode 100644 meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-23159_CVE-2021-2317.patch

diff --git a/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-23159_CVE-2021-2317.patch b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-23159_CVE-2021-2317.patch
new file mode 100644
index 0000000000..472e4bac60
--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-23159_CVE-2021-2317.patch
@@ -0,0 +1,31 @@ +From 8eb3afb37f80d7231a998e3074e6fc5f7bdfe4d5 Mon Sep 17 00:00:00 2001 +From: Helmut Grohne +Date: Sun, 16 Mar 2025 20:28:15 +0100 +Subject: [PATCH] hcom: validate dictsize + +Source: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2021-23159.patch + +CVE: CVE-2021-23159 +CVE: CVE-2021-23172 +Upstream-Status: Inactive-Upstream [lastrelease: 2015] +Signed-off-by: Peter Marko +--- + src/hcom.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/hcom.c b/src/hcom.c +index 594c8706..9e8b03c6 100644 +--- a/src/hcom.c ++++ b/src/hcom.c +@@ -141,6 +141,11 @@ static int startread(sox_format_t * ft) + return (SOX_EOF); + } + lsx_readw(ft, &dictsize); ++ if (dictsize == 0 || dictsize > 511) ++ { ++ lsx_fail_errno(ft, SOX_EHDR, "Implausible dictionary size in HCOM header"); ++ return SOX_EOF; ++ } + + /* Translate to sox parameters */ + ft->encoding.encoding = SOX_ENCODING_HCOM; diff --git a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb index a87f4de131..bfa1d9c2d4 100644 --- a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb +++ b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb 
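Review bot: the patch header tags `CVE: CVE-2021-23172` while the file is named `CVE-2021-23159_CVE-2021-2317.patch` and the subject line says `CVE-2021-2317`; these must agree. cve-check derives patched IDs both from the `CVE:` header lines and from the last `CVE-YYYY-NNNN` in the patch file name, so as written the file name would mark `CVE-2021-2317` as patched, not `CVE-2021-23172`; rename the file (and fix the subject) to the ID the header and the Debian source actually address. In the hunk itself, the bounds `dictsize == 0 || dictsize > 511` carry no explanation; add a short comment saying where 511 comes from (the size of the dictionary the reader fills) so the limit is not loosened later without understanding it.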
@@ -30,6 +30,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.GPL;md5=751419260aa954499f7abaabaa882bbe \ SRC_URI = "git://git.code.sf.net/p/sox/code;protocol=https;branch=master \ file://0001-remove-the-error-line-and-live-without-file-type-det.patch \ file://CVE-2021-3643_CVE-2021-23210.patch \ + file://CVE-2021-23159_CVE-2021-2317.patch \ " # last release was in 2015, use latest hash from 2024-05-30 From patchwork Sun Mar 16 22:53:53 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 59212 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 251BBC35FF7 for ; Sun, 16 Mar 2025 22:55:25 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by mx.groups.io with SMTP id smtpd.web11.39878.1742165715790282342 for ; Sun, 16 Mar 2025 15:55:17 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=MCiTtNsO; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-256628-20250316225517d7ace2ac3092bc238a-konfmm@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 20250316225517d7ace2ac3092bc238a for ; Sun, 16 Mar 2025 23:55:17 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=g0a+T6A9MMgIrCjUSNmsBZbvnjVhUtouujHZSHuutfs=; b=MCiTtNsOiLiSIseS7r2T1cYAhm0y0vChKc8AHTIIB1jzHcl0vwTBcedIMcCDR4GWljwtsq pV/ns4X2O32igxBKJwjzgzs6cme3Sj/Go1b6EZbX181JLZOeZsG7ZR+kJENVFcttH/iAM5MN 
ghhg4B3TLfFMaHMYbO4jvFGgbFnJxMF7s8W7VDhZMGxxmeL0GtKM8haeslXTQm6RhGnewVZe o85jA1+kdZWO9MZ8m0tKc5gA0KPOVKQpKQJucGC2IFmErdAyWegItC1DT3KOUIl8GVDNFZ3N a+Q+akehgLK5YbgRMVXacCUagBXxhmxeOgLzBpFTUW0qsThWDb2DX+cA==; From: Peter Marko To: openembedded-devel@lists.openembedded.org Cc: Peter Marko Subject: [meta-multimedia][PATCH 07/12] sox: patch CVE-2021-33844 Date: Sun, 16 Mar 2025 23:53:53 +0100 Message-Id: <20250316225358.2816208-7-peter.marko@siemens.com> In-Reply-To: <20250316225358.2816208-1-peter.marko@siemens.com> References: <20250316225358.2816208-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 16 Mar 2025 22:55:25 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/116012 From: Peter Marko Use patch from Debian: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2021-33844.patch Signed-off-by: Peter Marko --- .../sox/sox/CVE-2021-33844.patch | 40 +++++++++++++++++++ .../recipes-multimedia/sox/sox_14.4.2.bb | 1 + 2 files changed, 41 insertions(+) create mode 100644 meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-33844.patch diff --git a/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-33844.patch b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-33844.patch new file mode 100644 index 0000000000..02c3edb35d --- /dev/null +++ b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-33844.patch 
@@ -0,0 +1,40 @@ +From f2597e433afeee8ab00cf6368ec8519df34aa031 Mon Sep 17 00:00:00 2001 +From: Helmut Grohne +Date: Sun, 16 Mar 2025 23:19:43 +0100 +Subject: [PATCH] wav: reject 0 bits per sample to avoid division by zero + +Source: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2021-33844.patch + +CVE: CVE-2021-33844 +Upstream-Status: Inactive-Upstream [lastrelease: 2015] +Signed-off-by: Peter Marko +--- + src/testall.sh | 1 + + src/wav.c | 5 +++++ + 2 files changed, 6 insertions(+) + +diff --git a/src/testall.sh b/src/testall.sh +index e7398377..e1454c21 100755 +--- a/src/testall.sh ++++ b/src/testall.sh +@@ -67,3 +67,4 @@ t voc + t vox -r 8130 + t wav + t wve ++t wav -e gsm-full-rate +diff --git a/src/wav.c b/src/wav.c +index 3f6beb45..16f0bff8 100644 +--- a/src/wav.c ++++ b/src/wav.c +@@ -963,6 +963,11 @@ static int startread(sox_format_t *ft) + #endif + } + ++ if (ft->encoding.bits_per_sample == 0) ++ { ++ lsx_fail_errno(ft, SOX_EHDR, "WAV file bits per sample is zero"); ++ return SOX_EOF; ++ } + if (!wav->numSamples) + wav->numSamples = div_bits(qwDataLength, ft->encoding.bits_per_sample) + / ft->signal.channels; diff --git a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb index bfa1d9c2d4..18ca7d504d 100644 --- a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb +++ b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb 
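Review bot: the new `bits_per_sample == 0` check in startread() guards the `div_bits(qwDataLength, ft->encoding.bits_per_sample)` call that follows, but it is placed after the `#endif` of a conditional block; confirm that every path that fills ft->encoding.bits_per_sample (including the GSM path that the new `t wav -e gsm-full-rate` test exercises) runs before this point, otherwise an encoding that sets the field later would be rejected. The same expression also divides by `ft->signal.channels` on the next line; if the channel count is not validated earlier in startread(), a zero there gives the same division by zero, and the check should cover it. A one-line comment naming the division this protects would help the next reader. Style: the testall.sh entry is appended after `t wve` while the surrounding list is alphabetical (voc, vox, wav, wve); placing it beside `t wav` keeps the two wav cases together.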
@@ -31,6 +31,7 @@ SRC_URI = "git://git.code.sf.net/p/sox/code;protocol=https;branch=master \ file://0001-remove-the-error-line-and-live-without-file-type-det.patch \ file://CVE-2021-3643_CVE-2021-23210.patch \ file://CVE-2021-23159_CVE-2021-2317.patch \ + file://CVE-2021-33844.patch \ " # last release was in 2015, use latest hash from 2024-05-30 From patchwork Sun Mar 16 22:53:54 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 59211 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1CE53C35FF1 for ; Sun, 16 Mar 2025 22:55:25 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.web11.39881.1742165723571077800 for ; Sun, 16 Mar 2025 15:55:23 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=j0ZqF+FZ; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-256628-202503162255215bc2a188e899bda551-jgixkh@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 202503162255215bc2a188e899bda551 for ; Sun, 16 Mar 2025 23:55:21 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=/ATY9ltZwtk7orszoWaKMZYuugBHOoO+RFUjB4OqT/E=; b=j0ZqF+FZzE9hNgx2Ab4pRw6nMKeENWKDYA8TZL+3JHYSzXvRYcyxhmtMVeuakOUQ1R9TdS 6n7vC1IMe9z1/0dgmhRBWJcqVa0bAxfmXDsxMu6FUswAMb4P3dSLN1yO6+4HKiZ/QGALSesE eno0Nd74/lYuhGTQ7N0ejxlr+cT6zKFzsVSJ0vAeXSd3RvKvms4s8Ue6jZIBKSlOIsXdcOSi 
pKxKlB7JTaQ4+BYKFyK1UptJm7NONLK2v0rDnOS8JN8sIUXt0vtshNoAd4pvRnRFnDHk/YtO hjkqMT35ftOMwCGfAdM4OfHhUD504spuwy47zXKVI1+XSb/8hCKFTTrQ==; From: Peter Marko To: openembedded-devel@lists.openembedded.org Cc: Peter Marko Subject: [meta-multimedia][PATCH 08/12] sox: patch CVE-2021-40426 Date: Sun, 16 Mar 2025 23:53:54 +0100 Message-Id: <20250316225358.2816208-8-peter.marko@siemens.com> In-Reply-To: <20250316225358.2816208-1-peter.marko@siemens.com> References: <20250316225358.2816208-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 16 Mar 2025 22:55:25 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/116013 From: Peter Marko Use patch from Debian: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2021-40426.patch Signed-off-by: Peter Marko --- .../sox/sox/CVE-2021-40426.patch | 38 +++++++++++++++++++ .../recipes-multimedia/sox/sox_14.4.2.bb | 1 + 2 files changed, 39 insertions(+) create mode 100644 meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-40426.patch diff --git a/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-40426.patch b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-40426.patch new file mode 100644 index 0000000000..9e505a03a7 --- /dev/null +++ b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-40426.patch 
@@ -0,0 +1,38 @@ +From 25f686e0da423326a74fe16c603b6b6b75857fa4 Mon Sep 17 00:00:00 2001 +From: Helmut Grohne +Date: Sun, 16 Mar 2025 20:07:19 +0100 +Subject: [PATCH] sphere: avoid integer underflow + +Source: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2021-40426.patch + +CVE: CVE-2021-40426 +Upstream-Status: Inactive-Upstream [lastrelease: 2015] +Signed-off-by: Peter Marko +--- + src/sphere.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/sphere.c b/src/sphere.c +index a3fd1c64..9544d160 100644 +--- a/src/sphere.c ++++ b/src/sphere.c +@@ -63,7 +63,8 @@ static int start_read(sox_format_t * ft) + return (SOX_EOF); + } + +- header_size -= (strlen(buf) + 1); ++ bytes_read = strlen(buf); ++ header_size -= bytes_read >= header_size ? header_size : bytes_read + 1; + + while (strncmp(buf, "end_head", (size_t)8) != 0) { + if (strncmp(buf, "sample_n_bytes", (size_t)14) == 0) +@@ -105,7 +106,8 @@ static int start_read(sox_format_t * ft) + return (SOX_EOF); + } + +- header_size -= (strlen(buf) + 1); ++ bytes_read = strlen(buf); ++ header_size -= bytes_read >= header_size ? header_size : bytes_read + 1; + } + + if (!bytes_per_sample) diff --git a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb index 18ca7d504d..022a2d6b59 100644 --- a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb +++ b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb 
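Review bot: the clamp `header_size -= bytes_read >= header_size ? header_size : bytes_read + 1;` appears twice in start_read() (before and inside the `end_head` loop); factor it into a small static helper so both sites stay in sync, and add a comment saying it stops header_size from going below zero when a header line is longer than the remaining declared header size. Two things to confirm from code the hunk does not show: that `bytes_read` is already declared in start_read() with a type comparable to header_size (no declaration is added here), and what happens once header_size reaches 0 while `end_head` has still not been seen, since the loop condition only tests for the marker. A header whose declared size is exhausted before `end_head` is malformed; failing with SOX_EHDR at that point would be clearer than continuing with header_size pinned at 0.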
@@ -32,6 +32,7 @@ SRC_URI = "git://git.code.sf.net/p/sox/code;protocol=https;branch=master \ file://CVE-2021-3643_CVE-2021-23210.patch \ file://CVE-2021-23159_CVE-2021-2317.patch \ file://CVE-2021-33844.patch \ + file://CVE-2021-40426.patch \ " # last release was in 2015, use latest hash from 2024-05-30 From patchwork Sun Mar 16 22:53:55 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 59215 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1A7D8C35FF3 for ; Sun, 16 Mar 2025 22:55:35 +0000 (UTC) Received: from mta-65-227.siemens.flowmailer.net (mta-65-227.siemens.flowmailer.net [185.136.65.227]) by mx.groups.io with SMTP id smtpd.web10.39882.1742165728283690681 for ; Sun, 16 Mar 2025 15:55:28 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=D4ukzOco; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.227, mailfrom: fm-256628-20250316225526cbeddbad4734004cae-u0umvi@rts-flowmailer.siemens.com) Received: by mta-65-227.siemens.flowmailer.net with ESMTPSA id 20250316225526cbeddbad4734004cae for ; Sun, 16 Mar 2025 23:55:26 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=WXHR8juA2D/5a15b2BkBOGKyCHNzbLy2UO1bhaM2Qdk=; b=D4ukzOcoaD8uhDPwB5EP1iXyCJvk7tqcwrJNxVpVyDuitnqEkgB+ABBtDwB2WIHZVgTT1d xqJ+s5PqQLBeWzkYQIFrx9jmlV/BAJoDQ0kIMn240blPsz1jaVBrFqpiyCzLErnv7xeiK17Q g1owTwNAW4zO+As6i2HzjH46d0RuEjQomr7Ba8WqWYonuzCE5AFCPWy7h3aRx4A+sVEYXM2y V/X+sUXAWrlKuYZ7Mkm9gN3VW+XAJw4n2eBUsDN1N5LJZmI5f1Zc72e8FoJToFGu3pYKkW2/ 
/PDwZtUg/oC2NxuR5ANKVVxcwJQ9S2eLf7dL28uVybUICCG9SP84Yc0A==; From: Peter Marko To: openembedded-devel@lists.openembedded.org Cc: Peter Marko Subject: [meta-multimedia][PATCH 09/12] sox: patch CVE-2022-31650 Date: Sun, 16 Mar 2025 23:53:55 +0100 Message-Id: <20250316225358.2816208-9-peter.marko@siemens.com> In-Reply-To: <20250316225358.2816208-1-peter.marko@siemens.com> References: <20250316225358.2816208-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 16 Mar 2025 22:55:35 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/116014 From: Peter Marko Use patch from Debian: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2022-31650.patch Signed-off-by: Peter Marko --- .../sox/sox/CVE-2022-31650.patch | 60 +++++++++++++++++++ .../recipes-multimedia/sox/sox_14.4.2.bb | 1 + 2 files changed, 61 insertions(+) create mode 100644 meta-multimedia/recipes-multimedia/sox/sox/CVE-2022-31650.patch diff --git a/meta-multimedia/recipes-multimedia/sox/sox/CVE-2022-31650.patch b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2022-31650.patch new file mode 100644 index 0000000000..41baad0e27 --- /dev/null +++ b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2022-31650.patch 
@@ -0,0 +1,60 @@ +From 3a8e783c58499bb52052c671b9161c43e011a508 Mon Sep 17 00:00:00 2001 +From: Helmut Grohne +Date: Sun, 16 Mar 2025 20:08:04 +0100 +Subject: [PATCH] formats+aiff: reject implausibly large number of channels + +Source: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2022-31650.patch + +CVE: CVE-2022-31650 +Upstream-Status: Inactive-Upstream [lastrelease: 2015] +Signed-off-by: Peter Marko +--- + src/aiff.c | 5 +++++ + src/formats_i.c | 10 ++++++++-- + 2 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/src/aiff.c b/src/aiff.c +index 3a152c58..6de94f32 100644 +--- a/src/aiff.c ++++ b/src/aiff.c +@@ -619,6 +619,11 @@ int lsx_aiffstartwrite(sox_format_t * ft) + At 48 kHz, 16 bits stereo, this gives ~3 hours of audio. + Sorry, the AIFF format does not provide for an indefinite + number of samples. */ ++ if (ft->signal.channels >= (0x7f000000 / (ft->encoding.bits_per_sample >> 3))) ++ { ++ lsx_fail_errno(ft, SOX_EOF, "too many channels for AIFF header"); ++ return SOX_EOF; ++ } + return(aiffwriteheader(ft, (uint64_t) 0x7f000000 / ((ft->encoding.bits_per_sample>>3)*ft->signal.channels))); + } + +diff --git a/src/formats_i.c b/src/formats_i.c +index 7048040d..6a7c27e3 100644 +--- a/src/formats_i.c ++++ b/src/formats_i.c +@@ -19,6 +19,7 @@ + */ + + #include "sox_i.h" ++#include + #include + #include + #include +@@ -60,9 +61,14 @@ int lsx_check_read_params(sox_format_t * ft, unsigned channels, + if (ft->seekable) + ft->data_start = lsx_tell(ft); + +- if (channels && ft->signal.channels && ft->signal.channels != channels) ++ if (channels && ft->signal.channels && ft->signal.channels != channels) { + lsx_warn("`%s': overriding number of channels", ft->filename); +- else ft->signal.channels = channels; ++ } else if (channels > SHRT_MAX) { ++ lsx_fail_errno(ft, EINVAL, "implausibly large number of channels"); ++ return SOX_EOF; ++ } else { ++ ft->signal.channels = channels; ++ } + + if 
(rate && ft->signal.rate && ft->signal.rate != rate) + lsx_warn("`%s': overriding sample rate", ft->filename); diff --git a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb index 022a2d6b59..e66c10a56d 100644 --- a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb +++ b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb 
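Review bot: the new guard in lsx_aiffstartwrite() divides by `ft->encoding.bits_per_sample >> 3` itself, so if bits_per_sample is not guaranteed to be at least 8 at this point, a value below 8 (0 included) makes the check crash with the same division by zero it is meant to keep out of the aiffwriteheader() call; test `bits_per_sample >= 8` first or fold both conditions into one expression. The failure is reported with `lsx_fail_errno(ft, SOX_EOF, ...)`, whereas the other hunks in this series pass an errno-style code (SOX_EHDR, EINVAL); SOX_EOF as the errno argument looks like a copy of the return value rather than an error code.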
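Review bot: the added `#include` line in formats_i.c shows no header name in this rendering; SHRT_MAX needs <limits.h>, so confirm the committed patch reads `#include <limits.h>` (the neighbouring includes lost their names the same way, so this is most likely an archive artifact, but check before merging). Note also that the limit only applies in the else branch of lsx_check_read_params(): when ft->signal.channels was already set and differs from `channels`, the code warns and keeps the existing value, so an implausible header value is discarded rather than rejected there; that is acceptable, but a comment stating that the header value is ignored on that path would make the intent explicit.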
@@ -33,6 +33,7 @@ SRC_URI = "git://git.code.sf.net/p/sox/code;protocol=https;branch=master \ file://CVE-2021-23159_CVE-2021-2317.patch \ file://CVE-2021-33844.patch \ file://CVE-2021-40426.patch \ + file://CVE-2022-31650.patch \ " # last release was in 2015, use latest hash from 2024-05-30 From patchwork Sun Mar 16 22:53:56 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 59214 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1A7A5C35FF1 for ; Sun, 16 Mar 2025 22:55:35 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.web11.39885.1742165733211563336 for ; Sun, 16 Mar 2025 15:55:33 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=XBnc7d+O; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-256628-20250316225531deb3fc482dc44b4463-rq2adh@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 20250316225531deb3fc482dc44b4463 for ; Sun, 16 Mar 2025 23:55:31 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=o3xtVJ6pRdaTIZrI7im30XBileOZ6Vwe76P1Q38J0oY=; b=XBnc7d+OXlNeck4amITVqa0XZYuIQof2kWGsNTZMbrJg7CCzW9bmWkENMtWcfLIbTjVR9v pRb8L/kY1nXdfCkDnVMuzdFiDk4vb/ZA/O4HHBYUwa1DUrPIFvakCIKq32Mnw0h8yI1qxGBH voCeVqq/Jrw0I312rHRjCJfKQ966bYq4a2E0LUUAc0a3yCGf5Yu6vE6z0RiIkDyH44nsRsFo 5ZA75HsHlnGqXBf//Zpt3xbbvv+5ILw/22Aez9LWAlyxPWhkUjSMw0AWswZNLFxE2/v0ynGp 
Dp2G2zZKIRWjrC8I2PAiUbO6D7gcJUfykjt9z9bSqUREhU3eaWuYPmwQ==; From: Peter Marko To: openembedded-devel@lists.openembedded.org Cc: Peter Marko Subject: [meta-multimedia][PATCH 10/12] sox: patch CVE-2022-31651 Date: Sun, 16 Mar 2025 23:53:56 +0100 Message-Id: <20250316225358.2816208-10-peter.marko@siemens.com> In-Reply-To: <20250316225358.2816208-1-peter.marko@siemens.com> References: <20250316225358.2816208-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 16 Mar 2025 22:55:35 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/116015 From: Peter Marko Use patch from Debian: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2022-31651.patch Signed-off-by: Peter Marko --- .../sox/sox/CVE-2022-31651.patch | 36 +++++++++++++++++++ .../recipes-multimedia/sox/sox_14.4.2.bb | 1 + 2 files changed, 37 insertions(+) create mode 100644 meta-multimedia/recipes-multimedia/sox/sox/CVE-2022-31651.patch diff --git a/meta-multimedia/recipes-multimedia/sox/sox/CVE-2022-31651.patch b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2022-31651.patch new file mode 100644 index 0000000000..853a69d210 --- /dev/null +++ b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2022-31651.patch 
@@ -0,0 +1,36 @@ +From db9641ce748bdfb465fdfa9b7794de2f8da0a249 Mon Sep 17 00:00:00 2001 +From: Helmut Grohne +Date: Sun, 16 Mar 2025 20:08:13 +0100 +Subject: [PATCH] formats: reject implausible rate + +Source: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2022-31651.patch + +CVE: CVE-2022-31651 +Upstream-Status: Inactive-Upstream [lastrelease: 2015] +Signed-off-by: Peter Marko +--- + src/formats_i.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/src/formats_i.c b/src/formats_i.c +index 6a7c27e3..5f5ef979 100644 +--- a/src/formats_i.c ++++ b/src/formats_i.c +@@ -70,9 +70,15 @@ int lsx_check_read_params(sox_format_t * ft, unsigned channels, + ft->signal.channels = channels; + } + +- if (rate && ft->signal.rate && ft->signal.rate != rate) ++ if (rate && ft->signal.rate && ft->signal.rate != rate) { + lsx_warn("`%s': overriding sample rate", ft->filename); +- else ft->signal.rate = rate; ++ /* Since NaN comparisons yield false, the negation rejects them. */ ++ } else if (!(rate > 0)) { ++ lsx_fail_errno(ft, EINVAL, "invalid rate value"); ++ return SOX_EOF; ++ } else { ++ ft->signal.rate = rate; ++ } + + if (encoding && ft->encoding.encoding && ft->encoding.encoding != encoding) + lsx_warn("`%s': overriding encoding type", ft->filename); diff --git a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb index e66c10a56d..94072cb35a 100644 --- a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb +++ b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb 
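Review bot: the comment `/* Since NaN comparisons yield false, the negation rejects them. */` is placed inside the first if-block after the lsx_warn() line, but it explains the `else if (!(rate > 0))` that follows; move it directly above that `else if` or into its block. The mention of NaN implies rate is a floating-point value, and `!(rate > 0)` rejects 0, negative values and NaN but not +infinity; an infinite rate passes here and would need an `isfinite()` check or an explicit upper bound to keep later size and duration computations from overflowing.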
@@ -34,6 +34,7 @@ SRC_URI = "git://git.code.sf.net/p/sox/code;protocol=https;branch=master \ file://CVE-2021-33844.patch \ file://CVE-2021-40426.patch \ file://CVE-2022-31650.patch \ + file://CVE-2022-31651.patch \ " # last release was in 2015, use latest hash from 2024-05-30 From patchwork Sun Mar 16 22:53:57 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 59216 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1CB3BC35FF3 for ; Sun, 16 Mar 2025 22:55:45 +0000 (UTC) Received: from mta-65-226.siemens.flowmailer.net (mta-65-226.siemens.flowmailer.net [185.136.65.226]) by mx.groups.io with SMTP id smtpd.web10.39886.1742165736402115729 for ; Sun, 16 Mar 2025 15:55:36 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=SoZyWbn2; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.226, mailfrom: fm-256628-202503162255349f19052e5cf8581401-_ejxer@rts-flowmailer.siemens.com) Received: by mta-65-226.siemens.flowmailer.net with ESMTPSA id 202503162255349f19052e5cf8581401 for ; Sun, 16 Mar 2025 23:55:34 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=3plD5DB0OC29KtQu6wu64NgcPG4PKJoIbWLkG6RAUrI=; b=SoZyWbn2jlOk4BQ3itej8VVRMz8feVm5n+f/iWFBHUy1hZtulwVsPzinuYGSyT5SEs4LsQ yWPH2AF3jqD4VCFvb7SVK/iFlkziBeIO45WhxI3pNOoPCquxRHPeX+13EOGAYjGjJM+g1sbx jGjglpKU7dHwBJ12YNSAw5iF//UaO3DIQMvSbBYJrl9aAQzEis3AUYGFxIoEV2EiSVGgM4Kd Jbr1a/Th+r6FFh+5dRLLmYSndGQrZfwZKUehc4rNu8Iqvwbpwlsp3Ig4rOWaN7bf1rYT0WvG 
0gPbc3ZDc82uPhP0G+Z39YS+dWR02QAIOR/fLJ47e9bBQ68FtJCCe4mA==; From: Peter Marko To: openembedded-devel@lists.openembedded.org Cc: Peter Marko Subject: [meta-multimedia][PATCH 11/12] sox: patch CVE-2023-32627 Date: Sun, 16 Mar 2025 23:53:57 +0100 Message-Id: <20250316225358.2816208-11-peter.marko@siemens.com> In-Reply-To: <20250316225358.2816208-1-peter.marko@siemens.com> References: <20250316225358.2816208-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 16 Mar 2025 22:55:45 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/116016 From: Peter Marko Use patch from Debian: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/0028-CVE-2023-32627-Filter-null-sampling-rate-in-VOC-code.patch Signed-off-by: Peter Marko --- .../sox/sox/CVE-2023-32627.patch | 30 +++++++++++++++++++ .../recipes-multimedia/sox/sox_14.4.2.bb | 1 + 2 files changed, 31 insertions(+) create mode 100644 meta-multimedia/recipes-multimedia/sox/sox/CVE-2023-32627.patch diff --git a/meta-multimedia/recipes-multimedia/sox/sox/CVE-2023-32627.patch b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2023-32627.patch new file mode 100644 index 0000000000..b4e9994eab --- /dev/null +++ b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2023-32627.patch 
@@ -0,0 +1,30 @@ +From b0b7e7fa7a48485c4d6b0ae64bfddedd519716f5 Mon Sep 17 00:00:00 2001 +From: =?utf-8?q?Bastien_Roucari=C3=A8s?= +Date: Sun, 16 Mar 2025 23:25:15 +0100 +Subject: [PATCH] CVE-2023-32627 Filter null sampling rate in VOC coder + +Source: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/0028-CVE-2023-32627-Filter-null-sampling-rate-in-VOC-code.patch + +CVE: CVE-2023-32627 +Upstream-Status: Inactive-Upstream [lastrelease: 2015] +Signed-off-by: Peter Marko +--- + src/voc.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/voc.c b/src/voc.c +index 0ca07f94..d8b982c5 100644 +--- a/src/voc.c ++++ b/src/voc.c +@@ -353,6 +353,11 @@ static size_t read_samples(sox_format_t * ft, sox_sample_t * buf, + v->block_remaining = 0; + return done; + } ++ if(uc == 0) { ++ lsx_fail_errno(ft, EINVAL, "invalid rate value"); ++ v->block_remaining = 0; ++ return done; ++ } + *buf = SOX_UNSIGNED_8BIT_TO_SAMPLE(uc,); + lsx_adpcm_init(&v->adpcm, 6 - v->size, SOX_SAMPLE_TO_SIGNED_16BIT(*buf, ft->clips)); + ++buf; diff --git a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb index 94072cb35a..7856407c67 100644 --- a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb +++ b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb 
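Review bot: the message `"invalid rate value"` does not describe what is visibly checked: `uc` is the byte fed to SOX_UNSIGNED_8BIT_TO_SAMPLE() and lsx_adpcm_init() as the initial ADPCM sample. If a zero here is what later produces the null sampling rate named in the subject, say so in a comment next to the check; otherwise reword the message so an error report points at the right field. Style: `if(uc == 0)` should read `if (uc == 0)` to match the surrounding code, and since the block right above ends with the same `v->block_remaining = 0; return done;` tail, a shared error exit would avoid repeating it.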
@@ -35,6 +35,7 @@ SRC_URI = "git://git.code.sf.net/p/sox/code;protocol=https;branch=master \ file://CVE-2021-40426.patch \ file://CVE-2022-31650.patch \ file://CVE-2022-31651.patch \ + file://CVE-2023-32627.patch \ " # last release was in 2015, use latest hash from 2024-05-30 From patchwork Sun Mar 16 22:53:58 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 59217 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1C165C35FF1 for ; Sun, 16 Mar 2025 22:55:45 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web11.39888.1742165741578162775 for ; Sun, 16 Mar 2025 15:55:41 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=eQpn7/uh; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-256628-202503162255391ed72cc8346724bb2c-a0vd6y@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 202503162255391ed72cc8346724bb2c for ; Sun, 16 Mar 2025 23:55:39 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=7nHeVJLlYQg0zjhozsrZ7f9Jh+KRrWxAxFIOewKXjM8=; b=eQpn7/uhNgW1q/N05L0dIlWo6kRN3T3Ic1fz6WUuOpLM9GBWFvjKRvKrMATO4G8nbVv1Rz aj6/qALjY/UThyeObaIdIbKUzhyZHSLSl325xL2H64EkdfrlyJXJakey+sLnNopTv7hQZLTA es2MA1fPr64d41Rpka0nlfYrA5ujFeV0egejDi8gcVA2ydQ0sSGs3mk6S38QLnG/oUfpttby mi5b7AVKw6JYBElJNIvBEb066xhaBg9hz8we4FdBTJhZEqE87LRg0CD5eNI1JDi7ml12SJwJ 
CnGD4MjphNEIwQKlVvV0mjxll2fvTOSewk0Fz/pJT5Gc11gnqLIE9LtA==; From: Peter Marko To: openembedded-devel@lists.openembedded.org Cc: Peter Marko Subject: [meta-multimedia][PATCH 12/12] sox: mark CVE-2023-34432 as patched Date: Sun, 16 Mar 2025 23:53:58 +0100 Message-Id: <20250316225358.2816208-12-peter.marko@siemens.com> In-Reply-To: <20250316225358.2816208-1-peter.marko@siemens.com> References: <20250316225358.2816208-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 16 Mar 2025 22:55:45 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/116017 From: Peter Marko Patch for CVE-2021-23159 fixes also this CVE. Stated by: * https://security-tracker.debian.org/tracker/CVE-2023-34432 * https://sourceforge.net/p/sox/bugs/367/ Signed-off-by: Peter Marko --- .../sox/sox/CVE-2021-23159_CVE-2021-2317.patch | 1 + 1 file changed, 1 insertion(+) diff --git a/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-23159_CVE-2021-2317.patch b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-23159_CVE-2021-2317.patch index 472e4bac60..df27cbcd65 100644 --- a/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-23159_CVE-2021-2317.patch +++ b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-23159_CVE-2021-2317.patch @@ -7,6 +7,7 @@ Source: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git2 CVE: CVE-2021-23159 CVE: CVE-2021-23172 +CVE: CVE-2023-34432 Upstream-Status: Inactive-Upstream [lastrelease: 2015] Signed-off-by: Peter Marko ---
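Review bot: adding `CVE: CVE-2023-34432` to the patch header is the right way to have cve-check record it as patched, and the two references in the commit message justify it. While this file is being touched, its name CVE-2021-23159_CVE-2021-2317.patch still disagrees with the `CVE: CVE-2021-23172` tag in the same header; renaming it here, together with the matching SRC_URI line, would also stop cve-check from reading the unrelated id CVE-2021-2317 out of the file name.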