An advisory has been issued today (December 22): http://www.ocert.org/advisories/ocert-2014-010.html

Patches are available in upstream git. Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated sox packages fix security vulnerability:

The sox command line tool is affected by two heap-based buffer overflows, respectively located in functions start_read() and AdpcmReadBlock(). A specially crafted wav file can be used to trigger the vulnerabilities (CVE-2014-8145).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8145
http://www.ocert.org/advisories/ocert-2014-010.html
========================

Updated packages in core/updates_testing:
========================
sox-14.4.1-3.1.mga4
libsox2-14.4.1-3.1.mga4
libsox-devel-14.4.1-3.1.mga4

from sox-14.4.1-3.1.mga4.src.rpm

Reproducible:

Steps to Reproduce:
Debian has issued an advisory for this on December 23: https://www.debian.org/security/2014/dsa-3112

I'll add their reference to the advisory.

Advisory:
========================

Updated sox packages fix security vulnerability:

The sox command line tool is affected by two heap-based buffer overflows, respectively located in functions start_read() and AdpcmReadBlock(). A specially crafted wav file can be used to trigger the vulnerabilities (CVE-2014-8145).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8145
http://www.ocert.org/advisories/ocert-2014-010.html
https://www.debian.org/security/2014/dsa-3112
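The advisory text in the two comments above only names the affected functions (start_read() and AdpcmReadBlock()) and the trigger (a crafted wav file); as an added illustration that is not sox's code or its upstream patch, the checker below shows the kind of validation a WAV reader needs on header-supplied lengths before it uses them to size or fill heap buffers. The constructed sample files and the specific checks (chunk size against file length, ADPCM cbSize against the fmt chunk, data size against block align) are assumptions of this example, not details taken from the advisory.

```python
import struct

WAVE_FORMAT_PCM, WAVE_FORMAT_ADPCM, WAVE_FORMAT_IMA_ADPCM = 0x0001, 0x0002, 0x0011

def check_wav(data: bytes) -> list:
    """Return the structural problems found in a RIFF/WAVE byte string. Every
    length the header declares is compared with the bytes actually present
    before it is trusted, the check a reader needs before sizing heap buffers."""
    problems, pos, fmt = [], 12, None
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        return ["not a RIFF/WAVE file"]
    if struct.unpack_from("<I", data, 4)[0] + 8 > len(data):
        problems.append("RIFF size exceeds the file")
    while pos + 8 <= len(data):
        cid, size = struct.unpack_from("<4sI", data, pos)
        body = pos + 8
        if body + size > len(data):
            problems.append(f"chunk {cid!r} declares {size} bytes, only {len(data) - body} present")
            break
        if cid == b"fmt " and size >= 16:
            tag, _ch, _rate, _bps, align, _bits = struct.unpack_from("<HHIIHH", data, body)
            fmt = {"tag": tag, "block_align": align}
            if tag in (WAVE_FORMAT_ADPCM, WAVE_FORMAT_IMA_ADPCM):
                # ADPCM formats append coefficients after a 16-bit cbSize field
                if size < 18:
                    problems.append("ADPCM fmt chunk lacks cbSize")
                elif 18 + struct.unpack_from("<H", data, body + 16)[0] > size:
                    problems.append("cbSize overruns the fmt chunk")
        elif cid == b"data":
            if fmt is None:
                problems.append("data chunk before fmt chunk")
            elif fmt["block_align"] and size % fmt["block_align"]:
                problems.append("data size is not a multiple of block align")
        pos = body + size + (size & 1)  # RIFF chunks are padded to even length
    if fmt is None:
        problems.append("no fmt chunk")
    return problems

def build_wav(fmt_body: bytes, payload: bytes, declared_data_size=None) -> bytes:
    """Assemble a WAV; declared_data_size lets a sample lie about its data length."""
    size = len(payload) if declared_data_size is None else declared_data_size
    body = (b"WAVE" + b"fmt " + struct.pack("<I", len(fmt_body)) + fmt_body
            + b"data" + struct.pack("<I", size) + payload)
    return b"RIFF" + struct.pack("<I", len(body)) + body

# Constructed samples: a well-formed 16-bit mono PCM file, and one whose ADPCM fmt
# chunk and data chunk both claim more bytes than the file holds.
PCM_OK = build_wav(struct.pack("<HHIIHH", WAVE_FORMAT_PCM, 1, 8000, 16000, 2, 16), b"\x00" * 32)
ADPCM_BAD = build_wav(struct.pack("<HHIIHHH", WAVE_FORMAT_ADPCM, 1, 8000, 4000, 256, 4, 32),
                      b"\x00" * 16, declared_data_size=1 << 30)
```

Running check_wav(ADPCM_BAD) reports both the overrunning cbSize and the data chunk that claims far more bytes than exist, which is exactly the point at which a reader must stop rather than allocate or copy.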
URL: (none) => http://lwn.net/Vulnerabilities/627589/
Testing complete Mageia 4 i586.

I don't see a PoC for this, so I just used some commands that use sox to read wav files, with a wav file I have (an old clip of "Welcome to your doom!" from Homestar Runner).

$ play welcome.wav   # play the audio file (plays fine)
$ sox welcome.wav foo.wav stat -v   # check how much the volume can be raised
1.026
$ sox -v 1.025 welcome.wav foo.wav   # raise the volume
$ play foo.wav   # play the louder copy (plays fine)
Whiteboard: (none) => MGA4-32-OK has_procedure
Testing on Mageia 4 x64 real hardware

From current packages:
---------------------
sox-14.4.1-3.mga4
lib64sox2-14.4.1-3.mga4

To updated testing packages:
---------------------------
- lib64sox2-14.4.1-3.1.mga4.x86_64
- sox-14.4.1-3.1.mga4.x86_64

Tried some commands in each case:
$ play Yamaha-SY-35-Clarinet-C5.wav
$ play Yamaha-SY-35-Clarinet-C5.wav vol 2
$ sox Yamaha-SY-35-Clarinet-C5.wav Yamaha.ogg
$ sox Yamaha-SY-35-Clarinet-C5.wav Yamaha2.wav vol 10db
$ sox Yamaha-SY-35-Clarinet-C5.wav Yamaha3.wav vol -6db bass +6
$ sox Yamaha-SY-35-Clarinet-C5.wav -n stat

All OK.
CC: (none) => olchal
Whiteboard: MGA4-32-OK has_procedure => MGA4-32-OK has_procedure MGA4-64-OK
Validating. Advisory uploaded. Please push to updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: MGA4-32-OK has_procedure MGA4-64-OK => advisory MGA4-32-OK has_procedure MGA4-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0561.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED