Bug 22469 - sox new security issues CVE-2017-15370 and CVE-2017-15371
Summary: sox new security issues CVE-2017-15370 and CVE-2017-15371
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA5-32-OK mga5-64-ok MGA6-64...
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-01-26 06:23 CET by David Walser
Modified: 2018-02-02 13:34 CET (History)

See Also:
Source RPM: sox-14.4.2-7.mga6.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2018-01-26 06:23:21 CET
Fedora has issued an advisory on January 23:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LU6OQGTJOLIFAOPHQI6CPLGMN4KKMLIX/

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-01-26 06:23:28 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-01-26 07:03:18 CET
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => lists.jjorge

Comment 2 David Walser 2018-01-28 23:07:27 CET
Patched packages uploaded for Mageia 5, Mageia 6, and Cauldron.

Advisory:
========================

Updated sox packages fix security vulnerabilities:

There is a heap-based buffer overflow in the ImaExpandS function of ima_rw.c in
Sound eXchange (SoX) 14.4.2. A crafted input will lead to a denial of service
attack during conversion of an audio file (CVE-2017-15370).

There is a reachable assertion abort in the function sox_append_comment() in
formats.c in Sound eXchange (SoX) 14.4.2. A crafted input will lead to a denial
of service attack during conversion of an audio file (CVE-2017-15371).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15370
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15371
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LU6OQGTJOLIFAOPHQI6CPLGMN4KKMLIX/
========================

Updated packages in core/updates_testing:
========================
sox-14.4.1-6.1.mga5
libsox2-14.4.1-6.1.mga5
libsox-devel-14.4.1-6.1.mga5
sox-14.4.2-7.1.mga6
libsox3-14.4.2-7.1.mga6
libsox-devel-14.4.2-7.1.mga6

from SRPMS:
sox-14.4.1-6.1.mga5.src.rpm
sox-14.4.2-7.1.mga6.src.rpm

Whiteboard: MGA6TOO => MGA5TOO
Version: Cauldron => 6
Assignee: lists.jjorge => qa-bugs
CC: (none) => lists.jjorge

Comment 3 Herman Viaene 2018-01-30 16:13:36 CET
MGA5-32 on Dell Latitude D600 Xfce
No installation issues
ref. to bug 14871 for testing
At CLI:
$ play 01\ Wellington\'s\ Sieg.wav 

01 Wellington's Sieg.wav:
 File Size: 149M      Bit Rate: 1.41M
  Encoding: Signed PCM    
  Channels: 2 @ 16-bit   
Samplerate: 44100Hz      
Replaygain: off         
  Duration: 00:14:05.30  
plays OK
$ play 02\ Zapfenstreich.wav 

02 Zapfenstreich.wav:

 File Size: 34.4M     Bit Rate: 1.41M
  Encoding: Signed PCM    
  Channels: 2 @ 16-bit   
Samplerate: 44100Hz      
Replaygain: off         
  Duration: 00:03:14.94  
idem

Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
CC: (none) => herman.viaene

Comment 4 Brian Rockwell 2018-01-31 15:31:56 CET
$ uname -a
Linux localhost 4.4.111-desktop-1.mga5 #1 SMP Wed Jan 10 21:54:51 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

$ sox  
sox:      SoX v14.4.1

sox Esther_Garcia_-_Serenade__Franz_Schubert.mp3 serenad.wav

$ play serenad.wav

sounds good to me.

Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK mga5-64-ok
CC: (none) => brtians1

Comment 5 Len Lawrence 2018-01-31 18:41:18 CET
Mageia 6 :: x86_64

Checked POCs.

Before:

CVE-2017-15370
https://bugzilla.redhat.com/show_bug.cgi?id=1500554
$ sox 02-heap-buffer-over tt.snd
sox WARN wav: Premature EOF on .wav input file
sox FAIL sox: Segmentation fault (core dumped)

CVE-2017-15371
https://bugzilla.redhat.com/show_bug.cgi?id=1500570
$ sox 03-abort out.wav
sox: formats.c:227: sox_append_comment: Assertion `comment' failed.
Aborted (core dumped)

Updated sox...

Afterwards:

$ sox 02-heap-buffer-over tt.snd
sox WARN wav: Premature EOF on .wav input file
$ sox 03-abort out.wav
sox FAIL formats: can't open input file `03-abort': FLAC ERROR whilst decoding metadata

Those results are an improvement and endorse the patches.

$ play StopInTheNameOfLove.flac 

 File Size: 10.6M     Bit Rate: 490k
  Encoding: FLAC          
  Channels: 2 @ 16-bit   Track: 4 of 52
Samplerate: 44100Hz      Album: More Hits by the Supremes
Replaygain: off         Artist: The Supremes
  Duration: 00:02:52.85  Title: Stop! In the Name of Love

$ play HarpConcerto_inBflatmajor.wav

 File Size: 148M      Bit Rate: 1.41M
  Encoding: Signed PCM    
  Channels: 2 @ 16-bit   
Samplerate: 44100Hz      
Replaygain: off         
  Duration: 00:13:57.91  

Playing fine.

Whiteboard: MGA5TOO MGA5-32-OK mga5-64-ok => MGA5TOO MGA5-32-OK mga5-64-ok MGA6-64-OK
CC: (none) => tarazed25

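The before/after check in comment 5 (PoC input kills sox with SIGSEGV or SIGABRT before the update, sox exits with an ordinary error afterwards) can be scripted so a QA tester does not have to read "core dumped" by eye. The harness below is an added example, not code from this bug report or from the SoX project; it assumes `sox` is on PATH and uses the PoC file names from comment 5 as placeholders (the files themselves come from the linked Red Hat bugs and are not included). `self_kill_argv` is a hypothetical helper that lets the harness be exercised without the real PoC files.

```python
"""QA harness: tell a crash (death by signal) apart from a clean error exit.

Added example, not part of the sox project or of this bug report. It
automates the before/after check from comment 5: before the update the
PoC inputs killed sox with SIGSEGV or SIGABRT, afterwards sox exits with a
normal non-zero status and an error message.
"""
import signal
import subprocess
import sys


def classify_exit(returncode):
    """Map a subprocess return code to 'ok', 'error' or 'crash:<SIGNAME>'.

    subprocess reports a process killed by a signal as a negative return
    code (-11 for SIGSEGV, -6 for SIGABRT), a clean failure as a positive one.
    """
    if returncode == 0:
        return "ok"
    if returncode > 0:
        return "error"
    signum = -returncode
    try:
        name = signal.Signals(signum).name
    except ValueError:
        name = "SIG%d" % signum
    return "crash:" + name


def run_and_classify(argv, timeout=30):
    """Run argv; return (verdict, last stderr line).

    verdict is one of ok / error / crash:<SIGNAME> / missing-tool / timeout.
    """
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout)
    except FileNotFoundError:
        return ("missing-tool", "")
    except subprocess.TimeoutExpired:
        return ("timeout", "")
    err_lines = proc.stderr.decode("utf-8", errors="replace").strip().splitlines()
    return (classify_exit(proc.returncode), err_lines[-1] if err_lines else "")


def check_pocs(sox_bin, pocs, out_file="out.wav"):
    """Convert each PoC input with sox; return {cve: (verdict, last stderr line)}."""
    return {cve: run_and_classify([sox_bin, path, out_file])
            for cve, path in pocs.items()}


def no_crashes(results):
    """True when no PoC made the tool die by signal (the expected post-update state).

    A clean 'error' verdict is acceptable: rejecting a malformed file is the fix.
    """
    return not any(verdict.startswith("crash:") for verdict, _ in results.values())


def self_kill_argv(signame):
    """Hypothetical helper (assumption, not a sox feature): a python child that
    kills itself with the given signal, so the harness can be demonstrated
    without the real PoC files."""
    return [sys.executable, "-c",
            "import os, signal; os.kill(os.getpid(), signal.%s)" % signame]


if __name__ == "__main__":
    # PoC file names as used in comment 5; placeholders for the real files.
    pocs = {"CVE-2017-15370": "02-heap-buffer-over",
            "CVE-2017-15371": "03-abort"}
    results = check_pocs("sox", pocs)
    for cve, (verdict, last) in results.items():
        print("%s: %s  %s" % (cve, verdict, last))
    print("fixed" if no_crashes(results) else "still crashing")
```

Run it once against the old package and once against the updated one: the verdict should move from `crash:SIGSEGV` / `crash:SIGABRT` to `error`, matching the "Premature EOF" and "FLAC ERROR whilst decoding metadata" outcomes reported above.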
Comment 6 Brian Rockwell 2018-02-01 03:26:29 CET
mga6-32 bit

$ uname -a
Linux localhost 4.14.13-desktop-1.mga6 #1 SMP Wed Jan 10 12:49:10 UTC 2018 i686 i686 i686 GNU/Linux


The following 2 packages are going to be installed:

- libsox3-14.4.2-7.1.mga6.i586
- sox-14.4.2-7.1.mga6.i586

[brian@localhost test]$ sox -S barber.flac barber.wav

Input File     : 'barber.flac'
Channels       : 2
Sample Rate    : 44100
Precision      : 16-bit
Duration       : 00:07:27.64 = 19740924 samples = 33573 CDDA sectors
File Size      : 34.0M
Bit Rate       : 607k
Sample Encoding: 16-bit FLAC
Comments       : 
Title=Adagio
Artist=Barber
Album=World's Most Beautiful Melodies-Sentimentale (Disc 6 of 6)
Genre=Classical
Tracknumber=11
Date=1999-01-01T00:00:00

In:100%  00:07:27.64 [00:00:00.00] Out:19.7M [      |      ] Hd:3.9 Clip:0    
Done.
[brian@localhost test]$ ls -ltr
-rwx------ 1 brian brian      253 Jan 31 20:20 convert_soxflac_to_mp3.bsh*
-rw------- 1 brian brian 33959078 Jan 31 20:23 barber.flac
-rw-r--r-- 1 brian brian 78963740 Jan 31 20:23 barber.wav
[brian@localhost test]$ mplayer barber.wav
MPlayer 1.3.0-12.mga6.tainted-5.4.0 (C) 2000-2016 MPlayer Team
mplayer: could not connect to socket
mplayer: No such file or directory
Failed to open LIRC support. You will not be able to use your remote control.

Playing barber.wav.

working as designed.

Whiteboard: MGA5TOO MGA5-32-OK mga5-64-ok MGA6-64-OK => MGA5TOO MGA5-32-OK mga5-64-ok MGA6-64-OK mga6-32-ok

Comment 7 Len Lawrence 2018-02-01 09:56:33 CET
I guess we are just waiting for the advisory to be pushed.  It is ready to be validated.
Comment 8 David Walser 2018-02-01 12:18:15 CET
(In reply to Len Lawrence from comment #7)
> I guess we are just waiting for the advisory to be pushed.  It is ready to
> be validated.

You can validate it then.  You don't need to wait for the advisory to be in SVN.
Len Lawrence 2018-02-01 17:10:40 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2018-02-02 05:01:07 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 9 Mageia Robot 2018-02-02 13:34:34 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0105.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

