Ubuntu has issued an advisory on July 30:
https://usn.ubuntu.com/4079-1/

Mageia 6 and Mageia 7 are also affected.
Whiteboard: (none) => MGA7TOO, MGA6TOO
Assigning to our registered sox maintainer.
CC: (none) => marja11
Assignee: bugsquad => lists.jjorge
Status comment: (none) => Patches available from Ubuntu
sox-14.4.2-12.mga8 fixes this bug for cauldron with upstream commits
Status: NEW => ASSIGNED
Removing MGA6 as it is EOL.

Suggested advisory:

It was discovered that SoX incorrectly handled certain MP3 files. An attacker could possibly use this issue to cause a denial of service. (CVE-2019-8354, CVE-2019-8355, CVE-2019-8356, CVE-2019-8357)

Refs:
https://sourceforge.net/p/sox/bugs/319/
https://sourceforge.net/p/sox/bugs/320/
https://sourceforge.net/p/sox/bugs/321/

SRPM:
sox-14.4.2-12.mga7

RPMS:
sox-14.4.2-12.mga7.i586.rpm
libsox3-14.4.2-12.mga7.i586.rpm
libsox-devel-14.4.2-12.mga7.i586.rpm
Whiteboard: MGA7TOO, MGA6TOO => (none)
Assignee: lists.jjorge => qa-bugs
CC: (none) => lists.jjorge
Version: Cauldron => 7
Summary: sox new security issues CVE-2019-835[47] => sox new security issues CVE-2019-835[4-7]
Status comment: Patches available from Ubuntu => (none)
Mageia7, x86_64

CVE-2019-8354
https://sourceforge.net/p/sox/bugs/319/
$ sox --single-threaded crash_effect_i_dsp_c_367_heap_buffer_overflow.mp3 -t aiff /dev/null channels 1 rate 16k fade 3 norm
sox: effects_i_dsp.c:188: update_fft_cache: Assertion `lsx_is_power_of_2(len)' failed.
Aborted (core dumped)

https://sourceforge.net/p/sox/bugs/320/
$ sox --single-threaded xmalloc_31_integer_overflow.mp3 -t aiff /dev/null channels 1 rate 16k fade 3 norm
<This hung the command-line, loading alternate CPU cores>

https://sourceforge.net/p/sox/bugs/321/
$ sox --single-threaded fft4g_721_stack_buffer_overflow.mp3 -t aiff /dev/null channels 1 rate 16k fade 3 norm
Segmentation fault (core dumped)

Updated the 64-bit packages.

$ sox --single-threaded crash_effect_i_dsp_c_367_heap_buffer_overflow.mp3 -t aiff /dev/null channels 1 rate 16k fade 3 norm
sox: effects_i_dsp.c:188: update_fft_cache: Assertion `lsx_is_power_of_2(len)' failed.
Aborted (core dumped)
<As before>

$ sox --single-threaded xmalloc_31_integer_overflow.mp3 -t aiff /dev/null channels 1 rate 16k fade 3 norm
Segmentation fault (core dumped)
<No hangup this time>

$ sox --single-threaded fft4g_721_stack_buffer_overflow.mp3 -t aiff /dev/null channels 1 rate 16k fade 3 norm
<Finished immediately without errors>

So, one no change, one partial success and one apparently successful.

Played various music files with formats OGG and MP3 using the play command. FLAC and WAV files fail.

$ play AnElizabethanSuite.flac
Segmentation fault (core dumped)
$ play ASuiteOfTheatreMusic.wav
Segmentation fault (core dumped)

This does not look good.
CC: (none) => tarazed25
Keywords: (none) => feedback
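
The before/after comparison in the QA run above, as an added example that is not part of the original bug report: a POSIX shell helper that runs a command under a time limit, classifies the outcome as ok, abort, segfault or hang, and compares the results from the old and updated package. The function names and the time limit are assumptions, and it relies on the coreutils `timeout` command.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names are hypothetical.

# Map an exit status to the outcome classes seen in the QA run.
classify_status() {
    case "$1" in
        0)   echo ok ;;
        124) echo hang ;;       # coreutils timeout: time limit expired
        134) echo abort ;;      # 128 + SIGABRT (6), e.g. a failed assertion
        139) echo segfault ;;   # 128 + SIGSEGV (11)
        *)   echo "error-$1" ;;
    esac
}

# run_case LIMIT CMD [ARGS...]: run CMD under a time limit and print its class.
run_case() {
    limit=$1
    shift
    status=0
    timeout "$limit" "$@" >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# verdict BEFORE AFTER: compare the classes from the old and updated package.
verdict() {
    if [ "$1" = "$2" ]; then
        echo unchanged
    elif [ "$2" = ok ]; then
        echo fixed
    elif [ "$1" = ok ]; then
        echo regression
    else
        echo still-failing
    fi
}
```

Record `run_case 60 sox --single-threaded <file> -t aiff /dev/null channels 1 rate 16k fade 3 norm` for each reproducer before and after installing the update, then pass the two classes to `verdict`.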
Noticed something odd. Going back to the mp3 directory, play segfaulted on those files as well, so something must have been corrupted. A reboot did not cure it so I am removing sox and re-installing. It takes things like k3b, anki and kdenlive with it.
Re-installed the update candidate and tried again. WAV and FLAC still segfault with play but OGG files are OK. And so are MP3 now.
(In reply to Len Lawrence from comment #6)
> Re-installed the update candidate and tried again. WAV and FLAC still
> segfault with play but OGG files are OK. And so are MP3 now.

Unfortunately, I confirm the update segfaults on wav playing. This goes beyond my packager skills. I have asked upstream why there has been no release for years; maybe we'll get a release one day?
Maybe something you can try is a full current git snapshot to see if the segfaults are caused by us missing other patches? It might be useful also to see if the patches from upstream used for this update differ substantially from the ones Ubuntu used.
(In reply to David Walser from comment #8)
> Maybe something you can try is a full current git snapshot to see if the
> segfaults are caused by us missing other patches?

It seems so. I went the git way in cauldron, and wav play does not segfault anymore. I'll wait some time to ensure there are no regressions before pushing this to MGA7.
Assignee: qa-bugs => lists.jjorge
Now we have:
sox-14.4.3-0.git20200117.1.mga7
libsox3-14.4.3-0.git20200117.1.mga7
libsox-devel-14.4.3-0.git20200117.1.mga7

from sox-14.4.3-0.git20200117.1.mga7.src.rpm
Keywords: feedback => (none)
Assignee: lists.jjorge => qa-bugs
Installed the latest updates and tried play on flac, ogg, wav, mp3 files. No problems so this can be sent on.
Whiteboard: (none) => MGA7-64-OK
Looks like we dodged a bullet there. Well done, Gentlemen! Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0045.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED