Bug 30291 - sox new security issues CVE-2019-13590, CVE-2021-3643, CVE-2021-23159, CVE-2021-23172, CVE-2021-23210, CVE-2021-33844, CVE-2021-40426, CVE-2022-3165[01]
Summary: sox new security issues CVE-2019-13590, CVE-2021-3643, CVE-2021-23159, CVE-20...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
Reported: 2022-04-15 07:03 CEST by David Walser
Modified: 2023-02-27 21:28 CET

See Also:
Source RPM: sox-14.4.3-0.git20200117.3.mga8.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2022-04-15 07:03:31 CEST
TALOS has issued an advisory on March 23:
https://talosintelligence.com/vulnerability_reports/TALOS-2021-1434

It doesn't sound like a fix is available yet.

Mageia 8 is also affected.
David Walser 2022-04-15 07:03:36 CEST

Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-04-15 21:18:15 CEST
sox has suffered little maintenance over time, by different people; so assigning this globally.

Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2023-02-06 15:33:40 CET
Patches for this issue, and others, have been posted:
https://www.openwall.com/lists/oss-security/2023/02/03/3

It required (and probably still requires) further work:
https://www.openwall.com/lists/oss-security/2023/02/05/1

We can pull whatever ends up in Debian once this work is done.

Summary: sox new security issue CVE-2021-40426 => sox new security issues CVE-2021-3643, CVE-2021-23159, CVE-2021-3165[01], CVE-2021-33844, CVE-2021-40426

Comment 3 David Walser 2023-02-10 16:53:25 CET
Debian-LTS has issued an advisory for this today (February 10):
https://www.debian.org/lts/security/2023/dla-3315

Including fixes for some additional CVEs as well.

Summary: sox new security issues CVE-2021-3643, CVE-2021-23159, CVE-2021-3165[01], CVE-2021-33844, CVE-2021-40426 => sox new security issues CVE-2019-13590, CVE-2021-3643, CVE-2021-23159, CVE-2021-23172, CVE-2021-23210, CVE-2021-33844, CVE-2021-40426, CVE-2022-3165[01]

Comment 4 David GEIGER 2023-02-10 18:48:35 CET
So done first for Cauldron:

CVE-2019-13590 and CVE-2021-33844 are already fixed upstream as of our git snapshot from 20210509.

Added debian patches to fix several security issues:
  * Fix CVE-2021-3643 and CVE-2021-23210: voc validation
  * Fix CVE-2021-23159 and CVE-2021-23172: hcom validation
  * Fix CVE-2021-40426: sphere validation
  * Fix CVE-2022-31650: aiff validation
  * Fix CVE-2022-31651: reject implausible rate

CC: (none) => geiger.david68210

Comment 5 David GEIGER 2023-02-11 06:18:05 CET
Done also for mga8:

Added debian patches to fix several security issues:
  * Fix CVE-2019-13590: sox-fmt validation
  * Fix CVE-2021-3643 and CVE-2021-23210: voc validation
  * Fix CVE-2021-23159 and CVE-2021-23172: hcom validation
  * Fix CVE-2021-33844: wav validation
  * Fix CVE-2021-40426: sphere validation
  * Fix CVE-2022-31650: aiff validation
  * Fix CVE-2022-31651: reject implausible rate

Comment 6 David Walser 2023-02-11 19:45:08 CET
sox-14.4.3-0.git20200117.3.1.mga8
libsox3-14.4.3-0.git20200117.3.1.mga8
libsox-devel-14.4.3-0.git20200117.3.1.mga8

from sox-14.4.3-0.git20200117.3.1.mga8.src.rpm

Whiteboard: MGA8TOO => (none)
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 8

Comment 7 Herman Viaene 2023-02-14 11:38:11 CET
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Ref bug 25289 for testing
$ play 05Upsa\ Zweuds.wav 

05Upsa Zweuds.wav:

 File Size: 34.3M     Bit Rate: 1.41M
  Encoding: Signed PCM    
  Channels: 2 @ 16-bit   
Samplerate: 44100Hz      
Replaygain: off         
  Duration: 00:03:14.61  

In:100%  00:03:14.61 [00:00:00.00] Out:8.58M [      |      ]        Clip:0    
Done.
Played OK.
$ play kant1.mp3 

kant1.mp3:

 File Size: 21.5M     Bit Rate: 128k
  Encoding: MPEG audio    
  Channels: 2 @ 16-bit   
Samplerate: 44100Hz      Album: De Strangers 143 beste
Replaygain: off         Artist: De Strangers
  Duration: 00:22:25.75  Title: kant1

In:20.6% 00:04:37.25 [00:17:48.50] Out:12.2M [    -=|==-   ]        Clip:0    
Aborted.
I stopped the playback with Ctrl-C, hence the "Aborted".
Played OK.
$ play 05\ -\ unknown\ 5\ -\ Sound\ the\ pibroch.ogg 

05 - unknown 5 - Sound the pibroch.ogg:

 File Size: 4.67M     Bit Rate: 118k
  Encoding: Vorbis        
  Channels: 2 @ 16-bit   Track: 05
Samplerate: 44100Hz      
Replaygain: off         
  Duration: 00:05:15.99  Title: Sound the pibroch

In:100%  00:05:15.99 [00:00:00.00] Out:13.9M [      |      ]        Clip:0    
Done.
Played OK.
$ play 24\ The\ Last\ Rose\ of\ Summer.m4a 
play FAIL formats: no handler for file extension `m4a'
Googled on sox and m4a, and found issues with this file format for more than 10 years. Left with the impression this has never worked.
If someone else can jump in for other formats, I will agree on the OK.

CC: (none) => herman.viaene

Comment 8 Brian Rockwell 2023-02-15 15:59:16 CET
$ uname -a
Linux localhost 6.1.6-desktop-1.mga8 #1 SMP PREEMPT_DYNAMIC Sat Jan 14 13:18:00 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux


The following 2 packages are going to be installed:

- lib64sox3-14.4.3-0.git20200117.3.1.mga8.x86_64
- sox-14.4.3-0.git20200117.3.1.mga8.x86_64

81B of disk space will be freed.

384KB of packages will be retrieved.


--

$ sox --help
sox:      SoX v14.4.2
......

$ sox -S '01 - Late.flac' 'late.wav'

Input File     : '01 - Late.flac'
Channels       : 2
Sample Rate    : 44100
Precision      : 16-bit
Duration       : 00:03:18.58 = 8757597 samples = 14893.9 CDDA sectors
File Size      : 14.6M
Bit Rate       : 588k
Sample Encoding: 16-bit FLAC
Comments       : 
TITLE=Late
TRACKNUMBER=1
TRACKTOTAL=1
TOTALTRACKS=1
TOTALDISCS=1
DISCTOTAL=1
ARTIST=Nils Frahm
ALBUM=Late
ALBUMARTIST=Nils Frahm
GENRE=Classical
DATE=2021-11-18T00:00:00.000Z
ORGANIZATION=LEITER Verlag GmbH   Co  KG
PUBLISHER=LEITER Verlag GmbH   Co  KG
COPYRIGHT=© 2021 LEITER Verlag GmbH & Co. KG, in cooperation with BMG Rights Management GmbH
ISRC=DELV42100516
UPC=4050538764215
COMPOSER=Nils Frahm
ENGINEER=Andreas Kauffelt, Zino Mikorey

In:100%  00:03:18.58 [00:00:00.00] Out:8.76M [      |      ]        Clip:0    
Done.


$ play late.wav

late.wav:

 File Size: 35.0M     Bit Rate: 1.41M
  Encoding: Signed PCM    
  Channels: 2 @ 16-bit   
Samplerate: 44100Hz      
Replaygain: off         
  Duration: 00:03:18.58  

In:5.99% 00:00:11.89 [00:03:06.70] Out:524k  [    ==|=-    ]        Clip:0 

...  yada yada yada

I went ahead and ran lame to see if it detected any anomalies

$ lame -V4 late.wav late.mp3
LAME 3.100 64bits (http://lame.sf.net)
Using polyphase lowpass filter, transition band: 17249 Hz - 17782 Hz
Encoding late.wav to late.mp3
Encoding as 44.1 kHz j-stereo MPEG-1 Layer III VBR(q=4)
    Frame          |  CPU time/estim | REAL time/estim | play/CPU |    ETA 
  7604/7604  (100%)|    0:01/    0:01|    0:01/    0:01|   118.21x|    0:00 
 32 [   1] *
 40 [   0] 
 48 [   0] 
 56 [   0] 
 64 [   0] 
 80 [   0] 
 96 [   0] 
112 [   0] 
128 [4666] %%%%%%%%%%%%%%%%%%%%%%%%%%**********************************************************************************************************
160 [2930] %%%%%%%%%%%%%%%%%%%%%%%%%%%%%******************************************************
192 [   2] %
224 [   3] %
256 [   1] %
320 [   1] %
-----------------------------------------------------------------------------------------------------------------------------------------------
   kbps        LR    MS  %     long switch short %
  140.4       25.3  74.7        99.9   0.1   0.0
Writing LAME Tag...done
ReplayGain: +6.9dB

--- 
seemed happy

Well this is how I use this util.  Works for me.

CC: (none) => brtians1

Comment 9 Herman Viaene 2023-02-21 11:48:00 CET
Since no one else jumped in, and given the positive comments from Brian, giving the OK.

Whiteboard: (none) => MGA8-64-OK

Comment 10 Thomas Andrews 2023-02-21 16:40:43 CET
Thank you, Gentlemen. Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-02-25 20:18:34 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 11 Mageia Robot 2023-02-27 21:28:50 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0059.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
