Debian 10260 Published by

A sox security update has been released for Debian GNU/Linux 10 LTS to address multiple file format validation vulnerabilities.



DLA 3315-1: sox security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3315-1 debian-lts@lists.debian.org
  https://www.debian.org/lts/security/ Helmut Grohne
February 10, 2023   https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : sox
Version : 14.4.2+git20190427-1+deb10u1
CVE ID : CVE-2019-13590 CVE-2021-3643 CVE-2021-23159 CVE-2021-23172
CVE-2021-23210 CVE-2021-33844 CVE-2021-40426 CVE-2022-31650
CVE-2022-31651
Debian Bug : 933372 1010374 1012138 1012516 1021133 1021134 1021135

This update fixes multiple file format validation vulnerabilities that could
result in memory access violations such as buffer overflows and floating point
exceptions. It also fixes a regression in hcom parsing introduced when fixing
CVE-2017-11358.

CVE-2019-13590

In sox-fmt.h (startread function), there is an integer overflow on the
result of integer addition (wraparound to 0) fed into the lsx_calloc macro
that wraps malloc. When a NULL pointer is returned, it is used without a
prior check that it is a valid pointer, leading to a NULL pointer
dereference on lsx_readbuf in formats_i.c.

CVE-2021-3643

The lsx_adpcm_init function within libsox leads to a
global-buffer-overflow. This flaw allows an attacker to input a malicious
file, leading to the disclosure of sensitive information.

CVE-2021-23159

A vulnerability was found in SoX, where a heap-buffer-overflow occurs
in function lsx_read_w_buf() in formats_i.c file. The vulnerability is
exploitable with a crafted file, that could cause an application to
crash.

CVE-2021-23172

A vulnerability was found in SoX, where a heap-buffer-overflow occurs
in function startread() in hcom.c file. The vulnerability is
exploitable with a crafted hcomn file, that could cause an application
to crash.

CVE-2021-23210

A floating point exception (divide-by-zero) issue was discovered in
SoX in functon read_samples() of voc.c file. An attacker with a
crafted file, could cause an application to crash.

CVE-2021-33844

A floating point exception (divide-by-zero) issue was discovered in
SoX in functon startread() of wav.c file. An attacker with a crafted
wav file, could cause an application to crash.

CVE-2021-40426

A heap-based buffer overflow vulnerability exists in the sphere.c
start_read() functionality of Sound Exchange libsox. A specially-crafted
file can lead to a heap buffer overflow. An attacker can provide a
malicious file to trigger this vulnerability.

CVE-2022-31650

There is a floating-point exception in lsx_aiffstartwrite in aiff.c.

CVE-2022-31651

There is an assertion failure in rate_init in rate.c.

For Debian 10 buster, these problems have been fixed in version
14.4.2+git20190427-1+deb10u1.

We recommend that you upgrade your sox packages.

For the detailed security status of sox please refer to
its security tracker page at:
  https://security-tracker.debian.org/tracker/sox

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at:   https://wiki.debian.org/LTS