Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package sox

Version 14.4.1-5 addresses DSA-3112-1. A specially crafted wav file could cause an application using SoX to crash or, possibly, execute arbitrary code.

Please see attached file for the debdiff against the package in testing.

Please, unblock sox/14.4.1-5

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_CA.utf8, LC_CTYPE=fr_CA.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

--
Homepage (http://organact.mine.nu)
Debian GNU/Linux (http://www.debian.org)
COMunité/LACIME: École de technologie supérieure (http://www.comunite.ca)
ISIP Laboratory: McGill (http://www.isip.ece.mcgill.ca)
diff -Nru sox-14.4.1/debian/changelog sox-14.4.1/debian/changelog --- sox-14.4.1/debian/changelog 2014-05-21 22:09:53.000000000 -0400 +++ sox-14.4.1/debian/changelog 2014-12-24 14:40:04.000000000 -0500 @@ -1,3 +1,12 @@ +sox (14.4.1-5) unstable; urgency=medium + + * Patches to fix memory corruptions on the heap, CVE-2014-8145 + (closes: #773720): + + 0001-Check-for-minimum-size-sphere-headers.patch + + 0002-More-checks-for-invalid-MS-ADPCM-blocks.patch + + -- Pascal Giard <pas...@debian.org> Wed, 24 Dec 2014 14:33:55 -0500 + sox (14.4.1-4) unstable; urgency=low * [debian/rules,debian/control]: diff -Nru sox-14.4.1/debian/patches/0001-Check-for-minimum-size-sphere-headers.patch sox-14.4.1/debian/patches/0001-Check-for-minimum-size-sphere-headers.patch --- sox-14.4.1/debian/patches/0001-Check-for-minimum-size-sphere-headers.patch 1969-12-31 19:00:00.000000000 -0500 +++ sox-14.4.1/debian/patches/0001-Check-for-minimum-size-sphere-headers.patch 2014-12-24 14:32:59.000000000 -0500 @@ -0,0 +1,14 @@ +--- src/sphere.c.old ++++ src/sphere.c +@@ -47,6 +47,11 @@ static int start_read(sox_format_t * ft) + + /* Determine header size, and allocate a buffer large enough to hold it. */ + sscanf(fldsval, "%lu", &header_size_ul); ++ if (header_size_ul < 16) { ++ lsx_fail_errno(ft, SOX_EHDR, "Error reading Sphere header"); ++ return (SOX_EOF); ++ } ++ + buf = lsx_malloc(header_size = header_size_ul); + + /* Skip what we have read so far */ diff -Nru sox-14.4.1/debian/patches/0002-More-checks-for-invalid-MS-ADPCM-blocks.patch sox-14.4.1/debian/patches/0002-More-checks-for-invalid-MS-ADPCM-blocks.patch --- sox-14.4.1/debian/patches/0002-More-checks-for-invalid-MS-ADPCM-blocks.patch 1969-12-31 19:00:00.000000000 -0500 +++ sox-14.4.1/debian/patches/0002-More-checks-for-invalid-MS-ADPCM-blocks.patch 2014-12-24 14:32:59.000000000 -0500 
@@ -0,0 +1,11 @@ +--- src/wav.c.old ++++ src/wav.c +@@ -166,7 +166,7 @@ static unsigned short AdpcmReadBlock(sox_format_t * ft) + /* work with partial blocks. Specs say it should be null */ + /* padded but I guess this is better than trailing quiet. */ + samplesThisBlock = lsx_ms_adpcm_samples_in((size_t)0, (size_t)ft->signal.channels, bytesRead, (size_t)0); +- if (samplesThisBlock == 0) ++ if (samplesThisBlock == 0 || samplesThisBlock > wav->samplesPerBlock) + { + lsx_warn("Premature EOF on .wav input file"); + return 0;
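Review bot: the debian/changelog hunk lists 0001-Check-for-minimum-size-sphere-headers.patch and 0002-More-checks-for-invalid-MS-ADPCM-blocks.patch as the fix for CVE-2014-8145 (closes: #773720), but no hunk for debian/patches/series appears in the debdiff as reproduced here; with a 3.0 (quilt) source package the new patches are only applied at build time if series names them, so please confirm that change exists (series sorts after the two patch files and may simply lie beyond the end of what was attached). It would also help reviewers if the entry named DSA-3112-1, which the request text cites but the changelog does not.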
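Review bot: in the src/sphere.c hunk the new `if (header_size_ul < 16)` test sits right after `sscanf(fldsval, "%lu", &header_size_ul);`, whose return value is never checked, so a non-numeric header-size field leaves header_size_ul unassigned and the bound check compares an indeterminate value before it reaches lsx_malloc; suggest folding the conversion into the check, e.g. `if (sscanf(fldsval, "%lu", &header_size_ul) != 1 || header_size_ul < 16)`. The constant 16 also deserves a one-line comment (presumably the two fixed 8-byte lines, the NIST_1A magic and the header-size field, that have already been consumed, which is why the later "Skip what we have read so far" step needs header_size to be at least that large). Note there is still no upper bound, so an absurdly large value goes straight to lsx_malloc; that is a resource-exhaustion concern rather than the heap corruption this patch targets, but worth recording in the patch header.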
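Review bot: in the src/wav.c hunk the added `samplesThisBlock > wav->samplesPerBlock` condition is folded into the existing branch, so an over-long block (more decoded samples than the format header promised) is reported as "Premature EOF on .wav input file", which is wrong for the new case and will send anyone debugging a rejected file down the wrong path. Suggest a separate branch ahead of the EOF test, e.g. `if (samplesThisBlock > wav->samplesPerBlock) { lsx_warn("Invalid MS ADPCM block in .wav input file"); return 0; }`, or at least a message that covers both conditions. Since the changelog describes this as a heap-corruption fix, a short comment naming the buffer that samplesPerBlock bounds would document the invariant the check enforces.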