On Wed, Mar 15, 2017 at 10:15:50PM +0900, Mark Fletcher wrote:
> On Wed, Mar 15, 2017 at 07:30:57AM -0500, Martin McCormick wrote:
> > This is a tale of two systems. One is a wheezy
> > installation and its version of sox handles mp3 files nicely. It
> > can create them and appears to allow one to edit them. The
> > listing for /usr/bin/sox shows a size of somewhat above 63 KB and
> > a creation date of Dec 22 in 2014.
> >
> > A second system is running jessie. Its version of
> > /usr/bin/sox is slightly larger than 67 K and has a creation date of
> > December 24, 2014.
> >
> So wheezy's and Jessie's are 2 days apart? That doesn't sound right.
> Maybe the wheezy one _was_ recompiled... Although I'm at a loss to
> explain how that could happen without you, as the owner of the box,
> knowing about it...

Entirely possible if the same security issue happened upstream and was
fixed in wheezy and jessie. The changelog says:

sox (14.4.0-3+deb7u1) wheezy-security; urgency=high

  * Patches to fix memory corruptions on the heap, CVE-2014-8145
    (closes: #773720):
    + 0001-Check-for-minimum-size-sphere-headers.patch
    + 0002-More-checks-for-invalid-MS-ADPCM-blocks.patch

 -- Pascal Giard <pas...@debian.org>  Mon, 22 Dec 2014 12:25:43 -0500

So, yes, I think that's what happened.

-dsr-