sox: CVE-2017-15642: Use-after-free in lsx_aiffstartread

Related Vulnerabilities: CVE-2017-15642   CVE-2017-15372   CVE-2017-11333  

Debian Bug report logs - #882144

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 19 Nov 2017 16:12:02 UTC

Severity: important

Tags: security, upstream

Found in version sox/14.4.1-5

Fixed in version sox/14.4.2-2

Done: Jaromír Mikeš <mira.mikes@seznam.cz>

Bug is archived. No further changes may be made.

Forwarded to https://sourceforge.net/p/sox/bugs/298/


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Pascal Giard <pascal@debian.org>:
Bug#882144; Package src:sox. (Sun, 19 Nov 2017 16:12:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Pascal Giard <pascal@debian.org>. (Sun, 19 Nov 2017 16:12:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: sox: CVE-2017-15642: Use-after-free in lsx_aiffstartread
Date: Sun, 19 Nov 2017 17:09:25 +0100
Source: sox
Version: 14.4.1-5
Severity: important
Tags: security upstream
Forwarded: https://sourceforge.net/p/sox/bugs/298/

Hi,

the following vulnerability was published for sox.

CVE-2017-15642[0]:
| In lsx_aiffstartread in aiff.c in Sound eXchange (SoX) 14.4.2, there is
| a Use-After-Free vulnerability triggered by supplying a malformed AIFF
| file.

The issue can be verified via the poc in the upstream bug.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-15642
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15642
[1] https://sourceforge.net/p/sox/bugs/298/

Regards,
Salvatore



Added tag(s) pending. Request was from Jaromír Mikeš <mira.mikes@seznam.cz> to control@bugs.debian.org. (Mon, 20 Nov 2017 12:24:03 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#882144. (Mon, 20 Nov 2017 12:24:06 GMT)


Message #10 received at 882144-submitter@bugs.debian.org:

From: Jaromír Mikeš <mira.mikes@seznam.cz>
To: 882144-submitter@bugs.debian.org
Subject: Bug#882144 marked as pending
Date: Mon, 20 Nov 2017 12:21:34 +0000
tag 882144 pending
thanks

Hello,

Bug #882144 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://anonscm.debian.org/git/pkg-multimedia/sox.git/commit/?id=7d4c965

---
commit 7d4c965f7f2e7fb551f835033709b70e98f21021
Author: Jaromír Mikeš <mira.mikes@seznam.cz>
Date:   Mon Nov 20 13:21:14 2017 +0100

    Update changelog.

diff --git a/debian/changelog b/debian/changelog
index 20efa1f..6bb0342 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,9 @@
 sox (14.4.2-2) UNRELEASED; urgency=medium
 
   * Add patch to fix CVE-2017-15372. (Closes: #878808)
+  * Add patch to fix CVE-2017-15642. (Closes: #882144)
 
- -- Jaromír Mikeš <mira.mikes@seznam.cz>  Sun, 19 Nov 2017 15:03:25 +0100
+ -- Jaromír Mikeš <mira.mikes@seznam.cz>  Mon, 20 Nov 2017 13:20:59 +0100
 
 sox (14.4.2-1) experimental; urgency=medium
 
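Review bot: The added line `* Add patch to fix CVE-2017-15642. (Closes: #882144)` does not say which patch file carries the fix, and this commit touches only debian/changelog, so the diff that the pending notice links to shows no code change for the use-after-free. Suggest naming the patch file in the changelog entry and committing it together with this line (or referencing the commit that adds it), and replacing the subject "Update changelog." with one that mentions the CVE so the history is searchable.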



Reply sent to Jaromír Mikeš <mira.mikes@seznam.cz>:
You have taken responsibility. (Fri, 24 Nov 2017 09:24:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 24 Nov 2017 09:24:09 GMT)


Message #15 received at 882144-close@bugs.debian.org:

From: Jaromír Mikeš <mira.mikes@seznam.cz>
To: 882144-close@bugs.debian.org
Subject: Bug#882144: fixed in sox 14.4.2-2
Date: Fri, 24 Nov 2017 09:21:30 +0000
Source: sox
Source-Version: 14.4.2-2

We believe that the bug you reported is fixed in the latest version of
sox, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 882144@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jaromír Mikeš <mira.mikes@seznam.cz> (supplier of updated sox package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 24 Nov 2017 09:12:48 +0100
Source: sox
Binary: sox libsox3 libsox-fmt-base libsox-fmt-alsa libsox-fmt-ao libsox-fmt-mp3 libsox-fmt-oss libsox-fmt-pulse libsox-fmt-all libsox-dev
Architecture: source
Version: 14.4.2-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Jaromír Mikeš <mira.mikes@seznam.cz>
Description:
 libsox-dev - Development files for the SoX library
 libsox-fmt-all - All SoX format libraries
 libsox-fmt-alsa - SoX alsa format I/O library
 libsox-fmt-ao - SoX Libao format I/O library
 libsox-fmt-base - Minimal set of SoX format libraries
 libsox-fmt-mp3 - SoX MP2 and MP3 format library
 libsox-fmt-oss - SoX OSS format I/O library
 libsox-fmt-pulse - SoX PulseAudio format I/O library
 libsox3    - SoX library of audio effects and processing
 sox        - Swiss army knife of sound processing
Closes: 878808 882144 882236
Changes:
 sox (14.4.2-2) unstable; urgency=medium
 .
   * Upload to unstable to start transition.
   * Add patch to fix CVE-2017-15372. (Closes: #878808)
   * Add patch to fix CVE-2017-15642. (Closes: #882144)
   * Add patch to fix CVE-2017-11333 in vorbis lib. (Closes: #882236)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 21 Jan 2018 07:28:18 GMT)

