Headline
Debian Security Advisory 5356-1
Debian Linux Security Advisory 5356-1 - Multiple security issues were discovered in Sox, the Swiss Army knife of sound processing programs, which could result in denial of service or potentially the execution of arbitrary code if a malformed audio file is processed.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Debian Security Advisory DSA-5356-1 [email protected]
https://www.debian.org/security/ Moritz Muehlenhoff
February 20, 2023 https://www.debian.org/security/faq
Package : sox
CVE ID : CVE-2021-3643 CVE-2021-23159 CVE-2021-23172 CVE-2021-23210
CVE-2021-33844 CVE-2021-40426 CVE-2022-31650 CVE-2022-31651
Debian Bug : 1010374 1012138 1012516 1021133 1021134 1021135
Multiple security issues were discovered in Sox, the Swiss Army knife of
sound processing programs, which could result in denial of service or
potentially the execution of arbitrary code if a malformed audio file
is processed.
For the stable distribution (bullseye), these problems have been fixed in
version 14.4.2+git20190427-2+deb11u1.
We recommend that you upgrade your sox packages.
For the detailed security status of sox please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/sox
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: [email protected]
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmPzxOgACgkQEMKTtsN8
TjYaEhAAlz/kw36CztzPYWoje596qLuQKtTWW6AHLRvE1jOcum2ymDmEqePfjg+b
HXQPGGhU8Fd6StyXFnqrCW7pvrhcIcQNYZfUqvTcmIlOTdumyZxpoIBaRIk7m68H
MFd7o0Nc7/fJpHyAw4Oobn+kyZj1Tf3uoiHrqZS45RUG02jIIKV+7rkYxE7qIzHi
HiS9IBIpeBGljQ4RyLZ+eyNNQuF+7X7Ep29aym6l2nsOSHkDZETvpHKj+4TrMPvZ
QLQJ3hrbPoTIHQtsWWbDX8WD3NwXOBRCXwxIOlnXhjiFN5Toc7x0YB0mTdzmXYQ8
LWex4xDYtM/tJE4oipCV3/iD/c/d9Q3F0y1ielQeVuA6YEdTkLp1RoBUkMeWhXIy
LoDjmOdzNIHPX/8EfPSup83Adwv7Py8g7ZbNWj/FRhUjtpP8j54TD8y3uHQkPmoN
E6UXylMOkckcIO/RjrbNLCWhvtJ3xgTwWZCGurbkA4okVvXvOyS6h+A77OW5CkDq
Xh3hRlsHjsvhjJc5J504r0r4fBulfkrnegoDJEzl9LvPIFtXmx6HZlkVuzMam30o
7neR5Rw2cPd8l0uMsJXevW6xBMB42eAUXd2bhmw7iXNUIOVxZaGMspgHxhI8dkSb
GxmPtBNaUQqtcqSRTzSoKVqkD/rarnjUnMStvxeGd6X1PUU7qJw=+n6U
-----END PGP SIGNATURE-----
Related news
Ubuntu Security Notice 5904-2 - USN-5904-1 fixed vulnerabilities in SoX. It was discovered that the fix for CVE-2021-33844 was incomplete. This update fixes the problem. Helmut Grohne discovered that SoX incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM, and Ubuntu 18.04 LTS.
Ubuntu Security Notice 5904-1 - Helmut Grohne discovered that SoX incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 18.04 LTS. Helmut Grohne discovered that SoX incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service.
A floating point exception (divide-by-zero) issue was discovered in SoX in functon read_samples() of voc.c file. An attacker with a crafted file, could cause an application to crash.
A floating point exception (divide-by-zero) issue was discovered in SoX in functon startread() of wav.c file. An attacker with a crafted wav file, could cause an application to crash.
A vulnerability was found in SoX, where a heap-buffer-overflow occurs in function lsx_read_w_buf() in formats_i.c file. The vulnerability is exploitable with a crafted file, that could cause an application to crash.
A vulnerability was found in SoX, where a heap-buffer-overflow occurs in function startread() in hcom.c file. The vulnerability is exploitable with a crafted hcomn file, that could cause an application to crash.
In SoX 14.4.2, there is an assertion failure in rate_init in rate.c in libsox.a.
A flaw was found in sox 14.4.1. The lsx_adpcm_init function within libsox leads to a global-buffer-overflow. This flaw allows an attacker to input a malicious file, leading to the disclosure of sensitive information.
A heap-based buffer overflow vulnerability exists in the sphere.c start_read() functionality of Sound Exchange libsox 14.4.2 and master commit 42b3557e. A specially-crafted file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.