From 46984c446ed8df635e8966514e023a7b9b8e7628 Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Thu, 7 Dec 2023 11:00:54 +0800
Subject: [PATCH] Fix CVE-2021-33844,CVE-2023-32627,CVE-2021-23159,CVE-2023-34432,CVE-2023-34318,CVE-2021-23172,CVE-2021-3643,CVE-2021-23210,CVE-2022-31650,CVE-2023-26590,CVE-2022-31651,CVE-2023-32627,CVE-2017-18189

(cherry picked from commit 0ed405cfa79ab74517f10cb14b828f71e3e3c05f)
---
 CVE-2017-18189.patch | 27 +++++++++++++++++++++
 CVE-2021-23159.patch | 23 ++++++++++++++++++
 CVE-2021-33844.patch | 28 ++++++++++++++++++++++
 CVE-2021-3643.patch | 27 +++++++++++++++++++++
 CVE-2021-40426.patch | 35 +++++++++++++++++++++++++++
 CVE-2022-31650.patch | 56 ++++++++++++++++++++++++++++++++++++++++++++
 CVE-2022-31651.patch | 32 +++++++++++++++++++++++++
 CVE-2023-32627.patch | 31 ++++++++++++++++++++++++
 sox.spec | 33 ++++++++++++++++++++++----
 9 files changed, 288 insertions(+), 4 deletions(-)
 create mode 100644 CVE-2017-18189.patch
 create mode 100644 CVE-2021-23159.patch
 create mode 100644 CVE-2021-33844.patch
 create mode 100644 CVE-2021-3643.patch
 create mode 100644 CVE-2021-40426.patch
 create mode 100644 CVE-2022-31650.patch
 create mode 100644 CVE-2022-31651.patch
 create mode 100644 CVE-2023-32627.patch
diff --git a/CVE-2017-18189.patch b/CVE-2017-18189.patch
new file mode 100644
index 0000000..f7375d8
--- /dev/null
+++ b/CVE-2017-18189.patch
@@ -0,0 +1,27 @@
+A corrupt header specifying zero channels would send read_channels()
+into an infinite loop. Prevent this by sanity checking the channel
+count in open_read(). Also add an upper bound to prevent overflow
+in multiplication.
+---
+ src/xa.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/xa.c b/src/xa.c
+index 81a767720d93..9fc086eca2b2 100644
+--- a/src/xa.c
++++ b/src/xa.c
+@@ -143,6 +143,12 @@ static int startread(sox_format_t * ft)
+ lsx_report("User options overriding rate read in .xa header");
+ }
+
++ if (ft->signal.channels == 0 || ft->signal.channels > UINT16_MAX) {
++ lsx_fail_errno(ft, SOX_EFMT, "invalid channel count %d",
++ ft->signal.channels);
++ return SOX_EOF;
++ }
++
+ /* Check for supported formats */
+ if (ft->encoding.bits_per_sample != 16) {
+ lsx_fail_errno(ft, SOX_EFMT, "%d-bit sample resolution not supported.",
+--
+2.17.0
diff --git a/CVE-2021-23159.patch b/CVE-2021-23159.patch
new file mode 100644
index 0000000..ff810ed
--- /dev/null
+++ b/CVE-2021-23159.patch
@@ -0,0 +1,23 @@
+From: Helmut Grohne
+Subject: hcom: validate dictsize
+Bug: https://sourceforge.net/p/sox/bugs/350/
+Bug: https://sourceforge.net/p/sox/bugs/352/
+Bug-Debian: https://bugs.debian.org/1021133
+Bug-Debian: https://bugs.debian.org/1021134
+
+This patch fixes both CVE-2021-23159 and CVE-2021-23172.
+
+--- a/src/hcom.c
++++ b/src/hcom.c
+@@ -134,6 +134,11 @@
+ return (SOX_EOF);
+ }
+ lsx_readw(ft, &dictsize);
++ if (dictsize == 0 || dictsize > 511)
++ {
++ lsx_fail_errno(ft, SOX_EHDR, "Implausible dictionary size in HCOM header");
++ return SOX_EOF;
++ }
+
+ /* Translate to sox parameters */
+ ft->encoding.encoding = SOX_ENCODING_HCOM;
diff --git a/CVE-2021-33844.patch b/CVE-2021-33844.patch
new file mode 100644
index 0000000..735ae35
--- /dev/null
+++ b/CVE-2021-33844.patch
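Review bot: The added check in startread formats `ft->signal.channels` with `%d`, yet the same field is compared against `UINT16_MAX` on that line and is assigned from an `unsigned channels` parameter in the CVE-2022-31650 patch further down this page, so the conversion should be `%u`: `lsx_fail_errno(ft, SOX_EFMT, "invalid channel count %u",`. The bounds themselves match the stated goal of stopping the zero-channel loop and the multiplication overflow. startread continues outside the hunk, so it cannot be seen here whether the channel count could already have been rejected earlier.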
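Review bot: The upper bound in `if (dictsize == 0 || dictsize > 511)` is a bare constant; nothing in the hunk says whether 511 is the capacity of the dictionary table or a property of the HCOM format, and the next maintainer has no way to tell which side to update. Add a comment above the check such as `/* 511: presumably the most entries a Huffman dictionary over 256 byte values can have - confirm against the table allocation in hcom.c */` once the allocation (outside the hunk) has been checked. The `lsx_readw(ft, &dictsize);` result on the line above is still unchecked, so a truncated header reaches the new test with whatever `dictsize` held before; that is pre-existing but worth a glance while this code is being touched.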
@@ -0,0 +1,28 @@
+From: Helmut Grohne
+Subject: wav: reject 0 bits per sample to avoid division by zero
+Bug: https://sourceforge.net/p/sox/bugs/349/
+Bug-Debian: https://bugs.debian.org/1021135
+
+--- a/src/wav.c
++++ b/src/wav.c
+@@ -506,7 +506,7 @@
+ unsigned short wChannels; /* number of channels */
+ uint32_t dwSamplesPerSecond; /* samples per second per channel */
+ uint32_t dwAvgBytesPerSec;/* estimate of bytes per second needed */
+- uint16_t wBitsPerSample; /* bits per sample */
++ uint16_t wBitsPerSample = 0; /* bits per sample */
+ uint32_t wFmtSize;
+ uint16_t wExtSize = 0; /* extended field for non-PCM */
+
+@@ -587,6 +587,11 @@
+ lsx_readdw(ft, &dwAvgBytesPerSec); /* Average bytes/second */
+ lsx_readw(ft, &(wav->blockAlign)); /* Block align */
+ lsx_readw(ft, &wBitsPerSample); /* bits per sample per channel */
++ if (wBitsPerSample == 0)
++ {
++ lsx_fail_errno(ft, SOX_EHDR, "WAV file bits per sample is zero");
++ return SOX_EOF;
++ }
+ len -= 16;
+
+ if (wav->formatTag == WAVE_FORMAT_EXTENSIBLE)
diff --git a/CVE-2021-3643.patch b/CVE-2021-3643.patch
new file mode 100644
index 0000000..d7c13e9
--- /dev/null
+++ b/CVE-2021-3643.patch
@@ -0,0 +1,27 @@
+From: Helmut Grohne
+Date: Sat, 11 Nov 2023 18:18:40 +0100
+Subject: voc: word width should never be 0 to avoid division by zero
+
+Bug: https://sourceforge.net/p/sox/bugs/351/
+Bug-Debian: https://bugs.debian.org/1010374
+
+This patch fixes both CVE-2021-3643 and CVE-2021-23210.
+---
+ src/voc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/voc.c b/src/voc.c
+index f026178..f44933d 100644
+--- a/src/voc.c
++++ b/src/voc.c
+@@ -614,6 +614,10 @@ static int getblock(sox_format_t * ft)
+ v->rate = new_rate_32;
+ ft->signal.rate = new_rate_32;
+ lsx_readb(ft, &uc);
++ if (uc <= 1) {
++ lsx_fail_errno(ft, SOX_EFMT, "2 bits per word required");
++ return (SOX_EOF);
++ }
+ v->size = uc;
+ lsx_readb(ft, &(v->channels));
+ lsx_readw(ft, &(v->format)); /* ANN: added format */
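Review bot: The new guard rejects only `wBitsPerSample == 0`; if wav.c later reduces the width to bytes with a shift (the aiff hunk of the CVE-2022-31650 patch on this page does exactly that with `ft->encoding.bits_per_sample >> 3`), widths 1 through 7 still yield a zero divisor and the division-by-zero this patch targets survives. Confirm how the reader derives bytes per sample below this hunk; if it shifts, widen the condition to the set of widths the reader actually supports rather than testing for zero alone, and say so in a comment on the `if`, e.g. `/* 0 would divide by zero below; sub-byte widths need the same treatment if bytes are derived by >> 3 */`. The `= 0` initialiser in the first hunk is sound: it makes the early-exit paths before the read deterministic. The enclosing function starts and ends outside the hunk.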
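Review bot: Only the lower bound of the word width is checked in getblock (`if (uc <= 1)`), but the CVE-2023-32627 patch later on this page shows the same value used as `6 - v->size` in the `lsx_adpcm_init` call in read_samples, which goes negative for any width above 6; unless that path is provably reached only for widths 2 to 4 (not visible here), an upper bound belongs beside this check. The message `"2 bits per word required"` reads as if exactly 2 were required; `"word width must be at least 2 bits"` states what the condition actually tests. The function continues outside the hunk.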
diff --git a/CVE-2021-40426.patch b/CVE-2021-40426.patch
new file mode 100644
index 0000000..c1d024b
--- /dev/null
+++ b/CVE-2021-40426.patch
@@ -0,0 +1,35 @@
+From: Helmut Grohne
+Date: Sat, 11 Nov 2023 18:18:40 +0100
+Subject: sphere: avoid integer underflow
+
+Link: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1434
+Bug: https://sourceforge.net/p/sox/bugs/362/
+Bug-Debian: https://bugs.debian.org/1012138
+---
+ src/sphere.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/sphere.c b/src/sphere.c
+index a3fd1c6..9544d16 100644
+--- a/src/sphere.c
++++ b/src/sphere.c
+@@ -63,7 +63,8 @@ static int start_read(sox_format_t * ft)
+ return (SOX_EOF);
+ }
+
+- header_size -= (strlen(buf) + 1);
++ bytes_read = strlen(buf);
++ header_size -= bytes_read >= header_size ? header_size : bytes_read + 1;
+
+ while (strncmp(buf, "end_head", (size_t)8) != 0) {
+ if (strncmp(buf, "sample_n_bytes", (size_t)14) == 0)
+@@ -105,7 +106,8 @@ static int start_read(sox_format_t * ft)
+ return (SOX_EOF);
+ }
+
+- header_size -= (strlen(buf) + 1);
++ bytes_read = strlen(buf);
++ header_size -= bytes_read >= header_size ? header_size : bytes_read + 1;
+ }
+
+ if (!bytes_per_sample)
diff --git a/CVE-2022-31650.patch b/CVE-2022-31650.patch
new file mode 100644
index 0000000..c20605b
--- /dev/null
+++ b/CVE-2022-31650.patch
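Review bot: The clamp `header_size -= bytes_read >= header_size ? header_size : bytes_read + 1;` is written out twice in start_read with no comment, and the two copies must stay identical; a one-line helper such as `static size_t header_left(size_t left, size_t line_len) { return line_len >= left ? 0 : left - (line_len + 1); }` called as `header_size = header_left(header_size, strlen(buf));` at both sites keeps the rule in one place (adjust the types to those of `header_size` and `bytes_read`, which are declared outside the hunk). Failing that, put the same comment above both lines: `/* saturate at 0: a line longer than the remaining header must not wrap header_size */`. Once the clamp fires, `header_size` is 0 but the `end_head` loop keeps reading; the guard that stops it is above the hunk and should be checked for the `== 0` case.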
@@ -0,0 +1,56 @@
+From: Helmut Grohne
+Date: Sat, 11 Nov 2023 18:18:40 +0100
+Subject: formats+aiff: reject implausibly large number of channels
+
+Bug: https://sourceforge.net/p/sox/bugs/360/
+Bug-Debian: https://bugs.debian.org/1012516
+---
+ src/aiff.c | 5 +++++
+ src/formats_i.c | 10 ++++++++--
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/src/aiff.c b/src/aiff.c
+index 11ddb54..1476778 100644
+--- a/src/aiff.c
++++ b/src/aiff.c
+@@ -609,6 +609,11 @@ int lsx_aiffstartwrite(sox_format_t * ft)
+ At 48 kHz, 16 bits stereo, this gives ~3 hours of audio.
+ Sorry, the AIFF format does not provide for an indefinite
+ number of samples. */
++ if (ft->signal.channels >= (0x7f000000 / (ft->encoding.bits_per_sample >> 3)))
++ {
++ lsx_fail_errno(ft, SOX_EOF, "too many channels for AIFF header");
++ return SOX_EOF;
++ }
+ return(aiffwriteheader(ft, (uint64_t) 0x7f000000 / ((ft->encoding.bits_per_sample>>3)*ft->signal.channels)));
+ }
+
+diff --git a/src/formats_i.c b/src/formats_i.c
+index 5e264f8..602e044 100644
+--- a/src/formats_i.c
++++ b/src/formats_i.c
+@@ -19,6 +19,7 @@
+ */
+
+ #include "sox_i.h"
++#include
+ #include
+ #include
+ #include
+@@ -60,9 +61,14 @@ int lsx_check_read_params(sox_format_t * ft, unsigned channels,
+ if (ft->seekable)
+ ft->data_start = lsx_tell(ft);
+
+- if (channels && ft->signal.channels && ft->signal.channels != channels)
++ if (channels && ft->signal.channels && ft->signal.channels != channels) {
+ lsx_warn("`%s': overriding number of channels", ft->filename);
+- else ft->signal.channels = channels;
++ } else if (channels > SHRT_MAX) {
++ lsx_fail_errno(ft, EINVAL, "implausibly large number of channels");
++ return SOX_EOF;
++ } else {
++ ft->signal.channels = channels;
++ }
+
+ if (rate && ft->signal.rate && ft->signal.rate != rate)
+ lsx_warn("`%s': overriding sample rate", ft->filename);
diff --git a/CVE-2022-31651.patch b/CVE-2022-31651.patch
new file mode 100644
index 0000000..b579453
--- /dev/null
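Review bot: The new guard in lsx_aiffstartwrite divides by `ft->encoding.bits_per_sample >> 3`, which is 0 for any width below 8, so for such a width the check itself divides by zero before the existing `return(aiffwriteheader(...))` line would have; unless the caller guarantees widths of at least 8 (not visible here), test the width first: `if (ft->encoding.bits_per_sample < 8 || ft->signal.channels >= 0x7f000000 / (ft->encoding.bits_per_sample >> 3))`. Passing `SOX_EOF` as the errno argument of `lsx_fail_errno` is inconsistent with `EINVAL` in the formats_i.c hunk of the same patch and with `SOX_EFMT` elsewhere on this page; one convention per patch would help whoever reads the error. In the formats_i.c hunk the added `#include` line, like the three below it, has lost its header name in this rendering; `SHRT_MAX` comes from `<limits.h>` and `EINVAL` from `<errno.h>`, so check the patch file on disk actually carries the name.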
+++ b/CVE-2022-31651.patch
@@ -0,0 +1,32 @@
+From: Helmut Grohne
+Date: Sat, 11 Nov 2023 18:18:40 +0100
+Subject: formats: reject implausible rate
+
+Bug: https://sourceforge.net/p/sox/bugs/360/
+Bug-Debian: https://bugs.debian.org/1012516
+---
+ src/formats_i.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/formats_i.c b/src/formats_i.c
+index 602e044..63f8797 100644
+--- a/src/formats_i.c
++++ b/src/formats_i.c
+@@ -70,9 +70,15 @@ int lsx_check_read_params(sox_format_t * ft, unsigned channels,
+ ft->signal.channels = channels;
+ }
+
+- if (rate && ft->signal.rate && ft->signal.rate != rate)
++ if (rate && ft->signal.rate && ft->signal.rate != rate) {
+ lsx_warn("`%s': overriding sample rate", ft->filename);
+- else ft->signal.rate = rate;
++ /* Since NaN comparisons yield false, the negation rejects them. */
++ } else if (!(rate > 0)) {
++ lsx_fail_errno(ft, EINVAL, "invalid rate value");
++ return SOX_EOF;
++ } else {
++ ft->signal.rate = rate;
++ }
+
+ if (encoding && ft->encoding.encoding && ft->encoding.encoding != encoding)
+ lsx_warn("`%s': overriding encoding type", ft->filename);
diff --git a/CVE-2023-32627.patch b/CVE-2023-32627.patch
new file mode 100644
index 0000000..09389bd
--- /dev/null
+++ b/CVE-2023-32627.patch
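Review bot: The comment `/* Since NaN comparisons yield false, the negation rejects them. */` sits inside the warning branch, between `lsx_warn(...)` and `} else if`, so it reads as a remark on the override case rather than on the test it explains; move it to the line directly above `if (rate && ft->signal.rate && ft->signal.rate != rate) {` or append it to the `} else if (!(rate > 0)) {` line. If `rate` is floating point, as the comment implies, `!(rate > 0)` still accepts +Inf, which `!isfinite(rate) || !(rate > 0)` would close (with `<math.h>` in scope; the file's include block is only partly visible on this page). lsx_check_read_params starts and ends outside the hunk.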
@@ -0,0 +1,31 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?=
+Date: Sun, 13 Aug 2023 14:14:09 +0000
+Subject: CVE-2023-32627 Filter null sampling rate in VOC coder
+
+Avoid a divide by zero and out of bound read by rejecting null sampling rate in VOC file
+
+bug: https://sourceforge.net/p/sox/bugs/369/
+bug-redhat: https://bugzilla.redhat.com/show_bug.cgi?id=2212282
+bug-debian: https://bugs.debian.org/1041112
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2023-32627
+---
+ src/voc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/voc.c b/src/voc.c
+index f44933d..cad32fa 100644
+--- a/src/voc.c
++++ b/src/voc.c
+@@ -351,6 +351,11 @@ static size_t read_samples(sox_format_t * ft, sox_sample_t * buf,
+ v->block_remaining = 0;
+ return done;
+ }
++ if(uc == 0) {
++ lsx_fail_errno(ft, EINVAL, "invalid rate value");
++ v->block_remaining = 0;
++ return done;
++ }
+ *buf = SOX_UNSIGNED_8BIT_TO_SAMPLE(uc,);
+ lsx_adpcm_init(&v->adpcm, 6 - v->size, SOX_SAMPLE_TO_SIGNED_16BIT(*buf, ft->clips));
+ ++buf;
+
diff --git a/sox.spec b/sox.spec
index 814d7fe..e9e2192 100644
--- a/sox.spec
+++ b/sox.spec
@@ -1,6 +1,6 @@
 Name: sox
 Version: 14.4.2.0
-Release: 27
+Release: 29
 Summary: A general purpose sound file conversion tool
 License: GPLv2+ and LGPLv2+ and MIT
 URL: http://sox.sourceforge.net/
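Review bot: In the visible lines `uc` is converted with `SOX_UNSIGNED_8BIT_TO_SAMPLE` and handed to `lsx_adpcm_init` as the starting sample, so the message `"invalid rate value"` does not name what the guard rejects; the byte is read above the hunk, and if it really is a rate the surrounding code should make that visible, otherwise the message should name the quantity, e.g. `"invalid initial ADPCM sample"`. The `if(uc == 0)` spacing and the `EINVAL` code differ from `if (uc <= 1)` and `SOX_EFMT` in the other voc.c hunk on this page; matching the file's style avoids two conventions in one function. read_samples continues outside the hunk.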
@@ -17,13 +17,29 @@
 Patch1003: sox-14.4.2-bug_1510923_fix.patch
 Patch1004: sox-14.4.2-hcom_stopwrite_big_endian_bug_fix.patch
 Patch1005: sox-14.4.2-bug_1226675_fix.patch
 Patch1006: sox-14.4.2-bug_1480678_fix.patch
+# - upstream patch: https://sourceforge.net/p/sox/mailman/sox-devel/thread/20180426131552.29249-9-mans@mansr.com/#msg36303839
+Patch1007: CVE-2017-18189.patch
+# https://sources.debian.org/src/sox/14.4.2%252Bgit20190427-4/debian/patches/
+Patch1008: CVE-2021-33844.patch
+Patch1009: CVE-2023-32627.patch
+# CVE-2021-23159 is the same as CVE-2023-34432,CVE-2023-34318,CVE-2021-23172
+Patch1010: CVE-2021-23159.patch
+# CVE-2021-3643 is the same as CVE-2021-23210
+Patch1011: CVE-2021-3643.patch
+# CVE-2022-31650 is the same as CVE-2023-26590
+Patch1012: CVE-2022-31650.patch
+Patch1013: CVE-2022-31651.patch
+Patch1014: CVE-2023-32627.patch
+
+# Tests:
 Patch9000: sox-14.4.2-installcheck_fix.patch
+
 BuildRequires: gcc, libvorbis-devel, alsa-lib-devel, libtool-ltdl-devel
 BuildRequires: gsm-devel, wavpack-devel, ladspa-devel, libpng-devel
 BuildRequires: flac-devel, libao-devel, libsndfile-devel, libid3tag-devel
 BuildRequires: pulseaudio-libs-devel, opusfile-devel
 BuildRequires: libtool, libmad-devel, lame-devel, twolame-devel
-BuildRequires: python3, time, libsamplerate-devel, git
+BuildRequires: python3, time, libsamplerate-devel
 %description
 SoX is a cross-platform (Windows, Linux, MacOS X, etc.) command line utility
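Review bot: `CVE-2023-32627.patch` is listed twice, as `Patch1009` and again as `Patch1014`, while `CVE-2021-40426.patch`, which this commit adds according to the diffstat, is referenced by no PatchN line at all; `%autosetup -p1` applies every PatchN in order, so the second application of the same file is reported as already applied and the build fails, and the sphere.c fix is never applied either way. Change the last line to `Patch1014: CVE-2021-40426.patch` and list that CVE in the changelog entry, which currently names CVE-2023-32627 twice instead. Ordering is also worth a look: `Patch1009` patches voc.c against blob `f44933d`, which is what `Patch1011` produces, so applying them in the order the index lines imply (1011 before the 32627 patch) avoids relying on offset matching.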
@@ -43,14 +59,14 @@ which will use the SoX sound file format converter.
 %package_help
 
 %prep
-%autosetup -n %{name}-downstream-%{name}-%{version}.modified -Sgit -p1
+%autosetup -n %{name}-downstream-%{name}-%{version}.modified -p1
 autoreconf -vfi
 cp ${RPM_SOURCE_DIR}/binpatch.py binpatch.py
 
 %build
 CFLAGS="$RPM_OPT_FLAGS -D_FILE_OFFSET_BITS=64"
 %configure --without-lpc10 --with-gsm --includedir=%{_includedir}/sox \
- --disable-static --with-distro=openEuler --with-dyn-default
+ --disable-static --with-distro=%{_vendor} --with-dyn-default
 make V=1 %{?_smp_mflags}
 
 %install
@@ -115,6 +131,15 @@ mv $libsox_so.orig $libsox_so
 %{_mandir}/man3/*
 
 %changelog
+* Thu Dec 07 2023 wangkai <13474090681@163.com> - 14.4.2.0-29
+- Fix CVE-2021-33844,CVE-2023-32627,CVE-2021-23159,CVE-2023-34432
+- CVE-2023-34318,CVE-2021-23172,CVE-2021-3643,CVE-2021-23210
+- CVE-2022-31650,CVE-2023-26590,CVE-2022-31651,CVE-2023-32627
+- CVE-2017-18189
+
+* Fri Jul 30 2021 chenyanpanHW - 14.4.2.0-28
+- DESC: delete -Sgit from %autosetup, and delete BuildRequires git
+
 * Fri Apr 3 2020 duyeyu - 14.4.2.0-27
 - Modify configure parameters
 
-- Gitee