Opened May 31, 2019 by Alicha CH@alichaReporter
sox: Multiple vulnerabilities (CVE-2019-8354, CVE-2019-8355, CVE-2019-8356, CVE-2019-8357)

CVE-2019-8354: An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c has an integer
overflow on the result of multiplication fed into malloc. When the buffer is allocated, it is smaller than expected,
leading to a heap-based buffer overflow.

Reference:

https://sourceforge.net/p/sox/bugs/319

Patch:

https://sourceforge.net/p/sox/code/ci/f8587e2d50dad72d40453ac1191c539ee9e50381/

CVE-2019-8355: An issue was discovered in SoX 14.4.2. In xmalloc.h, there is an integer overflow on the result of
multiplication fed into the lsx_valloc macro that wraps malloc. When the buffer is allocated, it is smaller than expected,
leading to a heap-based buffer overflow in channels_start in remix.c.

Reference:

https://sourceforge.net/p/sox/bugs/320

Patch:

https://sourceforge.net/p/sox/code/ci/f8587e2d50dad72d40453ac1191c539ee9e50381/

CVE-2019-8356: An issue was discovered in SoX 14.4.2. One of the arguments to bitrv2 in fft4g.c is not guarded, such that
it can lead to write access outside of the statically declared array, aka a stack-based buffer overflow.

Reference:

https://sourceforge.net/p/sox/bugs/321

Patch:

https://sourceforge.net/p/sox/code/ci/b7883ae1398499daaa926ae6621f088f0f531ed8/

CVE-2019-8357: An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c allows a NULL pointer dereference.

Reference:

https://sourceforge.net/p/sox/bugs/318

Patch:

https://sourceforge.net/p/sox/code/ci/2ce02fea7b350de9ddfbcf542ba4dd59a8ab255b/
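The first two CVEs above share one root cause: an element count multiplied by an element size wraps around in `size_t`, so `malloc` receives a small number and the later writes run past the allocation. CVE-2019-8356 is the related case of a caller-supplied count that is never compared against a fixed array's capacity. The following is an added illustration of the defensive pattern that closes both classes of bug; it is not SoX's code, and `checked_mul`, `alloc_array_checked`, `fill_bitrev_table` and `BITREV_CAPACITY` are names invented here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Naive size computation as a vulnerable allocator would do it:
 * n * elem is evaluated modulo SIZE_MAX + 1, so a large n silently
 * yields a tiny byte count. Returned here only so the wrap is visible. */
size_t naive_bytes(size_t n, size_t elem)
{
    return n * elem;
}

/* Portable overflow-checked multiply: returns 1 and stores n * elem in
 * *out when the product fits in size_t, returns 0 (and leaves *out
 * untouched) when it would wrap. The division test avoids relying on
 * compiler builtins such as __builtin_mul_overflow. */
int checked_mul(size_t n, size_t elem, size_t *out)
{
    if (elem != 0 && n > SIZE_MAX / elem)
        return 0;
    *out = n * elem;
    return 1;
}

/* Allocation wrapper that refuses to allocate when the size wraps.
 * Callers must handle NULL, which covers both overflow and a real
 * out-of-memory condition. */
void *alloc_array_checked(size_t n, size_t elem)
{
    size_t bytes;
    if (!checked_mul(n, elem, &bytes))
        return NULL;
    if (bytes == 0)
        bytes = 1; /* malloc(0) may legally return NULL; keep the result unambiguous */
    return malloc(bytes);
}

/* Fixed-capacity table standing in for a statically declared array that
 * receives a caller-controlled entry count (hypothetical capacity value). */
#define BITREV_CAPACITY 64

/* Guarded fill: writes n entries only if they fit in the caller's table
 * of cap entries. Returns the number of entries written, or 0 when the
 * request exceeds the capacity, instead of writing past the end. */
size_t fill_bitrev_table(unsigned *table, size_t cap, size_t n)
{
    if (table == NULL || n > cap)
        return 0;
    for (size_t i = 0; i < n; i++)
        table[i] = (unsigned)(n - 1 - i); /* placeholder content, reversed index */
    return n;
}

int main(void)
{
    /* Constructed count chosen so that n * 8 wraps to a small value. */
    size_t n = SIZE_MAX / 4 + 2;
    size_t bytes;

    /* The naive product wraps; the checked version reports failure. */
    (void)naive_bytes(n, 8);
    if (!checked_mul(n, 8, &bytes))
        bytes = 0;

    unsigned table[BITREV_CAPACITY];
    (void)fill_bitrev_table(table, BITREV_CAPACITY, BITREV_CAPACITY + 1);

    void *p = alloc_array_checked(16, sizeof(unsigned));
    free(p);
    return 0;
}
```

The division check in `checked_mul` is the same test that `calloc` performs internally in glibc and musl, so replacing `malloc(n * size)` with `calloc(n, size)` is the quickest fix when zero-initialised memory is acceptable; otherwise keep the explicit check in front of `malloc`, as the SoX patches linked above do in their own helpers.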

(from redmine: issue id 10522, created on 2019-05-31)

  • Relations:
    • child #10523 (closed)
    • child #10524 (closed)
Labels: Normal tag:security type:bug
Reference: alpine/aports#10522