Re: What to do with sox



On Mon, Jun 27, 2022 at 04:01:46PM +0200, Enrico Zini wrote:
> Hello,
> 
> every once in a while I have a look at sox, which has many CVEs open and
> no updates since 3 months, wondering what could be done about it.
> 
> It seems that all the CVEs have reproducers but not patches. Should I
> try to work on patches for some of them? I don't mind doing it but it
> may be nontrivial work, as it may require reading up on the specific
> audio formats involved.
> 
> Otherwise, should the issues that have been without patches for months
> now be tagged with no-dsa for the time being, as most of them are for
> buster and bullseye?

The only relevant open CVE ID for sox is CVE-2021-40426, the other ones
are completely negligible. But it's unclear to which extent CVE-2021-40426
was reported upstream, https://talosintelligence.com/vulnerability_reports/TALOS-2021-1434
mentions "2022-01-14 - Follow up with vendor; vendor acknowledged", but it's
e.g. not found in the existing bug tracker, so I think reporting it in their
tracker with a question of the status of a patch is a sensible first step.
If they state they are too busy, work could resume on writing one.

Cheers,
        Moritz
