
Bug#932082: marked as done (sox: CVE-2019-13590)



Your message dated Sun, 09 Feb 2020 10:50:17 +0000
with message-id <E1j0kAL-000FzD-MS@fasolo.debian.org>
and subject line Bug#932082: fixed in sox 14.4.2+git20190427-2
has caused the Debian Bug report #932082,
regarding sox: CVE-2019-13590
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
932082: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932082
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: sox
Version: 14.4.2+git20190427-1
Severity: important
Tags: security upstream
Forwarded: https://sourceforge.net/p/sox/bugs/325/

Hi,

The following vulnerability was published for sox.

CVE-2019-13590[0]:
| An issue was discovered in libsox.a in SoX 14.4.2. In sox-fmt.h
| (startread function), there is an integer overflow on the result of
| integer addition (wraparound to 0) fed into the lsx_calloc macro that
| wraps malloc. When a NULL pointer is returned, it is used without a
| prior check that it is a valid pointer, leading to a NULL pointer
| dereference on lsx_readbuf in formats_i.c.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-13590
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13590
[1] https://sourceforge.net/p/sox/bugs/325/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
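The bug class described in the CVE text above (a 32-bit length from the file plus 1 wrapping to 0, a calloc-style wrapper turning the zero-byte request into NULL, and that NULL then being written through) is easier to reason about with the pattern isolated. The C below is an added example, not SoX code and not the Debian patch: the header layout, the function names (`vulnerable_read_comment`, `hardened_read_comment`, `model_calloc`), the outcome codes and the assumption that the allocator wrapper returns NULL for a zero-byte request are all constructed for this illustration. The vulnerable variant reports the point at which the real code would dereference NULL instead of crashing, so both shapes can be run side by side on the same constructed input.

```c
/* Added example (not SoX code): a model of the CVE-2019-13590 pattern.
 * A 32-bit length read from an untrusted header has 1 added to it; the sum
 * wraps to 0, a calloc-style wrapper turns the zero-byte request into NULL,
 * and the NULL is then written through. The header layout, function names and
 * the wrapper's behaviour are assumptions made for this example. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Outcomes returned so a caller can see which path was taken. */
enum outcome { OK = 0, ERR_SHORT = 1, ERR_OVERFLOW = 2, ERR_ALLOC = 3, WOULD_DEREF_NULL = 4 };

/* Hypothetical allocator wrapper, assumed (as the advisory describes for
 * lsx_calloc) to hand back NULL when the requested size is zero. */
static void *model_calloc(size_t n, size_t size)
{
    if (n == 0 || size == 0)
        return NULL;
    return calloc(n, size);
}

/* Little-endian 32-bit read; the constructed header starts with such a count. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable shape: count + 1 computed in 32 bits, result passed to the
 * allocator, return value used without a NULL check. Instead of crashing we
 * report WOULD_DEREF_NULL at the point the real code would dereference NULL. */
int vulnerable_read_comment(const uint8_t *hdr, size_t hdr_len, char **out)
{
    if (hdr_len < 4)
        return ERR_SHORT;
    uint32_t count = le32(hdr);
    uint32_t alloc = count + 1;               /* 0xFFFFFFFF + 1 wraps to 0 */
    char *buf = model_calloc(alloc, 1);       /* zero bytes -> NULL */
    if (buf == NULL)
        return WOULD_DEREF_NULL;              /* original code: no check here */
    size_t avail = hdr_len - 4;
    size_t n = count < avail ? count : avail;
    memcpy(buf, hdr + 4, n);
    buf[n] = '\0';
    *out = buf;
    return OK;
}

/* Hardened shape: reject the count before arithmetic can wrap, bound it by the
 * bytes actually present, and treat a NULL allocation as an error. */
int hardened_read_comment(const uint8_t *hdr, size_t hdr_len, char **out)
{
    if (hdr_len < 4)
        return ERR_SHORT;
    uint32_t count = le32(hdr);
    if (count == UINT32_MAX)                  /* count + 1 would wrap */
        return ERR_OVERFLOW;
    if (count > hdr_len - 4)                  /* more bytes claimed than present */
        return ERR_SHORT;
    char *buf = model_calloc((size_t)count + 1, 1);
    if (buf == NULL)
        return ERR_ALLOC;
    memcpy(buf, hdr + 4, count);
    buf[count] = '\0';
    *out = buf;
    return OK;
}

/* Constructed inputs: a crafted header whose count is 0xFFFFFFFF, and a benign
 * one carrying the 5-byte comment "hello". */
const uint8_t crafted_header[] = { 0xFF, 0xFF, 0xFF, 0xFF };
const uint8_t benign_header[]  = { 0x05, 0x00, 0x00, 0x00, 'h', 'e', 'l', 'l', 'o' };

int main(void)
{
    char *comment = NULL;
    int v  = vulnerable_read_comment(crafted_header, sizeof crafted_header, &comment);
    int h  = hardened_read_comment(crafted_header, sizeof crafted_header, &comment);
    int ok = hardened_read_comment(benign_header, sizeof benign_header, &comment);
    free(comment);
    return (v == WOULD_DEREF_NULL && h == ERR_OVERFLOW && ok == OK) ? 0 : 1;
}
```

The two checks in the hardened variant are independent and both are needed: the `UINT32_MAX` test stops the wraparound before the allocation size is computed, and the comparison against the bytes actually present stops a large but non-wrapping count from driving an oversized allocation or an over-read of the header. Checking the allocator's return value is the last line of defence, not a substitute for either.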
--- Begin Message ---
Source: sox
Source-Version: 14.4.2+git20190427-2

We believe that the bug you reported is fixed in the latest version of
sox, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 932082@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dennis Braun <d_braun@kabelmail.de> (supplier of updated sox package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 09 Feb 2020 11:36:08 +0100
Source: sox
Architecture: source
Version: 14.4.2+git20190427-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Dennis Braun <d_braun@kabelmail.de>
Closes: 932082
Changes:
 sox (14.4.2+git20190427-2) unstable; urgency=medium
 .
   [ Ondřej Nový ]
   * Use debhelper-compat instead of debian/compat
 .
   [ Dennis Braun ]
   * Add patch to fix CVE-2019-13590.
     Thanks to Salvatore Bonaccorso. (Closes: #932082)
   * d/control:
     + Bump dh-compat to 12
     + Bump Standards-Version to 4.5.0
     + Add me as uploader
     + Set RRR: no
Checksums-Sha1:
 3d7718084655c041ab44a0d95966c04169744205 2826 sox_14.4.2+git20190427-2.dsc
 c70b7f29c41651b29ae06ebf9cdc774b3d9bd806 24320 sox_14.4.2+git20190427-2.debian.tar.xz
Checksums-Sha256:
 6b13643b1c4c1b524a80ab49e9ea10814f15fc8b2a64179482ecc1225105b42e 2826 sox_14.4.2+git20190427-2.dsc
 2485bd4e591235630f4004b33675f33c25b194f0655e49f7faa502f6ff79f2c1 24320 sox_14.4.2+git20190427-2.debian.tar.xz
Files:
 fd98f106daf7fa6c94673af323e313c0 2826 sound optional sox_14.4.2+git20190427-2.dsc
 82cbfdf6ee05b67f60dc1dbc9e09bea2 24320 sound optional sox_14.4.2+git20190427-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE94y6B4F7sUmhHTOQafL8UW6nGZMFAl4/4TAACgkQafL8UW6n
GZPdQg//dckAtAEI1Ay/SjFkwBIButkItV4PLV0uMZRFp3UZAKs0pbpuBVbt5LcM
HOLuSB155eBx3oIitcNY2cwgf/E3lQgQH2FJGPEn1iKFaaEGjliSV0uOur9/WUpB
hx6hfQTJYULM62MhartMHwZhG5yzEzvgXtSZi6dhC2VFIgDkEbtM39CP6bDt8hYi
dTO1ODTWIAUPrDoFx1YbPbyIRKxwtduAHPnBAwp6f8ipDPKoNPH61wkfL6D7xldj
JE4qu5pGYfL1wROZCoTj7xKRbLO7Q+3qpyOm4uLTRC2v99EBV4LSqN5oA2XB/R+G
QpnPrAgLT11WJpRPm//6VtuU9J0l6bXbPWUWNaWyUCjcVSkNW2S4yJdWocsyM5YK
ZEza+eCMW1twHt86wYHitKXTd1RUevQKeY5wAKBco/LtiHjFutA1pwVhTmWcuTqE
4+tDd6jq4s9dkSCXuJyTBJ11rKF4kaDLokFZqLVfJ+j+6Kq8vZcZhWN2mF5ZlsoH
ehFuWkCtnAHUWrkZG3uYLX3JwxcavbUnMJQG4HgJ7RzOZpQ5pGJU/AZvMi+qlVH7
0P7aAZg0JzLC9SsZDQNeORU4Rrc+5ix/pv2TP5xd/2x8GP01B2IFLuL75QbDaQpK
7ZkQRVSZuJBBnUkXgSfMRbwEJSTBMEG4Sur+VWi88OSUfba9DLU=
=wTKz
-----END PGP SIGNATURE-----

--- End Message ---
