
Bug#1012516: marked as done (sox: CVE-2022-31650 CVE-2022-31651)



Your message dated Fri, 03 Feb 2023 09:51:16 +0000
with message-id <E1pNsiy-00HJI2-QT@fasolo.debian.org>
and subject line Bug#1012516: fixed in sox 14.4.2+git20190427-3.1
has caused the Debian Bug report #1012516,
regarding sox: CVE-2022-31650 CVE-2022-31651
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1012516: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012516
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: sox
X-Debbugs-CC: team@security.debian.org
Severity: normal
Tags: security

Hi,

The following vulnerabilities were published for sox.

CVE-2022-31650[0]:
| In SoX 14.4.2, there is a floating-point exception in
| lsx_aiffstartwrite in aiff.c in libsox.a.

CVE-2022-31651[1]:
| In SoX 14.4.2, there is an assertion failure in rate_init in rate.c in
| libsox.a.

https://sourceforge.net/p/sox/bugs/360/

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-31650
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31650
[1] https://security-tracker.debian.org/tracker/CVE-2022-31651
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31651

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: sox
Source-Version: 14.4.2+git20190427-3.1
Done: Helmut Grohne <helmut@subdivi.de>

We believe that the bug you reported is fixed in the latest version of
sox, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1012516@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Helmut Grohne <helmut@subdivi.de> (supplier of updated sox package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 03 Feb 2023 10:21:33 +0100
Source: sox
Architecture: source
Version: 14.4.2+git20190427-3.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Helmut Grohne <helmut@subdivi.de>
Closes: 933372 1010374 1012138 1012516 1021133 1021134 1021135
Changes:
 sox (14.4.2+git20190427-3.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix some resource leaks.
   * Fix regression in hcom reader introduced via CVE-2017-11358. (Closes:
     #933372)
   * Enable test suite.
   * Fix CVE-2021-3643 and CVE-2021-23210: voc validation (Closes: #1010374)
   * Fix CVE-2021-23159 and CVE-2021-23172: hcom validation
     (Closes: #1021133, #1021134)
   * Fix CVE-2021-33844: wav validation (Closes: #1021135)
   * Fix CVE-2021-40426: sphere validation (Closes: #1012138)
   * Fix CVE-2022-31650: aiff validation (Closes: #1012516)
   * Fix CVE-2022-31651: reject implausible rate (Closes: #1012516)
   * Fix CVE-unassigned: integer overflow
   * Silence dh_missing
   * Add an autopkgtest
Checksums-Sha1:
 e2bfc26379a8a491e590ab1af486a632757bb48f 2898 sox_14.4.2+git20190427-3.1.dsc
 f8d6a4f30e1cc2d89340b86b0d28c7f33ff2226a 27384 sox_14.4.2+git20190427-3.1.debian.tar.xz
 54fe55e9c1753a1a1732513bc035901f28c6182c 13860 sox_14.4.2+git20190427-3.1_amd64.buildinfo
Checksums-Sha256:
 aec695f99d89e611226b0960407c8cd32e6e27d28f6e1cb1beaac2f67b0f227f 2898 sox_14.4.2+git20190427-3.1.dsc
 17b7da679664821cac7a68c87a0d955d0b9b156129d88e1539b7100d55b2eceb 27384 sox_14.4.2+git20190427-3.1.debian.tar.xz
 45152ba130add53407d2ff9065ae55836e69f128809a5e399caeb0c948aac7c0 13860 sox_14.4.2+git20190427-3.1_amd64.buildinfo
Files:
 05def8077065c9b52205f750c8d3d790 2898 sound optional sox_14.4.2+git20190427-3.1.dsc
 7d9c2e7b6888b5b7059ca0278caf02c1 27384 sound optional sox_14.4.2+git20190427-3.1.debian.tar.xz
 69ace3b8afa173335571506aa9445456 13860 sound optional sox_14.4.2+git20190427-3.1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
