Bug#1032933: unblock: sox/14.4.2+git20190427-3.5
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: sox@packages.debian.org, security@debian.org
Control: affects -1 + src:sox
Please unblock package sox
[ Reason ]
I recently performed a security update of sox in unstable and that
happened to migrate to testing. Now it was reported (#1032082) that sox
would no longer be able to parse WAV GSM files. This turns out to be a
regression in my fix for CVE-2021-33844. The .5 upload fixes this
regression and adds a test case.
[ Impact ]
sox will be able to parse WAV GSM files again.
[ Tests ]
The patch adds a test case to the upstream test suite.
[ Risks ]
The diff is short, but the original change was believed not to be risky
already and it turned out to be bad, so keep your fingers crossed. I
would appreciate it if someone actually reviewed the change to avoid me
looking bad again.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
The bug was backported to stable and oldstable. We plan to update them
via a regression DSA and a regression DLA. SRM involvement not needed.
unblock sox/14.4.2+git20190427-3.5
Helmut
diff --minimal -Nru sox-14.4.2+git20190427/debian/changelog sox-14.4.2+git20190427/debian/changelog
--- sox-14.4.2+git20190427/debian/changelog 2023-02-07 22:21:09.000000000 +0100
+++ sox-14.4.2+git20190427/debian/changelog 2023-03-12 10:07:49.000000000 +0100
@@ -1,3 +1,11 @@
+sox (14.4.2+git20190427-3.5) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix regression in wav-gsm decodeing introduced via fixing CVE-2021-33844.
+ (Closes: #1032082)
+
+ -- Helmut Grohne <helmut@subdivi.de> Sun, 12 Mar 2023 10:07:49 +0100
+
sox (14.4.2+git20190427-3.4) unstable; urgency=medium
* Non-maintainer upload.
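Review bot: typo in the new changelog entry, `decodeing` should read `decoding` in `Fix regression in wav-gsm decodeing introduced via fixing CVE-2021-33844.`; the entry otherwise correctly closes the regression bug (#1032082).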
diff --minimal -Nru sox-14.4.2+git20190427/debian/patches/CVE-2021-33844.patch sox-14.4.2+git20190427/debian/patches/CVE-2021-33844.patch
--- sox-14.4.2+git20190427/debian/patches/CVE-2021-33844.patch 2023-01-28 19:34:07.000000000 +0100
+++ sox-14.4.2+git20190427/debian/patches/CVE-2021-33844.patch 2023-03-12 10:07:49.000000000 +0100
@@ -14,15 +14,22 @@
uint32_t wFmtSize;
uint16_t wExtSize = 0; /* extended field for non-PCM */
-@@ -587,6 +587,11 @@
- lsx_readdw(ft, &dwAvgBytesPerSec); /* Average bytes/second */
- lsx_readw(ft, &(wav->blockAlign)); /* Block align */
- lsx_readw(ft, &wBitsPerSample); /* bits per sample per channel */
-+ if (wBitsPerSample == 0)
-+ {
-+ lsx_fail_errno(ft, SOX_EHDR, "WAV file bits per sample is zero");
-+ return SOX_EOF;
-+ }
- len -= 16;
+@@ -954,6 +959,11 @@
+ break;
- if (wav->formatTag == WAVE_FORMAT_EXTENSIBLE)
+ default:
++ if (ft->encoding.bits_per_sample == 0)
++ {
++ lsx_fail_errno(ft, SOX_EHDR, "WAV file bits per sample is zero");
++ return SOX_EOF;
++ }
+ wav->numSamples = div_bits(qwDataLength, ft->encoding.bits_per_sample) / ft->signal.channels;
+ ft->signal.length = wav->numSamples * ft->signal.channels;
+ }
+--- a/src/testall.sh
++++ b/src/testall.sh
+@@ -67,3 +67,4 @@
+ t vox -r 8130
+ t wav
+ t wve
++t wav -e gsm-full-rate
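Review bot: moving the zero check from the header reader into the `default:` branch directly before `wav->numSamples = div_bits(qwDataLength, ft->encoding.bits_per_sample) / ft->signal.channels;` is the right narrowing: the removed check after `lsx_readw(ft, &wBitsPerSample)` rejected every file whose fmt chunk declares zero bits per sample, which is what broke WAV GSM, while the only division by that value visible in this patch is the one now guarded. Two things are worth confirming before accepting, because the patch-to-patch diff does not show them: that every format which falls through to `default:` has `ft->encoding.bits_per_sample` populated from `wBitsPerSample` by line 959, so the guard tests the same value the divisor uses, and that no `case` above the `break;` divides by bits per sample without its own guard. The same line also divides by `ft->signal.channels`, which this hunk leaves unchecked; either it is validated earlier or it deserves the same treatment. On the test side, `t wav -e gsm-full-rate` in testall.sh covers the regression, but nothing exercises the rejection path; a negative test with a header declaring zero bits per sample would keep the CVE-2021-33844 fix from being lost in a future refactor the same way the GSM path was.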