Bug#1125289: sox: Switch to or add sox_ng

To: Martin Guy <martinwguy@gmail.com>, 1125289@bugs.debian.org
Subject: Bug#1125289: sox: Switch to or add sox_ng
From: Sebastian Ramacher <sramacher@debian.org>
Date: Mon, 12 Jan 2026 10:35:43 +0100
Message-id: <[🔎] aWTAb_kGMTl19yet@ramacher.at>
Reply-to: Sebastian Ramacher <sramacher@debian.org>, 1125289@bugs.debian.org
In-reply-to: <[🔎] 176818674112.7329.12186832875918242732.reportbug@giacomo>
References: <[🔎] 176818674112.7329.12186832875918242732.reportbug@giacomo> <[🔎] 176818674112.7329.12186832875918242732.reportbug@giacomo>

Control: severity -1 normal
Control: merge 1108753 -1

On 2026-01-12 03:59:01 +0100, Martin Guy wrote:
> Package: sox
> Version: 14.4.2+git20190427-5+b3
> Severity: important
> X-Debbugs-Cc: martinwguy@gmail.com
> 
> sox_ng forked from sox.sf.net in May 2024. fixes all 20 or so CVEs,
> some of which could lead to code injection using crafted malformed
> compressed format files (whic is why I mark it as "important").

There is already #1108753. The upload for the switch is already in NEW.

Cheers

> 
> It also fixes other bugs, SEGVs and stuff, adds support for dozens
> more formats and has grown a few more effects.
> 
> There are several release lines, currently at 14.4.5 to 14.7.0
> for bug-fix only to more and more new features
> and they can be configured to replace the standard sox filenames
> with links to _ng or can live side by side. Most distros are deciding
> to replace, as it is backwards-compatible, and the latest stable release
> seems stable.
> 
> https://codeberg.org/sox_ng/sox_ng
> 
> I'm on good terms with all the original developers I've contacted and one
> has been murmuring for a year or so about importing the _ng fixes to sox.sf.net
> but they are presumed busy doing much more interesting things.
> 
> Blessings & keep up the good work
> 
>    M
> 
> -- System Information:
> Debian Release: 13.1
>   APT prefers stable
>   APT policy: (500, 'stable')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
> 
> Kernel: Linux 6.12.43+deb13-amd64 (SMP w/4 CPU threads; PREEMPT)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
> 
> Versions of packages sox depends on:
> ii  libc6             2.41-12
> ii  libsox-fmt-alsa   14.4.2+git20190427-5+b3
> ii  libsox-fmt-ao     14.4.2+git20190427-5+b3
> ii  libsox-fmt-base   14.4.2+git20190427-5+b3
> ii  libsox-fmt-oss    14.4.2+git20190427-5+b3
> ii  libsox-fmt-pulse  14.4.2+git20190427-5+b3
> ii  libsox3           14.4.2+git20190427-5+b3
> 
> sox recommends no packages.
> 
> Versions of packages sox suggests:
> ii  libsox-fmt-all  14.4.2+git20190427-5+b3
> 
> -- no debconf information
> 

-- 
Sebastian Ramacher

Reply to:

Follow-Ups:
- Bug#1125289: sox: Switch to or add sox_ng
  - From: Martin Guy <martinwguy@gmail.com>

References:
- Bug#1125289: sox: Switch to or add sox_ng
  - From: Martin Guy <martinwguy@gmail.com>

Prev by Date: Bug#1125289: sox: Switch to or add sox_ng
Next by Date: Processed (with 1 error): Re: Bug#1125289: sox: Switch to or add sox_ng
Previous by thread: Bug#1125289: sox: Switch to or add sox_ng
Next by thread: Bug#1125289: sox: Switch to or add sox_ng
Index(es):
- Date
- Thread