Bug#1125289: sox: Switch to or add sox_ng
On Mon, 12 Jan 2026 at 08:55, Thorsten Alteholz <debian@alteholz.de> wrote:
> On 12.01.26 03:59, Martin Guy wrote:
> > fixes all 20 or so CVEs,
> > some of which could lead to code injection using crafted malformed
> > compressed format files (which is why I mark it as "important").
>
> Can you please be a bit more verbose about what you mean with this?
> According to [1] there are no open CVEs in the Debian package.
> [1] https://security-tracker.debian.org/tracker/source-package/sox
Sure. That seems based on a git snapshot from sox.sf.net which claims
to fix some CVEs but doesn't really, and the test suite for the CVEs run
against Debian SoX says (here "BUG-*" are for bugs reported on sox.sf.net,
"LOOP" means it ran into an infinite loop, "SUCC" means it reported success
when it should have failed, "VOID" that the test couldn't be run because plain
sox doesn't have the effect or format in question, and "SEGV" and "ABRT" mean
it dies of those):
BUG-293: FAIL
BUG-297: OK
BUG-298: OK
BUG-305: LOOP
BUG-320: OK
BUG-327: VOID
BUG-331: OK
BUG-333: OK
BUG-334: SEGV
BUG-345: FAIL
BUG-350: OK
BUG-351: OK
BUG-358: SEGV
BUG-360-aiffstartwrite: OK
BUG-360-rate: OK
BUG-363: OK
BUG-367: OK
BUG-368: OK
BUG-369: OK
BUG-370: OK
CVE-2004-0557: OK
CVE-2017-11332: OK
CVE-2017-11333: OK
CVE-2017-11358: OK
CVE-2017-11359: OK
CVE-2017-15370: SUCC
CVE-2017-15371: OK
CVE-2017-15372: SUCC
CVE-2017-15642: OK
CVE-2017-18189: OK
CVE-2019-1010004: OK
CVE-2019-13590: OK
CVE-2019-8354: ABRT
CVE-2019-8355: OK
CVE-2019-8356: SUCC
CVE-2021-23159: OK
CVE-2021-23172: OK
CVE-2021-23210: OK
CVE-2021-33844: OK
CVE-2021-3643: OK
CVE-2021-40426: OK
CVE-2022-31650: OK
CVE-2022-31651: OK
CVE-2023-26590: OK
CVE-2023-32627: OK
CVE-2023-34318: OK
CVE-2023-34432: OK
The buffer overflow that could conceivably allow code injection that
Debian fails is CVE-2014-8145 - see https://codeberg.org/sox_ng/sox_ng/wiki/CVE