Bug#928098: debdiff attached
--
tiago
diff -Nru sox-14.4.2/debian/changelog sox-14.4.2+git20190427/debian/changelog
--- sox-14.4.2/debian/changelog 2017-12-18 08:55:07.000000000 -0500
+++ sox-14.4.2+git20190427/debian/changelog 2019-04-27 15:57:59.000000000 -0400
@@ -1,3 +1,10 @@
+sox (14.4.2+git20190427-1) unstable; urgency=medium
+
+ * Add patches to fix CVE-2019-8354, CVE-2019-8355, CVE-2019-8356 and
+ CVE-2019-8357. Thanks to Moritz Muehlenhoff. (Closes: #927906)
+
+ -- Tiago Bortoletto Vaz <tiago@debian.org> Sat, 27 Apr 2019 15:57:59 -0400
+
sox (14.4.2-3) unstable; urgency=medium
* Patch 0005 refreshed. (Closes: #882599)
diff -Nru sox-14.4.2/debian/control sox-14.4.2+git20190427/debian/control
--- sox-14.4.2/debian/control 2017-12-18 08:32:12.000000000 -0500
+++ sox-14.4.2+git20190427/debian/control 2019-04-27 15:52:25.000000000 -0400
@@ -1,7 +1,7 @@
Source: sox
Section: sound
Priority: optional
-Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
+Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Uploaders: Jaromír Mikeš <mira.mikes@seznam.cz>
Build-Depends: debhelper (>= 10~),
ladspa-sdk,
@@ -23,8 +23,8 @@
libvorbis-dev,
libwavpack-dev
Standards-Version: 4.1.2
-Vcs-Git: https://anonscm.debian.org/git/pkg-multimedia/sox.git
-Vcs-Browser: https://anonscm.debian.org/git/pkg-multimedia/sox.git
+Vcs-Git: https://salsa.debian.org/multimedia-team/sox.git
+Vcs-Browser: https://salsa.debian.org/multimedia-team/sox
Homepage: https://sox.sourceforge.io/
Package: sox
diff -Nru sox-14.4.2/debian/libsox3.symbols sox-14.4.2+git20190427/debian/libsox3.symbols
--- sox-14.4.2/debian/libsox3.symbols 2017-11-07 04:32:40.000000000 -0500
+++ sox-14.4.2+git20190427/debian/libsox3.symbols 2019-04-27 15:57:59.000000000 -0400
@@ -26,6 +26,7 @@
lsx_readbuf@Base 14.4.2~
lsx_readchars@Base 14.4.2~
lsx_realloc@Base 14.4.2~
+ lsx_realloc_array@Base 14.4.2~
lsx_report_impl@Base 14.4.2~
lsx_rewind@Base 14.4.2~
lsx_seeki@Base 14.4.2~
diff -Nru sox-14.4.2/debian/patches/0016-CVE-2019-8354.patch sox-14.4.2+git20190427/debian/patches/0016-CVE-2019-8354.patch
--- sox-14.4.2/debian/patches/0016-CVE-2019-8354.patch 1969-12-31 19:00:00.000000000 -0500
+++ sox-14.4.2+git20190427/debian/patches/0016-CVE-2019-8354.patch 2019-04-27 15:57:59.000000000 -0400
@@ -0,0 +1,11 @@
+--- a/src/effects_i_dsp.c
++++ b/src/effects_i_dsp.c
+@@ -357,7 +357,7 @@
+ double scale, sox_bool dc_norm)
+ {
+ int i, m = num_taps - 1;
+- double * h = malloc(num_taps * sizeof(*h)), sum = 0;
++ double * h = calloc(num_taps, sizeof(*h)), sum = 0;
+ double mult = scale / lsx_bessel_I_0(beta), mult1 = 1 / (.5 * m + rho);
+ assert(Fc >= 0 && Fc <= 1);
+ lsx_debug("make_lpf(n=%i Fc=%.7g β=%g ρ=%g dc-norm=%i scale=%g)", num_taps, Fc, beta, rho, dc_norm, scale);
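Review bot: Switching `malloc` to `calloc` closes the `num_taps * sizeof(*h)` overflow, but within this patch the result is still written to unchecked by the loop that follows (outside the hunk); an overflow-rejected or failed allocation now yields NULL instead of an undersized buffer, and only 0019-CVE-2019-8357.patch later adds `if (!h) return NULL;`. The two patches are only correct together, so consider folding that check into this one, placed directly after the declaration, so no intermediate state of the series dereferences NULL. `num_taps` is printed with `%i` and so is presumably an `int`; a negative value converts to a huge `size_t` count and fails the allocation, which the same NULL check then covers, and a comment such as `/* calloc rejects an overflowing count; NULL is handled below */` would make the intent visible. lsx_make_lpf's body continues outside the hunk.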
diff -Nru sox-14.4.2/debian/patches/0017-CVE-2019-8355.patch sox-14.4.2+git20190427/debian/patches/0017-CVE-2019-8355.patch
--- sox-14.4.2/debian/patches/0017-CVE-2019-8355.patch 1969-12-31 19:00:00.000000000 -0500
+++ sox-14.4.2+git20190427/debian/patches/0017-CVE-2019-8355.patch 2019-04-27 15:57:59.000000000 -0400
@@ -0,0 +1,46 @@
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -95,7 +95,7 @@
+
+ libsox_la_CFLAGS = @WARN_CFLAGS@
+ libsox_la_LDFLAGS = @APP_LDFLAGS@ -version-info @SHLIB_VERSION@ \
+- -export-symbols-regex '^(sox_.*|lsx_(([cm]|re)alloc|check_read_params|(close|open)_dllibrary|(debug(_more|_most)?|fail|report|warn)_impl|eof|error|fail_errno|filelength|find_(enum_(text|value)|file_extension)|flush|getopt(_init)?|id3_read_tag|lpc10_(create_(de|en)coder_state|(de|en)code)|raw(read|write)|read(_b_buf|buf|chars)|rewind|seeki|sigfigs3p?|strcasecmp|strdup|tell|unreadb|write(b|_b_buf|buf|s)))$$'
++ -export-symbols-regex '^(sox_.*|lsx_(([cm]|re)alloc.*|check_read_params|(close|open)_dllibrary|(debug(_more|_most)?|fail|report|warn)_impl|eof|error|fail_errno|filelength|find_(enum_(text|value)|file_extension)|flush|getopt(_init)?|lpc10_(create_(de|en)coder_state|(de|en)code)|raw(read|write)|read(_b_buf|buf|chars)|rewind|seeki|sigfigs3p?|strcasecmp|strdup|tell|unreadb|write(b|_b_buf|buf|s)))$$'
+
+ if HAVE_WIN32_LTDL
+ libsox_la_SOURCES += win32-ltdl.c win32-ltdl.h
+--- a/src/xmalloc.c
++++ b/src/xmalloc.c
+@@ -41,3 +41,13 @@
+
+ return ptr;
+ }
++
++void *lsx_realloc_array(void *p, size_t n, size_t size)
++{
++ if (n > (size_t)-1 / size) {
++ lsx_fail("malloc size overflow");
++ exit(2);
++ }
++
++ return lsx_realloc(p, n * size);
++}
+--- a/src/xmalloc.h
++++ b/src/xmalloc.h
+@@ -23,12 +23,14 @@
+ #include <stddef.h>
+ #include <string.h>
+
++LSX_RETURN_VALID void *lsx_realloc_array(void *p, size_t n, size_t size);
++
+ #define lsx_malloc(size) lsx_realloc(NULL, (size))
+ #define lsx_calloc(n,s) (((n)*(s))? memset(lsx_malloc((n)*(s)),0,(n)*(s)) : NULL)
+ #define lsx_Calloc(v,n) v = lsx_calloc(n,sizeof(*(v)))
+ #define lsx_strdup(p) ((p)? strcpy((char *)lsx_malloc(strlen(p) + 1), p) : NULL)
+ #define lsx_memdup(p,s) ((p)? memcpy(lsx_malloc(s), p, s) : NULL)
+-#define lsx_valloc(v,n) v = lsx_malloc((n)*sizeof(*(v)))
+-#define lsx_revalloc(v,n) v = lsx_realloc(v, (n)*sizeof(*(v)))
++#define lsx_valloc(v,n) v = lsx_realloc_array(NULL, n, sizeof(*(v)))
++#define lsx_revalloc(v,n) v = lsx_realloc_array(v, n, sizeof(*(v)))
+
+ #endif
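Review bot: The new `-export-symbols-regex` line drops `id3_read_tag` from the alternation (the old line has `getopt(_init)?|id3_read_tag|lpc10_`, the new one `getopt(_init)?|lpc10_`), which is unrelated to the CVE fix and means lsx_id3_read_tag would no longer be exported from libsox; if a format module resolves it at load time this is a regression, and debian/libsox3.symbols in this debdiff only adds lsx_realloc_array without recording such a removal, so the symbols check would likely flag it too. Restore `|id3_read_tag` in the regex unless the removal is intentional and documented. Separately, lsx_realloc_array is now a public entry point and `n > (size_t)-1 / size` divides by zero when `size` is 0; the in-tree macros always pass `sizeof(*(v))`, but an external caller can pass 0, so guard it with `if (size && n > (size_t)-1 / size)`. The `lsx_calloc` macro still computes `(n)*(s)` unchecked, so the overflow this patch fixes for lsx_valloc/lsx_revalloc remains reachable through lsx_calloc/lsx_Calloc.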
diff -Nru sox-14.4.2/debian/patches/0018-CVE-2019-8356.patch sox-14.4.2+git20190427/debian/patches/0018-CVE-2019-8356.patch
--- sox-14.4.2/debian/patches/0018-CVE-2019-8356.patch 1969-12-31 19:00:00.000000000 -0500
+++ sox-14.4.2+git20190427/debian/patches/0018-CVE-2019-8356.patch 2019-04-27 15:57:59.000000000 -0400
@@ -0,0 +1,73 @@
+--- a/src/fft4g.c
++++ b/src/fft4g.c
+@@ -322,6 +322,9 @@
+
+ void cdft(int n, int isgn, double *a, int *ip, double *w)
+ {
++ if (n > FFT4G_MAX_SIZE)
++ return;
++
+ if (n > (ip[0] << 2)) {
+ makewt(n >> 2, ip, w);
+ }
+@@ -344,6 +347,9 @@
+ int nw, nc;
+ double xi;
+
++ if (n > FFT4G_MAX_SIZE)
++ return;
++
+ nw = ip[0];
+ if (n > (nw << 2)) {
+ nw = n >> 2;
+@@ -384,6 +390,9 @@
+ int j, nw, nc;
+ double xr;
+
++ if (n > FFT4G_MAX_SIZE)
++ return;
++
+ nw = ip[0];
+ if (n > (nw << 2)) {
+ nw = n >> 2;
+@@ -435,6 +444,9 @@
+ int j, nw, nc;
+ double xr;
+
++ if (n > FFT4G_MAX_SIZE)
++ return;
++
+ nw = ip[0];
+ if (n > (nw << 2)) {
+ nw = n >> 2;
+@@ -486,6 +498,9 @@
+ int j, k, l, m, mh, nw, nc;
+ double xr, xi, yr, yi;
+
++ if (n > FFT4G_MAX_SIZE)
++ return;
++
+ nw = ip[0];
+ if (n > (nw << 3)) {
+ nw = n >> 3;
+@@ -576,6 +591,9 @@
+ int j, k, l, m, mh, nw, nc;
+ double xr, xi, yr, yi;
+
++ if (n > FFT4G_MAX_SIZE)
++ return;
++
+ nw = ip[0];
+ if (n > (nw << 3)) {
+ nw = n >> 3;
+--- a/src/fft4g.h
++++ b/src/fft4g.h
+@@ -13,6 +13,8 @@
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
++#define FFT4G_MAX_SIZE 262144
++
+ void lsx_cdft(int, int, double *, int *, double *);
+ void lsx_rdft(int, int, double *, int *, double *);
+ void lsx_ddct(int, int, double *, int *, double *);
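Review bot: The added `if (n > FFT4G_MAX_SIZE) return;` guards in cdft, rdft, ddct, ddst, dfct and dfst return silently, so a caller requesting a transform above the limit gets its buffer `a` back untouched with no error indication and will go on to consume data that was never transformed; the rejection should be reported (for example through lsx_fail, or an assert in debug builds) or enforced in the lsx_* wrappers rather than dropped. FFT4G_MAX_SIZE is introduced as a bare magic number in fft4g.h; give it a comment explaining why 262144 is the bound, e.g. `/* largest n the transforms accept; larger requests are rejected (reason: <to be documented>) */`, since the rationale is not visible in this patch. The guards also do nothing for n <= 0, which the `n >> 2` arithmetic visible in the hunks presumably does not expect, so confirm that callers already validate that. All six functions continue outside their hunks.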
diff -Nru sox-14.4.2/debian/patches/0019-CVE-2019-8357.patch sox-14.4.2+git20190427/debian/patches/0019-CVE-2019-8357.patch
--- sox-14.4.2/debian/patches/0019-CVE-2019-8357.patch 1969-12-31 19:00:00.000000000 -0500
+++ sox-14.4.2+git20190427/debian/patches/0019-CVE-2019-8357.patch 2019-04-27 15:57:59.000000000 -0400
@@ -0,0 +1,12 @@
+--- a/src/effects_i_dsp.c
++++ b/src/effects_i_dsp.c
+@@ -362,6 +362,9 @@
+ assert(Fc >= 0 && Fc <= 1);
+ lsx_debug("make_lpf(n=%i Fc=%.7g β=%g ρ=%g dc-norm=%i scale=%g)", num_taps, Fc, beta, rho, dc_norm, scale);
+
++ if (!h)
++ return NULL;
++
+ for (i = 0; i <= m / 2; ++i) {
+ double z = i - .5 * m, x = z * M_PI, y = z * mult1;
+ h[i] = x? sin(Fc * x) / x : Fc;
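Review bot: The added `if (!h) return NULL;` makes lsx_make_lpf return NULL on allocation failure, but nothing in this debdiff shows the callers of lsx_make_lpf being updated to handle a NULL return, so the dereference may simply have moved up one frame; each call site (outside this hunk) should be checked. The check also sits after the assert and the lsx_debug line rather than directly after the allocation, which is harmless but reads as if the debug output were meaningful for a failed allocation; moving it up next to the declaration in 0016-CVE-2019-8354.patch would be cleaner. The function continues outside the hunk.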
diff -Nru sox-14.4.2/debian/patches/series sox-14.4.2+git20190427/debian/patches/series
--- sox-14.4.2/debian/patches/series 2017-11-24 10:35:49.000000000 -0500
+++ sox-14.4.2+git20190427/debian/patches/series 2019-04-27 15:57:59.000000000 -0400
@@ -11,3 +11,7 @@
0013-CVE-2017-15372.patch
0014-CVE-2017-15642.patch
0015-Handle-vorbis_analysis_headerout-errors.patch
+0016-CVE-2019-8354.patch
+0017-CVE-2019-8355.patch
+0018-CVE-2019-8356.patch
+0019-CVE-2019-8357.patch