sox: patch CVE-2021-3643 and CVE-2021-23210

Use patch from Debian: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2021-3643.patch Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: Peter Marko <peter.marko@siemens.com> 2025-03-16 23:53:51 +0100
committer: Khem Raj <raj.khem@gmail.com> 2025-03-16 16:34:59 -0700
commit: d7ba0e6cd91669dfdfde3cb784f2447295add7e5 (patch)
tree: ab0b96cf8f4704df6ebd2525de8d26f8b7b4257e /meta-multimedia
parent: afb0d8d2c6131b413dbf77530b219213b1a0efa1 (diff)
download: meta-openembedded-d7ba0e6cd91669dfdfde3cb784f2447295add7e5.tar.gz
2 files changed, 31 insertions, 0 deletions
diff --git a/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-3643_CVE-2021-23210.patch b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-3643_CVE-2021-23210.patch
new file mode 100644
index 0000000000..f58d2fd774
--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-3643_CVE-2021-23210.patch
@@ -0,0 +1,30 @@
+From 5b9a7c0fc7054b4f16a5058eef721470e9adcfcc Mon Sep 17 00:00:00 2001
+From: Helmut Grohne <helmut@subdivi.de>
+Date: Sun, 16 Mar 2025 21:16:40 +0100
+Subject: [PATCH] voc: word width should never be 0 to avoid division by zero
+Source: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2021-3643.patch
+CVE: CVE-2021-3643
+CVE: CVE-2021-23210
+Upstream-Status: Inactive-Upstream [lastrelease: 2015]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/voc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/src/voc.c b/src/voc.c
+index a75639e9..0ca07f94 100644
+--- a/src/voc.c
+++ b/src/voc.c
+@@ -625,6 +625,10 @@ static int getblock(sox_format_t * ft)
+         v->rate = new_rate_32;
+         ft->signal.rate = new_rate_32;
+         lsx_readb(ft, &uc);
+        if (uc <= 1) {
+          lsx_fail_errno(ft, SOX_EFMT, "2 bits per word required");
+          return (SOX_EOF);
+        }
+         v->size = uc;
+         lsx_readb(ft, &uc);
+         if (v->channels != -1 && uc != v->channels) {
diff --git a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb
index e8294a05af..a87f4de131 100644
--- a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb
+++ b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb
@@ -29,6 +29,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.GPL;md5=751419260aa954499f7abaabaa882bbe \
 SRC_URI = "git://git.code.sf.net/p/sox/code;protocol=https;branch=master \
           file://0001-remove-the-error-line-and-live-without-file-type-det.patch \
+           file://CVE-2021-3643_CVE-2021-23210.patch \
           "
 # last release was in 2015, use latest hash from 2024-05-30
author	Peter Marko <peter.marko@siemens.com>	2025-03-16 23:53:51 +0100
committer	Khem Raj <raj.khem@gmail.com>	2025-03-16 16:34:59 -0700
commit	d7ba0e6cd91669dfdfde3cb784f2447295add7e5 (patch)
tree	ab0b96cf8f4704df6ebd2525de8d26f8b7b4257e /meta-multimedia
parent	afb0d8d2c6131b413dbf77530b219213b1a0efa1 (diff)
download	meta-openembedded-d7ba0e6cd91669dfdfde3cb784f2447295add7e5.tar.gz

diff --git a/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-3643_CVE-2021-23210.patch b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-3643_CVE-2021-23210.patch new file mode 100644 index 0000000000..f58d2fd774 --- /dev/null +++ b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-3643_CVE-2021-23210.patch
@@ -0,0 +1,30 @@
		1	From 5b9a7c0fc7054b4f16a5058eef721470e9adcfcc Mon Sep 17 00:00:00 2001
		2	From: Helmut Grohne <helmut@subdivi.de>
		3	Date: Sun, 16 Mar 2025 21:16:40 +0100
		4	Subject: [PATCH] voc: word width should never be 0 to avoid division by zero
		5
		6	Source: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2021-3643.patch
		7
		8	CVE: CVE-2021-3643
		9	CVE: CVE-2021-23210
		10	Upstream-Status: Inactive-Upstream [lastrelease: 2015]
		11	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		12	---
		13	src/voc.c \| 4 ++++
		14	1 file changed, 4 insertions(+)
		15
		16	diff --git a/src/voc.c b/src/voc.c
		17	index a75639e9..0ca07f94 100644
		18	--- a/src/voc.c
		19	+++ b/src/voc.c
		20	@@ -625,6 +625,10 @@ static int getblock(sox_format_t * ft)
		21	v->rate = new_rate_32;
		22	ft->signal.rate = new_rate_32;
		23	lsx_readb(ft, &uc);
		24	+ if (uc <= 1) {
		25	+ lsx_fail_errno(ft, SOX_EFMT, "2 bits per word required");
		26	+ return (SOX_EOF);
		27	+ }
		28	v->size = uc;
		29	lsx_readb(ft, &uc);
		30	if (v->channels != -1 && uc != v->channels) {


diff --git a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb index e8294a05af..a87f4de131 100644 --- a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb +++ b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb
@@ -29,6 +29,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.GPL;md5=751419260aa954499f7abaabaa882bbe \
29		29
30	SRC_URI = "git://git.code.sf.net/p/sox/code;protocol=https;branch=master \	30	SRC_URI = "git://git.code.sf.net/p/sox/code;protocol=https;branch=master \
31	file://0001-remove-the-error-line-and-live-without-file-type-det.patch \	31	file://0001-remove-the-error-line-and-live-without-file-type-det.patch \
		32	file://CVE-2021-3643_CVE-2021-23210.patch \
32	"	33	"
33		34
34	# last release was in 2015, use latest hash from 2024-05-30	35	# last release was in 2015, use latest hash from 2024-05-30