11 files changed, 300 insertions, 84 deletions

diff --git a/meta-multimedia/recipes-multimedia/sox/sox/0001-Update-exported-symbol-list.patch b/meta-multimedia/recipes-multimedia/sox/sox/0001-Update-exported-symbol-list.patch
deleted file mode 100644
index 44c6b19be0..0000000000
--- a/meta-multimedia/recipes-multimedia/sox/sox/0001-Update-exported-symbol-list.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From b1809d82031aa7c5bcaad58bcb4b59e082e0446e Mon Sep 17 00:00:00 2001
-From: Mans Rullgard <mans@mansr.com>
-Date: Sun, 5 Nov 2017 15:40:16 +0000
-Subject: [PATCH] Update exported symbol list
-
-commit 5c58413544 ("Don't export (most) internal libsox symbols")
-breaks dynamic flac builds as flac.c references lsx.error, so add it
-to the list of exceptions.
-
-| .libs/flac.o: In function `decoder_read_callback':
-| /usr/src/debug/sox/14.4.2-r0/sox-14.4.2/src/flac.c:63: undefined reference to `lsx_error'
-
-Upstream-Status: Backport [https://bogomips.org/sox.git ("pu" branch)]
-
----
- src/Makefile.am | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/Makefile.am b/src/Makefile.am
-index 7cceaafd..a3a04ed1 100644
---- a/src/Makefile.am
-+++ b/src/Makefile.am
-@@ -95,7 +95,7 @@ libsox_la_LIBADD += @GOMP_LIBS@
- 
- libsox_la_CFLAGS = @WARN_CFLAGS@
- libsox_la_LDFLAGS = @APP_LDFLAGS@ -version-info @SHLIB_VERSION@ \
--  -export-symbols-regex '^(sox_.*|lsx_(check_read_params|(close|open)_dllibrary|(debug(_more|_most)?|fail|report|warn)_impl|eof|fail_errno|filelength|find_(enum_(text|value)|file_extension)|getopt(_init)?|lpc10_(create_(de|en)coder_state|(de|en)code)|raw(read|write)|read(_b_buf|buf|chars)|realloc|rewind|seeki|sigfigs3p?|strcasecmp|tell|unreadb|write(b|_b_buf|buf|s)))$$'
-+  -export-symbols-regex '^(sox_.*|lsx_(([cm]|re)alloc|check_read_params|(close|open)_dllibrary|(debug(_more|_most)?|fail|report|warn)_impl|eof|error|fail_errno|filelength|find_(enum_(text|value)|file_extension)|flush|getopt(_init)?|id3_read_tag|lpc10_(create_(de|en)coder_state|(de|en)code)|raw(read|write)|read(_b_buf|buf|chars)|rewind|seeki|sigfigs3p?|strcasecmp|strdup|tell|unreadb|write(b|_b_buf|buf|s)))$$'
- 
- if HAVE_WIN32_LTDL
-   libsox_la_SOURCES += win32-ltdl.c win32-ltdl.h
--- 
-2.16.2
-
diff --git a/meta-multimedia/recipes-multimedia/sox/sox/0001-remove-the-error-line-and-live-without-file-type-det.patch b/meta-multimedia/recipes-multimedia/sox/sox/0001-remove-the-error-line-and-live-without-file-type-det.patch
index 3085bd495c..15c429e515 100644
--- a/meta-multimedia/recipes-multimedia/sox/sox/0001-remove-the-error-line-and-live-without-file-type-det.patch
+++ b/meta-multimedia/recipes-multimedia/sox/sox/0001-remove-the-error-line-and-live-without-file-type-det.patch
@@ -15,7 +15,7 @@ diff --git a/src/formats.c b/src/formats.c
 index 724a4cda..f683a922 100644
 --- a/src/formats.c
 +++ b/src/formats.c
-@@ -422,7 +422,6 @@ static void UNUSED rewind_pipe(FILE * fp)
+@@ -477,7 +477,6 @@ static void UNUSED rewind_pipe(FILE * fp)
    /* To fix this #error, either simply remove the #error line and live without
     * file-type detection with pipes, or add support for your compiler in the
     * lines above.  Test with cat monkey.wav | ./sox --info - */
diff --git a/meta-multimedia/recipes-multimedia/sox/sox/0001-tests-Include-math.h-for-fabs-definition.patch b/meta-multimedia/recipes-multimedia/sox/sox/0001-tests-Include-math.h-for-fabs-definition.patch
deleted file mode 100644
index 5f9135a0ee..0000000000
--- a/meta-multimedia/recipes-multimedia/sox/sox/0001-tests-Include-math.h-for-fabs-definition.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From afe336ab63ff9b64ef759255de6b03b897dc4453 Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Sun, 19 May 2024 09:09:46 -0700
-Subject: [PATCH] tests: Include math.h for fabs() definition
-
-Fixes build with gcc-14
-
-../../sox-14.4.2/src/sox_sample_test.h:190:3: error: implicit declaration of function 'fabs' [-Wimplicit-function-declaration]
-  190 |   assert(fabs(d - 1) < 1e-9 && clips == 0);
-      |   ^~~~~~
-      ../../sox-14.4.2/src/sox_sample_test.h:23:1: note: include '<math.h>' or provide a declaration of 'fabs'
-
-Upstream-Status: Pending
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
- src/sox_sample_test.h | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/sox_sample_test.h b/src/sox_sample_test.h
-index 62b55e4..17f0069 100644
---- a/src/sox_sample_test.h
-+++ b/src/sox_sample_test.h
-@@ -19,6 +19,7 @@
- #undef NDEBUG /* Must undef above assert.h or other that might include it. */
- #endif
- #include <assert.h>
-+#include <math.h>
- #include "sox.h"
- 
- #define TEST_UINT(bits) \
--- 
-2.45.1
-
diff --git a/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-23159_CVE-2021-2317.patch b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-23159_CVE-2021-2317.patch
new file mode 100644
index 0000000000..df27cbcd65
--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-23159_CVE-2021-2317.patch
@@ -0,0 +1,32 @@
+From 8eb3afb37f80d7231a998e3074e6fc5f7bdfe4d5 Mon Sep 17 00:00:00 2001
+From: Helmut Grohne <helmut@subdivi.de>
+Date: Sun, 16 Mar 2025 20:28:15 +0100
+Subject: [PATCH] hcom: validate dictsize
+
+Source: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2021-23159.patch
+
+CVE: CVE-2021-23159
+CVE: CVE-2021-23172
+CVE: CVE-2023-34432
+Upstream-Status: Inactive-Upstream [lastrelease: 2015]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/hcom.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/hcom.c b/src/hcom.c
+index 594c8706..9e8b03c6 100644
+--- a/src/hcom.c
++++ b/src/hcom.c
+@@ -141,6 +141,11 @@ static int startread(sox_format_t * ft)
+                 return (SOX_EOF);
+         }
+         lsx_readw(ft, &dictsize);
++        if (dictsize == 0 || dictsize > 511)
++        {
++                lsx_fail_errno(ft, SOX_EHDR, "Implausible dictionary size in HCOM header");
++                return SOX_EOF;
++        }
+ 
+         /* Translate to sox parameters */
+         ft->encoding.encoding = SOX_ENCODING_HCOM;
diff --git a/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-33844.patch b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-33844.patch
new file mode 100644
index 0000000000..02c3edb35d
--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-33844.patch
@@ -0,0 +1,40 @@
+From f2597e433afeee8ab00cf6368ec8519df34aa031 Mon Sep 17 00:00:00 2001
+From: Helmut Grohne <helmut@subdivi.de>
+Date: Sun, 16 Mar 2025 23:19:43 +0100
+Subject: [PATCH] wav: reject 0 bits per sample to avoid division by zero
+
+Source: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2021-33844.patch
+
+CVE: CVE-2021-33844
+Upstream-Status: Inactive-Upstream [lastrelease: 2015]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/testall.sh | 1 +
+ src/wav.c      | 5 +++++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/src/testall.sh b/src/testall.sh
+index e7398377..e1454c21 100755
+--- a/src/testall.sh
++++ b/src/testall.sh
+@@ -67,3 +67,4 @@ t voc
+ t vox -r 8130
+ t wav
+ t wve
++t wav -e gsm-full-rate
+diff --git a/src/wav.c b/src/wav.c
+index 3f6beb45..16f0bff8 100644
+--- a/src/wav.c
++++ b/src/wav.c
+@@ -963,6 +963,11 @@ static int startread(sox_format_t *ft)
+ #endif
+     }
+ 
++    if (ft->encoding.bits_per_sample == 0)
++    {
++        lsx_fail_errno(ft, SOX_EHDR, "WAV file bits per sample is zero");
++        return SOX_EOF;
++    }
+     if (!wav->numSamples)
+         wav->numSamples = div_bits(qwDataLength, ft->encoding.bits_per_sample)
+             / ft->signal.channels;
diff --git a/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-3643_CVE-2021-23210.patch b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-3643_CVE-2021-23210.patch
new file mode 100644
index 0000000000..f58d2fd774
--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-3643_CVE-2021-23210.patch
@@ -0,0 +1,30 @@
+From 5b9a7c0fc7054b4f16a5058eef721470e9adcfcc Mon Sep 17 00:00:00 2001
+From: Helmut Grohne <helmut@subdivi.de>
+Date: Sun, 16 Mar 2025 21:16:40 +0100
+Subject: [PATCH] voc: word width should never be 0 to avoid division by zero
+
+Source: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2021-3643.patch
+
+CVE: CVE-2021-3643
+CVE: CVE-2021-23210
+Upstream-Status: Inactive-Upstream [lastrelease: 2015]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/voc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/voc.c b/src/voc.c
+index a75639e9..0ca07f94 100644
+--- a/src/voc.c
++++ b/src/voc.c
+@@ -625,6 +625,10 @@ static int getblock(sox_format_t * ft)
+         v->rate = new_rate_32;
+         ft->signal.rate = new_rate_32;
+         lsx_readb(ft, &uc);
++        if (uc <= 1) {
++          lsx_fail_errno(ft, SOX_EFMT, "2 bits per word required");
++          return (SOX_EOF);
++        }
+         v->size = uc;
+         lsx_readb(ft, &uc);
+         if (v->channels != -1 && uc != v->channels) {
diff --git a/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-40426.patch b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-40426.patch
new file mode 100644
index 0000000000..9e505a03a7
--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2021-40426.patch
@@ -0,0 +1,38 @@
+From 25f686e0da423326a74fe16c603b6b6b75857fa4 Mon Sep 17 00:00:00 2001
+From: Helmut Grohne <helmut@subdivi.de>
+Date: Sun, 16 Mar 2025 20:07:19 +0100
+Subject: [PATCH] sphere: avoid integer underflow
+
+Source: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2021-40426.patch
+
+CVE: CVE-2021-40426
+Upstream-Status: Inactive-Upstream [lastrelease: 2015]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/sphere.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/sphere.c b/src/sphere.c
+index a3fd1c64..9544d160 100644
+--- a/src/sphere.c
++++ b/src/sphere.c
+@@ -63,7 +63,8 @@ static int start_read(sox_format_t * ft)
+     return (SOX_EOF);
+   }
+ 
+-  header_size -= (strlen(buf) + 1);
++  bytes_read = strlen(buf);
++  header_size -= bytes_read >= header_size ? header_size : bytes_read + 1;
+ 
+   while (strncmp(buf, "end_head", (size_t)8) != 0) {
+     if (strncmp(buf, "sample_n_bytes", (size_t)14) == 0)
+@@ -105,7 +106,8 @@ static int start_read(sox_format_t * ft)
+       return (SOX_EOF);
+     }
+ 
+-    header_size -= (strlen(buf) + 1);
++    bytes_read = strlen(buf);
++    header_size -= bytes_read >= header_size ? header_size : bytes_read + 1;
+   }
+ 
+   if (!bytes_per_sample)
diff --git a/meta-multimedia/recipes-multimedia/sox/sox/CVE-2022-31650.patch b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2022-31650.patch
new file mode 100644
index 0000000000..41baad0e27
--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2022-31650.patch
@@ -0,0 +1,60 @@
+From 3a8e783c58499bb52052c671b9161c43e011a508 Mon Sep 17 00:00:00 2001
+From: Helmut Grohne <helmut@subdivi.de>
+Date: Sun, 16 Mar 2025 20:08:04 +0100
+Subject: [PATCH] formats+aiff: reject implausibly large number of channels
+
+Source: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2022-31650.patch
+
+CVE: CVE-2022-31650
+Upstream-Status: Inactive-Upstream [lastrelease: 2015]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/aiff.c      |  5 +++++
+ src/formats_i.c | 10 ++++++++--
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/src/aiff.c b/src/aiff.c
+index 3a152c58..6de94f32 100644
+--- a/src/aiff.c
++++ b/src/aiff.c
+@@ -619,6 +619,11 @@ int lsx_aiffstartwrite(sox_format_t * ft)
+            At 48 kHz, 16 bits stereo, this gives ~3 hours of audio.
+            Sorry, the AIFF format does not provide for an indefinite
+            number of samples. */
++        if (ft->signal.channels >= (0x7f000000 / (ft->encoding.bits_per_sample >> 3)))
++        {
++                lsx_fail_errno(ft, SOX_EOF, "too many channels for AIFF header");
++                return SOX_EOF;
++        }
+         return(aiffwriteheader(ft, (uint64_t) 0x7f000000 / ((ft->encoding.bits_per_sample>>3)*ft->signal.channels)));
+ }
+ 
+diff --git a/src/formats_i.c b/src/formats_i.c
+index 7048040d..6a7c27e3 100644
+--- a/src/formats_i.c
++++ b/src/formats_i.c
+@@ -19,6 +19,7 @@
+  */
+ 
+ #include "sox_i.h"
++#include <limits.h>
+ #include <string.h>
+ #include <sys/stat.h>
+ #include <stdarg.h>
+@@ -60,9 +61,14 @@ int lsx_check_read_params(sox_format_t * ft, unsigned channels,
+   if (ft->seekable)
+     ft->data_start = lsx_tell(ft);
+ 
+-  if (channels && ft->signal.channels && ft->signal.channels != channels)
++  if (channels && ft->signal.channels && ft->signal.channels != channels) {
+     lsx_warn("`%s': overriding number of channels", ft->filename);
+-  else ft->signal.channels = channels;
++  } else if (channels > SHRT_MAX) {
++    lsx_fail_errno(ft, EINVAL, "implausibly large number of channels");
++    return SOX_EOF;
++  } else {
++    ft->signal.channels = channels;
++  }
+ 
+   if (rate && ft->signal.rate && ft->signal.rate != rate)
+     lsx_warn("`%s': overriding sample rate", ft->filename);
diff --git a/meta-multimedia/recipes-multimedia/sox/sox/CVE-2022-31651.patch b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2022-31651.patch
new file mode 100644
index 0000000000..853a69d210
--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2022-31651.patch
@@ -0,0 +1,36 @@
+From db9641ce748bdfb465fdfa9b7794de2f8da0a249 Mon Sep 17 00:00:00 2001
+From: Helmut Grohne <helmut@subdivi.de>
+Date: Sun, 16 Mar 2025 20:08:13 +0100
+Subject: [PATCH] formats: reject implausible rate
+
+Source: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/CVE-2022-31651.patch
+
+CVE: CVE-2022-31651
+Upstream-Status: Inactive-Upstream [lastrelease: 2015]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/formats_i.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/formats_i.c b/src/formats_i.c
+index 6a7c27e3..5f5ef979 100644
+--- a/src/formats_i.c
++++ b/src/formats_i.c
+@@ -70,9 +70,15 @@ int lsx_check_read_params(sox_format_t * ft, unsigned channels,
+     ft->signal.channels = channels;
+   }
+ 
+-  if (rate && ft->signal.rate && ft->signal.rate != rate)
++  if (rate && ft->signal.rate && ft->signal.rate != rate) {
+     lsx_warn("`%s': overriding sample rate", ft->filename);
+-  else ft->signal.rate = rate;
++  /* Since NaN comparisons yield false, the negation rejects them. */
++  } else if (!(rate > 0)) {
++    lsx_fail_errno(ft, EINVAL, "invalid rate value");
++    return SOX_EOF;
++  } else {
++    ft->signal.rate = rate;
++  }
+ 
+   if (encoding && ft->encoding.encoding && ft->encoding.encoding != encoding)
+     lsx_warn("`%s': overriding encoding type", ft->filename);
diff --git a/meta-multimedia/recipes-multimedia/sox/sox/CVE-2023-32627.patch b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2023-32627.patch
new file mode 100644
index 0000000000..b4e9994eab
--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2023-32627.patch
@@ -0,0 +1,30 @@
+From b0b7e7fa7a48485c4d6b0ae64bfddedd519716f5 Mon Sep 17 00:00:00 2001
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca@debian.org>
+Date: Sun, 16 Mar 2025 23:25:15 +0100
+Subject: [PATCH] CVE-2023-32627 Filter null sampling rate in VOC coder
+
+Source: https://salsa.debian.org/lts-team/packages/sox/-/blob/debian/14.4.2+git20190427-1+deb10u3/debian/patches/0028-CVE-2023-32627-Filter-null-sampling-rate-in-VOC-code.patch
+
+CVE: CVE-2023-32627
+Upstream-Status: Inactive-Upstream [lastrelease: 2015]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/voc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/voc.c b/src/voc.c
+index 0ca07f94..d8b982c5 100644
+--- a/src/voc.c
++++ b/src/voc.c
+@@ -353,6 +353,11 @@ static size_t read_samples(sox_format_t * ft, sox_sample_t * buf,
+             v->block_remaining = 0;
+             return done;
+           }
++          if(uc == 0) {
++            lsx_fail_errno(ft, EINVAL, "invalid rate value");
++            v->block_remaining = 0;
++            return done;
++          }
+           *buf = SOX_UNSIGNED_8BIT_TO_SAMPLE(uc,);
+           lsx_adpcm_init(&v->adpcm, 6 - v->size, SOX_SAMPLE_TO_SIGNED_16BIT(*buf, ft->clips));
+           ++buf;
diff --git a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb
index 800fcad2c9..90a7a85df8 100644
--- a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb
+++ b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb
@@ -1,39 +1,56 @@
-DESCRIPTION="SoX is the Swiss Army knife of sound processing tools. \
+DESCRIPTION = "SoX is the Swiss Army knife of sound processing tools. \
 It converts audio files among various standard audio file formats \
 and can apply different effects and filters to the audio data."
 HOMEPAGE = "http://sox.sourceforge.net"
 SECTION = "audio"
 
-DEPENDS = "libpng libsndfile1 libtool"
+DEPENDS = "autoconf-archive-native libpng libsndfile1 libtool"
 
 PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'alsa pulseaudio', d)} \
                    magic \
 "
-PACKAGECONFIG[pulseaudio] = "--with-pulseaudio=dyn,--with-pulseaudio=no,pulseaudio,"
-PACKAGECONFIG[alsa] = "--with-alsa=dyn,--with-alsa=no,alsa-lib,"
-PACKAGECONFIG[wavpack] = "--with-wavpack=dyn,--with-wavpack=no,wavpack,"
-PACKAGECONFIG[flac] = "--with-flac=dyn,--with-flac=no,flac,"
-PACKAGECONFIG[amrwb] = "--with-amrwb=dyn,--with-amrwb=no,opencore-amr,"
-PACKAGECONFIG[amrnb] = "--with-amrnb=dyn,--with-amrnb=no,opencore-amr,"
-PACKAGECONFIG[oggvorbis] = "--with-oggvorbis=dyn,--with-oggvorbis=no,libvorbis"
-PACKAGECONFIG[opus] = "--with-opus=dyn,--with-opus=no,opusfile"
+PACKAGECONFIG[pulseaudio] = "--enable-pulseaudio=dyn,--disable-pulseaudio,pulseaudio,"
+PACKAGECONFIG[alsa] = "--enable-alsa=dyn,--disable-alsa,alsa-lib,"
+PACKAGECONFIG[wavpack] = "--enable-wavpack=dyn,--disable-wavpack,wavpack,"
+PACKAGECONFIG[flac] = "--enable-flac=dyn,--disable-flac,flac,"
+PACKAGECONFIG[amrwb] = "--enable-amrwb=dyn,--disable-amrwb,opencore-amr,"
+PACKAGECONFIG[amrnb] = "--enable-amrnb=dyn,--disable-amrnb,opencore-amr,"
+PACKAGECONFIG[oggvorbis] = "--enable-oggvorbis=dyn,--disable-oggvorbis,libvorbis"
+PACKAGECONFIG[opus] = "--enable-opus=dyn,--disable-opus,opusfile"
 PACKAGECONFIG[magic] = "--with-magic,--without-magic,file,"
 PACKAGECONFIG[mad] = "--with-mad,--without-mad,libmad,"
 PACKAGECONFIG[id3tag] = "--with-id3tag,--without-id3tag,libid3tag,"
 PACKAGECONFIG[lame] = "--with-lame,--without-lame,lame,"
-PACKAGECONFIG[ao] = "--with-ao,--without-ao,libao,"
+PACKAGECONFIG[ao] = "--enable-ao,--disable-ao,libao,"
 
 LICENSE = "GPL-2.0-only & LGPL-2.1-only"
 LIC_FILES_CHKSUM = "file://LICENSE.GPL;md5=751419260aa954499f7abaabaa882bbe \
                     file://LICENSE.LGPL;md5=fbc093901857fcd118f065f900982c24"
 
-SRC_URI = "${SOURCEFORGE_MIRROR}/sox/sox-${PV}.tar.gz \
+SRC_URI = "git://git.code.sf.net/p/sox/code;protocol=https;branch=master \
            file://0001-remove-the-error-line-and-live-without-file-type-det.patch \
-           file://0001-Update-exported-symbol-list.patch \
-           file://0001-tests-Include-math.h-for-fabs-definition.patch \
+           file://CVE-2021-3643_CVE-2021-23210.patch \
+           file://CVE-2021-23159_CVE-2021-2317.patch \
+           file://CVE-2021-33844.patch \
+           file://CVE-2021-40426.patch \
+           file://CVE-2022-31650.patch \
+           file://CVE-2022-31651.patch \
+           file://CVE-2023-32627.patch \
            "
-SRC_URI[md5sum] = "d04fba2d9245e661f245de0577f48a33"
-SRC_URI[sha256sum] = "b45f598643ffbd8e363ff24d61166ccec4836fea6d3888881b8df53e3bb55f6c"
+
+# last release was in 2015, use latest hash from 2024-05-30
+PV .= "+git"
+SRCREV = "f3094754a7c2a7e55c35621d20fa9945736e72df"
+
+CVE_PRODUCT:append = " libsox_project:libsox sound_exchange_project:sound_exchange"
+
+CVE_STATUS_GROUPS += "CVE_STATUS_HASH_UPDATE"
+CVE_STATUS_HASH_UPDATE = " \
+    CVE-2017-11332 CVE-2017-11358 CVE-2017-11359 CVE-2017-15370 CVE-2017-15371 \
+    CVE-2017-15372 CVE-2017-15642 CVE-2017-18189 CVE-2019-13590 CVE-2019-8354 \
+    CVE-2019-8355 CVE-2019-8356 CVE-2019-8357 CVE-2019-1010004 \
+"
+CVE_STATUS_HASH_UPDATE[status] = "fixed-version: patched in current git hash"
 
 inherit autotools pkgconfig