[Git][security-tracker-team/security-tracker][master] issue DLA-3315-1 for sox
Helmut Grohne (@helmutg)
helmutg at debian.org
Fri Feb 10 06:09:39 GMT 2023
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker
Commits:
729130df by Helmut Grohne at 2023-02-10T07:08:51+01:00
issue DLA-3315-1 for sox
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -59461,15 +59461,11 @@ CVE-2022-31652
CVE-2022-31651 (In SoX 14.4.2, there is an assertion failure in rate_init in rate.c in ...)
- sox 14.4.2+git20190427-3.1 (bug #1012516)
[bullseye] - sox <no-dsa> (Minor issue)
- [buster] - sox <no-dsa> (Minor issue)
- [stretch] - sox <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/sox/bugs/360/
NOTE: https://www.openwall.com/lists/oss-security/2023/02/03/3
CVE-2022-31650 (In SoX 14.4.2, there is a floating-point exception in lsx_aiffstartwri ...)
- sox 14.4.2+git20190427-3.1 (bug #1012516)
[bullseye] - sox <no-dsa> (Minor issue)
- [buster] - sox <no-dsa> (Minor issue)
- [stretch] - sox <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/sox/bugs/360/
NOTE: https://www.openwall.com/lists/oss-security/2023/02/03/3
CVE-2022-31649 (ownCloud owncloud/core before 10.10.0 Improperly Removes Sensitive Inf ...)
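Review bot: the `[stretch] - sox <no-dsa> (Minor issue)` annotations are dropped here although DLA-3315-1 only records a fixed version for buster, so the tracker loses its recorded state for stretch on CVE-2022-31651 and CVE-2022-31650. If this is intentional cleanup because stretch is no longer tracked, say so in the commit message; otherwise keep the stretch lines and remove only the `[buster]` ones, which the new DLA entry now supersedes.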
@@ -118766,8 +118762,6 @@ CVE-2021-36716 (A ReDoS (regular expression denial of service) flaw was found in
CVE-2021-3643 (A flaw was found in sox 14.4.1. The lsx_adpcm_init function within lib ...)
- sox 14.4.2+git20190427-3.2 (bug #1010374)
[bullseye] - sox <no-dsa> (Minor issue)
- [buster] - sox <no-dsa> (Minor issue)
- [stretch] - sox <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1980626
NOTE: Triggered by same reproducer as for CVE-2021-23210
NOTE: https://sourceforge.net/p/sox/bugs/351/
@@ -125578,8 +125572,6 @@ CVE-2021-33841 (SGE-PLC1000 device, in its 0.9.2b firmware version, does not han
CVE-2021-23210 (A floating point exception (divide-by-zero) issue was discovered in So ...)
- sox 14.4.2+git20190427-3.2 (bug #1010374)
[bullseye] - sox <no-dsa> (Minor issue)
- [buster] - sox <no-dsa> (Minor issue)
- [stretch] - sox <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1975670
NOTE: https://sourceforge.net/p/sox/bugs/351/
NOTE: https://www.openwall.com/lists/oss-security/2023/02/03/3
@@ -261790,9 +261782,6 @@ CVE-2019-13591
RESERVED
CVE-2019-13590 (An issue was discovered in libsox.a in SoX 14.4.2. In sox-fmt.h (start ...)
- sox 14.4.2+git20190427-2 (low; bug #932082)
- [buster] - sox <ignored> (Minor issue)
- [stretch] - sox <ignored> (Minor issue)
- [jessie] - sox <ignored> (Minor issue)
NOTE: https://sourceforge.net/p/sox/bugs/325/
NOTE: https://sourceforge.net/p/sox/code/ci/7b6a889217d62ed7e28188621403cc7542fd1f7e/
CVE-2019-13589 (The paranoid2 gem 1.1.6 for Ruby, as distributed on RubyGems.org, incl ...)
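Review bot: CVE-2019-13590 changes from `<ignored>` in buster to fixed via the DLA, and the `[jessie] - sox <ignored>` line goes too, while the unstable line still reads `(low; bug #932082)`. Worth a sentence in the commit message that a previously ignored issue is now covered, since the earlier `<ignored>` decision is otherwise reversed without explanation by this removal.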
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[10 Feb 2023] DLA-3315-1 sox - security update
+ {CVE-2019-13590 CVE-2021-3643 CVE-2021-23159 CVE-2021-23172 CVE-2021-23210 CVE-2021-33844 CVE-2021-40426 CVE-2022-31650 CVE-2022-31651}
+ [buster] - sox 14.4.2+git20190427-1+deb10u1
[09 Feb 2023] DLA-3314-1 libsdl2 - security update
{CVE-2019-7572 CVE-2019-7573 CVE-2019-7574 CVE-2019-7575 CVE-2019-7576 CVE-2019-7577 CVE-2019-7578 CVE-2019-7635 CVE-2019-7636 CVE-2019-7638 CVE-2019-13616 CVE-2019-13626 CVE-2020-14409 CVE-2020-14410 CVE-2021-33657 CVE-2022-4743}
[buster] - libsdl2 2.0.9+dfsg1-1+deb10u1
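Review bot: the new DLA entry lists CVE-2021-23159, CVE-2021-23172, CVE-2021-33844 and CVE-2021-40426, but none of those entries in data/CVE/list is touched in this commit, whereas the other five CVEs named here each have their `[buster]` annotation removed. Please check those four entries for a stale `[buster] - sox <no-dsa>` or `<ignored>` line that would now conflict with the fixed version `14.4.2+git20190427-1+deb10u1` recorded here, or confirm they never had one.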
=====================================
data/dla-needed.txt
=====================================
@@ -310,13 +310,6 @@ snort
NOTE: 20230121: Prepared new upstream version for unstable which we could
NOTE: 20230121: backport to buster later. See https://bugs.debian.org/1021276
--
-sox (Helmut Grohne)
- NOTE: 20220818: Programming language: C.
- NOTE: 20220818: Requires some investigation; see #1012138 etc.
- NOTE: 20221003: https://sourceforge.net/p/sox/bugs/362/ Re-pinged upstream committer (abhijith)
- NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/sox.git
- NOTE: 20230127: There is no point in dealing with sox. No upstream commit in 1.5 years. No answer to Enrico's upstream ticket. RedHat issued notabug. Unfixed in stable and unstable. Don't run sox on untrusted input. (Helmut)
---
spip
NOTE: 20230206: Programming language: PHP.
NOTE: 20230206: Special attention: Please contact maintainer regarding VCS usage
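Review bot: removing the sox entry also drops the 20230127 note's guidance (`Don't run sox on untrusted input`) and its record that the issues are `Unfixed in stable and unstable`, which still holds for bullseye (the `[bullseye] - sox <no-dsa> (Minor issue)` lines in data/CVE/list are unchanged). Consider carrying that guidance into the DLA-3315-1 advisory text or a NOTE on the affected CVE entries so it survives the cleanup; the removal itself is otherwise the right follow-up to issuing the DLA.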
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/729130df3de8c74d3d65f0a8f2c1666dcc175cb2