On Mon, 12 Jan 2026 at 08:55, Thorsten Alteholz <[email protected]> wrote:
> On 12.01.26 03:59, Martin Guy wrote:
> > fixes all 20 or so CVEs,
> > some of which could lead to code injection using crafted malformed
> > compressed format files (which is why I mark it as "important").
>
> Can you please be a bit more verbose about what you mean with this?
> According to [1] there are no open CVEs in the Debian package.
>
> [1] https://security-tracker.debian.org/tracker/source-package/sox
Sure. That seems based on a git snapshot from sox.sf.net which claims to
fix some CVEs but doesn't really, and the test suite for the CVEs run
against Debian SoX says (here "BUG-*" are for bugs reported on
sox.sf.net, "LOOP" means it ran into an infinite loop, "SUCC" means it
reported success when it should have failed, "VOID" that the test
couldn't be run because plain sox doesn't have the effect or format in
question, and "SEGV" and "ABRT" mean it dies of those):

BUG-293: FAIL
BUG-297: OK
BUG-298: OK
BUG-305: LOOP
BUG-320: OK
BUG-327: VOID
BUG-331: OK
BUG-333: OK
BUG-334: SEGV
BUG-345: FAIL
BUG-350: OK
BUG-351: OK
BUG-358: SEGV
BUG-360-aiffstartwrite: OK
BUG-360-rate: OK
BUG-363: OK
BUG-367: OK
BUG-368: OK
BUG-369: OK
BUG-370: OK
CVE-2004-0557: OK
CVE-2017-11332: OK
CVE-2017-11333: OK
CVE-2017-11358: OK
CVE-2017-11359: OK
CVE-2017-15370: SUCC
CVE-2017-15371: OK
CVE-2017-15372: SUCC
CVE-2017-15642: OK
CVE-2017-18189: OK
CVE-2019-1010004: OK
CVE-2019-13590: OK
CVE-2019-8354: ABRT
CVE-2019-8355: OK
CVE-2019-8356: SUCC
CVE-2021-23159: OK
CVE-2021-23172: OK
CVE-2021-23210: OK
CVE-2021-33844: OK
CVE-2021-3643: OK
CVE-2021-40426: OK
CVE-2022-31650: OK
CVE-2022-31651: OK
CVE-2023-26590: OK
CVE-2023-32627: OK
CVE-2023-34318: OK
CVE-2023-34432: OK

The buffer overflow that could conceivably allow code injection that
Debian fails is CVE-2014-8145 - see
https://codeberg.org/sox_ng/sox_ng/wiki/CVE
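
As an added example, not code from this thread, from the Debian package or
from the sox_ng project: a small POSIX shell harness that runs one decoder
invocation under a time limit and classifies the outcome with the same
result words as the table above. The mapping from exit status to result
word is my assumption, not sox_ng's (in particular, "FAIL" is used here for
death by any signal other than SIGSEGV/SIGABRT, and "VOID" for a command
that could not be started at all, as a stand-in for "the build lacks this
format or effect"). The sox command line in the comments is illustrative;
the crafted input files it refers to are the test suite's and are not
included. The demo rows at the bottom are constructed stand-ins that mimic
each failure mode so the harness can be exercised without sox installed.

```shell
#!/bin/sh
# Added example (not from the thread, Debian or sox_ng). Classifies the
# outcome of running a decoder on a crafted input, using the result words
# from the test run above. Exit-status mapping is an assumption made here:
#   SUCC  exit 0: the tool accepted input it should have rejected
#   OK    non-zero exit, no signal: the input was rejected
#   LOOP  timeout(1) hit the limit (exit 124): hang / infinite loop
#   SEGV  killed by SIGSEGV (exit 128+11)
#   ABRT  killed by SIGABRT (exit 128+6), e.g. assert() or a glibc abort
#   FAIL  killed by any other signal (SIGBUS, SIGFPE, SIGKILL, ...)
#   VOID  the command could not be started (exit 125/126/127), the
#         stand-in here for "this build lacks the format or effect"

# Usage: classify <seconds> <command> [args...]   -> prints one result word
classify() {
    secs=$1; shift
    rc=0
    # coreutils timeout(1) re-raises the child's fatal signal on itself,
    # so a crash inside the decoder still reaches us as 128+signal.
    timeout "$secs" "$@" >/dev/null 2>&1 || rc=$?
    case "$rc" in
        0)           echo SUCC ;;
        124)         echo LOOP ;;
        125|126|127) echo VOID ;;
        134)         echo ABRT ;;
        139)         echo SEGV ;;
        *)  if [ "$rc" -gt 128 ]; then echo FAIL; else echo OK; fi ;;
    esac
}

# Read rows of the form "name|seconds|command line" from stdin and print
# "name: RESULT" lines like the table in the thread. The command line is
# run through sh -c; prefix it with "exec" so that timeout(1) supervises
# the decoder itself rather than an intermediate shell, e.g.
#   CVE-2017-15370|10|exec sox crafted.wav -n stat
# (crafted.wav being the test-suite file for that CVE, not included here).
run_table() {
    while IFS='|' read -r name secs cmd; do
        [ -n "$name" ] || continue
        printf '%s: %s\n' "$name" "$(classify "$secs" sh -c "$cmd")"
    done
}

# Constructed stand-ins (not real test cases): each mimics one outcome.
demo() {
    run_table <<'EOF'
accepts-bad-input|2|exec true
rejects-bad-input|2|exec false
hangs|1|exec sleep 5
segfaults|2|kill -11 $$
aborts|2|kill -6 $$
other-signal|2|kill -9 $$
tool-missing|2|exec /nonexistent/sox
EOF
}

demo
```

Run it as `sh harness.sh` to see the demo table; for a real run, feed
`run_table` rows whose command lines invoke the sox build under test on the
suite's crafted files, and compare the output against the table quoted in
the thread.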

