[oe] [meta-multimedia][scarthgap][PATCH 01/11] sox: patch CVE-2017-11332

Gyorgy Sarvari via lists.openembedded.org Mon, 26 Jan 2026 05:05:15 -0800

Details: https://nvd.nist.gov/vuln/detail/CVE-2017-11332


Pick the patch that was identified by Debian[1] as the solution.

[1]: https://security-tracker.debian.org/tracker/CVE-2017-11332

Signed-off-by: Gyorgy Sarvari <[email protected]>
---
 .../sox/sox/CVE-2017-11332.patch              | 28 +++++++++++++++++++
 .../recipes-multimedia/sox/sox_14.4.2.bb      |  1 +
 2 files changed, 29 insertions(+)
 create mode 100644 
meta-multimedia/recipes-multimedia/sox/sox/CVE-2017-11332.patch

diff --git a/meta-multimedia/recipes-multimedia/sox/sox/CVE-2017-11332.patch 
b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2017-11332.patch
new file mode 100644
index 0000000000..383813e469
--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2017-11332.patch
@@ -0,0 +1,28 @@
+From 80479b4978ddeb6fadb75007abc81f1ca2c50abb Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <[email protected]>
+Date: Sun, 5 Nov 2017 16:29:28 +0000
+Subject: [PATCH] wav: fix crash if channel count is zero (CVE-2017-11332)
+
+CVE: CVE-2017-11332
+Upstream-Status: Backport 
[https://github.com/mansr/sox/commit/7405bcaacb1ded8c595cb751d407cf738cb26571]
+Signed-off-by: Gyorgy Sarvari <[email protected]>
+---
+ src/wav.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/wav.c b/src/wav.c
+index 5202556..71fd52a 100644
+--- a/src/wav.c
++++ b/src/wav.c
+@@ -712,6 +712,11 @@ static int startread(sox_format_t * ft)
+     else
+         lsx_report("User options overriding channels read in .wav header");
+ 
++    if (ft->signal.channels == 0) {
++        lsx_fail_errno(ft, SOX_EHDR, "Channel count is zero");
++        return SOX_EOF;
++    }
++
+     if (ft->signal.rate == 0 || ft->signal.rate == dwSamplesPerSecond)
+         ft->signal.rate = dwSamplesPerSecond;
+     else
diff --git a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb 
b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb
index a79fb15d39..38566735bc 100644
--- a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb
+++ b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb
@@ -30,6 +30,7 @@ LIC_FILES_CHKSUM = 
"file://LICENSE.GPL;md5=751419260aa954499f7abaabaa882bbe \
 SRC_URI = "${SOURCEFORGE_MIRROR}/sox/sox-${PV}.tar.gz \
            
file://0001-remove-the-error-line-and-live-without-file-type-det.patch \
            file://0001-Update-exported-symbol-list.patch \
+           file://CVE-2017-11332.patch \
            "
 SRC_URI[md5sum] = "d04fba2d9245e661f245de0577f48a33"
 SRC_URI[sha256sum] = 
"b45f598643ffbd8e363ff24d61166ccec4836fea6d3888881b8df53e3bb55f6c"

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#123878): 
https://lists.openembedded.org/g/openembedded-devel/message/123878
Mute This Topic: https://lists.openembedded.org/mt/117467439/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

[oe] [meta-multimedia][scarthgap][PATCH 01/11] sox: patch CVE-2017-11332

Reply via email to