Details: https://nvd.nist.gov/vuln/detail/CVE-2017-11359
Pick the patch that was identified by Debian[1] as the solution. [1]: https://security-tracker.debian.org/tracker/CVE-2017-11359 Signed-off-by: Gyorgy Sarvari <[email protected]> --- .../sox/sox/CVE-2017-11359.patch | 30 +++++++++++++++++++ .../recipes-multimedia/sox/sox_14.4.2.bb | 1 + 2 files changed, 31 insertions(+) create mode 100644 meta-multimedia/recipes-multimedia/sox/sox/CVE-2017-11359.patch diff --git a/meta-multimedia/recipes-multimedia/sox/sox/CVE-2017-11359.patch b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2017-11359.patch new file mode 100644 index 0000000000..fcd3e4af50 --- /dev/null +++ b/meta-multimedia/recipes-multimedia/sox/sox/CVE-2017-11359.patch @@ -0,0 +1,30 @@ +From bcdbdbecea8fae984e895fb5f9b20fedb3602945 Mon Sep 17 00:00:00 2001 +From: Mans Rullgard <[email protected]> +Date: Sun, 5 Nov 2017 17:02:11 +0000 +Subject: [PATCH] wav: fix crash writing header when channel count >64k + (CVE-2017-11359) + +CVE: CVE-2017-11359 +Upstream-Status: Backport [https://github.com/mansr/sox/commit/8b590b3a52f4ccc4eea3f41b4a067c38b3565b60] +Signed-off-by: Gyorgy Sarvari <[email protected]> +--- + src/wav.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/wav.c b/src/wav.c +index 71fd52a..eca1cde 100644 +--- a/src/wav.c ++++ b/src/wav.c +@@ -1379,6 +1379,12 @@ static int wavwritehdr(sox_format_t * ft, int second_header) + long blocksWritten = 0; + sox_bool isExtensible = sox_false; /* WAVE_FORMAT_EXTENSIBLE? */ + ++ if (ft->signal.channels > UINT16_MAX) { ++ lsx_fail_errno(ft, SOX_EOF, "Too many channels (%u)", ++ ft->signal.channels); ++ return SOX_EOF; ++ } ++ + dwSamplesPerSecond = ft->signal.rate; + wChannels = ft->signal.channels; + wBitsPerSample = ft->encoding.bits_per_sample; diff --git a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb index 8f6808b0f0..18ce9a95d0 100644 --- a/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb +++ b/meta-multimedia/recipes-multimedia/sox/sox_14.4.2.bb @@ -32,6 +32,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/sox/sox-${PV}.tar.gz \ file://0001-Update-exported-symbol-list.patch \ file://CVE-2017-11332.patch \ file://CVE-2017-11358.patch \ + file://CVE-2017-11359.patch \ " SRC_URI[md5sum] = "d04fba2d9245e661f245de0577f48a33" SRC_URI[sha256sum] = "b45f598643ffbd8e363ff24d61166ccec4836fea6d3888881b8df53e3bb55f6c"
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#123880): https://lists.openembedded.org/g/openembedded-devel/message/123880 Mute This Topic: https://lists.openembedded.org/mt/117467441/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
