Thanks for the problem report. This was introduced by sox.sf.net commit 61428b3 "Clean up lsx_malloc() and friends" which Debian imported as a "fix" to CVE-2019-8355.
It's caused by lsx_strdup() being called with a NULL pointer from src/sox.c line 2370

```
norm_level = lsx_strdup(optstate.arg);
```

so one fix is to change this to

```
if (optstate.arg) norm_level = lsx_strdup(optstate.arg);
```

so that `norm_level` remains NULL, as it was initialized.

Presumably, before the cleanup, lsx_strdup() checked for and returned NULL. Here's the patch that reverts the change to lsx_strdup(); the other one will follow in a separate comment as this web form only allows one attachment.

Further details will appear in https://codeberg.org/sox_ng/sox_ng/issues when codeberg recovers from its current outage.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-8355

** Patch added: "0002-Partially-revert-61428b3-so-lsx_strdup-checks-for-a-.patch"
   https://bugs.launchpad.net/ubuntu/+source/sox/+bug/1839239/+attachment/5828053/+files/0002-Partially-revert-61428b3-so-lsx_strdup-checks-for-a-.patch

--
https://bugs.launchpad.net/bugs/1839239

Title:
  Sox segfault when using --norm without [=dB-level]
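The two fixes discussed in the comment above (a NULL check at the call site and a duplicate helper that passes NULL through), shown side by side as an added example; this is not code from sox or from the attached patch. The names `dup_or_null`, `optional_arg` and `parse_norm_level` are hypothetical, and the `--norm=-3` input is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a strdup wrapper that tolerates NULL:
 * NULL in, NULL out; exit only on a real allocation failure. */
static char *dup_or_null(const char *s)
{
    char *copy;
    size_t n;

    if (s == NULL)
        return NULL;                /* optional argument was omitted */
    n = strlen(s) + 1;
    copy = malloc(n);
    if (copy == NULL) {
        fputs("out of memory\n", stderr);
        exit(EXIT_FAILURE);
    }
    memcpy(copy, s, n);
    return copy;
}

/* Constructed model of an option with an optional "=value" part, as in
 * "--norm" versus "--norm=-3". Returns the value, or NULL if absent. */
static const char *optional_arg(const char *opt)
{
    const char *eq = strchr(opt, '=');
    return eq ? eq + 1 : NULL;
}

/* Call-site guard: the level keeps its initial NULL when no value is given. */
static char *parse_norm_level(const char *opt)
{
    char *norm_level = NULL;
    const char *arg = optional_arg(opt);
    if (arg)
        norm_level = dup_or_null(arg);
    return norm_level;
}

int main(void)
{
    char *a = parse_norm_level("--norm");       /* no level: stays NULL */
    char *b = parse_norm_level("--norm=-3");    /* level "-3" is copied */
    printf("%s / %s\n", a ? a : "(default)", b ? b : "(default)");
    free(a); free(b);
    return 0;
}
```

Either check alone prevents the NULL dereference; having both means a later call site that forgets the guard still gets NULL back instead of crashing inside the helper.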
