Message-ID: <Y91yP6mYIZ+UXmgf@alf.mars>
Date: Fri, 3 Feb 2023 21:44:47 +0100
From: Helmut Grohne <helmut@...divi.de>
To: oss-security@...ts.openwall.com
Subject: sox: patches for old vulnerabilities

Hi,

I am working on fixing known vulnerabilities in sox and since upstream seems mostly dead (no commits in more than a year, no replies to bug reports), I am posting my results here. My work on sox is compensated by Freexian SARL.

I located two distinct memory leaks.

The fix for CVE-2017-11358 introduced a regression. Reading any hcom file would result in an error. This made the test suite fail, but since nobody seems to run the test suite, this ended up being shipped in e.g. multiple Debian releases.

On 64-bit big-endian systems, a 64-bit integer is incorrectly truncated to the upper 32 bits. This subsequently causes an assertion failure or a stack overflow in a -DNDEBUG build. This issue also breaks the test suite. I do not think that this is exploitable and do not intend to request a CVE.

I'm attaching patches for these as well as patches for the following vulnerabilities:

 * CVE-2021-3643 and CVE-2021-23210
 * CVE-2021-23159 and CVE-2021-23172
 * CVE-2021-33844
 * CVE-2021-40426
 * CVE-2022-31650
 * CVE-2022-31651

I welcome reviews and propose adding these patches to distributions that ship sox. I will upload these patches to Debian.

Please Cc me in replies.

Helmut

Attachments:

 * fix-resource-leak-comments.patch (text/x-diff, 314 bytes)
 * fix-resource-leak-hcom.patch (text/x-diff, 1445 bytes)
 * fix-regression-in-CVE-2017-11358.patch (text/x-diff, 1833 bytes)
 * fix-hcom-big-endian.patch (text/x-diff, 1023 bytes)
 * CVE-2021-23159.patch (text/x-diff, 737 bytes)
 * CVE-2021-33844.patch (text/x-diff, 1102 bytes)
 * CVE-2021-3643.patch (text/x-diff, 652 bytes)
 * CVE-2021-40426.patch (text/x-diff, 822 bytes)
 * CVE-2022-31650.patch (text/x-diff, 1642 bytes)
 * CVE-2022-31651.patch (text/x-diff, 859 bytes)
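The big-endian truncation described in the message belongs to a well-known bug class: a 64-bit object is read through a 32-bit access, so only its first four bytes in memory count, which is the low half on little-endian hosts and the high half on big-endian ones. The following C snippet is an added illustration of that class, not code from sox or from the attached patches; it simulates both byte orders in memory so the effect is reproducible on any host, and contrasts the defect with an explicit conversion and a range check.

```c
#include <stdint.h>

/* Serialise a 64-bit value into 8 bytes in the requested byte order,
 * simulating how the object would sit in memory on that kind of host. */
static void put_u64(uint8_t out[8], uint64_t v, int big_endian) {
    for (int i = 0; i < 8; i++) {
        int shift = big_endian ? (7 - i) * 8 : i * 8;
        out[i] = (uint8_t)(v >> shift);
    }
}

/* The defect: only the first four bytes of the 64-bit object are read,
 * as happens when a 64-bit value is accessed through a 32-bit lvalue.
 * Little-endian hosts get the low half, big-endian hosts the high half,
 * so the same source behaves differently across architectures. */
uint32_t narrow_via_first_bytes(uint64_t v, int big_endian) {
    uint8_t mem[8];
    put_u64(mem, v, big_endian);
    uint32_t r = 0;
    for (int i = 0; i < 4; i++) {
        int shift = big_endian ? (3 - i) * 8 : i * 8;
        r |= (uint32_t)mem[i] << shift;
    }
    return r;
}

/* A value conversion is byte-order independent: it always keeps the
 * low 32 bits, whatever the host's endianness. */
uint32_t narrow_explicit(uint64_t v) {
    return (uint32_t)v;
}

/* Defensive variant: report whether the value fits at all, so a caller
 * can reject an oversized count instead of silently truncating it. */
int fits_in_u32(uint64_t v) {
    return v <= UINT32_MAX;
}
```

Only the endianness of the simulated memory layout changes between the two calls to narrow_via_first_bytes; the host running the snippet can be either.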