Message-ID: <20230314110138.GA1192267@subdivi.de>
Date: Tue, 14 Mar 2023 12:01:38 +0100
From: Helmut Grohne <helmut@...divi.de>
To: oss-security@...ts.openwall.com
Subject: Re: sox: patches for old vulnerabilities

On Fri, Feb 03, 2023 at 09:44:47PM +0100, Helmut Grohne wrote:
>  * CVE-2021-33844

The original fix for this issue would cause a regression. After applying
it, sox would be unable to decode WAV GSM files. This has been reported
as https://bugs.debian.org/1032082. I am attaching an updated patch that
fixes this regression. It is meant to replace the previous patch. The
updated patch includes a regression test case to avoid repeating the
mistake.

I see that most distributions (e.g. RedHat, SUSE, Gentoo, etc.) have not
picked up the faulty patch. Ubuntu inherited it from Debian and will
likely inherit the fix as it gets fixed in Debian releases.

Helmut

View attachment "CVE-2021-33844.patch" of type "text/x-diff" (1186 bytes)
