From the Google Security Team: I would like to publicly report new memory corruption vulnerabilities in the latest SoX, 14.4.2. These were reported in April 2015 through oCERT, but they have notified me that they still haven't received a response from upstream. Please see this shared folder, visible to anybody with the link: https://drive.google.com/folderview?id=0B52EFul-UCEIflZhcjlrRGlqcWdER2xJZWR4dmVUQ1RaRGl6a09sbVdGYjg2MER6OHl3aUU&usp=sharing The write heap buffer overflows are related to ADPCM handling in WAV files, while the read heap buffer overflow occurs while opening a .VOC file. For each crash, you have the input file and a .txt with the ASAN output. Thanks, Michele Spagnuolo, Google Security Team. Reference: http://seclists.org/oss-sec/2015/q3/167
Created attachment 159101 [details]
security/vuxml for audio/sox

Log:
Document buffer overflow vulnerabilities in specially crafted WAV and VOC files

PR: 201778
CVE: CVE-2014-8145
Security: 9dd761ff-30cb-11e5-a4a5-002590263bf5
Security: 92cda470-30cb-11e5-a4a5-002590263bf5

Details:
Details on the most recent vulnerability seem scarce at the moment. Document the issue as of now and start tracking it in a PR.

The VuXML also documents CVE-2014-8145, which was publicly announced on 20 Dec 2014. This was fixed in 14.4.2. It is indeed fixed in 14.4.2, as I cross-checked 14.4.2 with the Debian patches along with noting that it's mentioned in the SoX changelog:

o Detect MS ADPCM WAV files with invalid blocks. (cbagwell)
o Detect Sphere files with invalid header sizes. (cbagwell)

Validation:

> make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

> env PKG_DBDIR=/usr/ports/security/vuxml pkg audit sox-14.4.1
sox-14.4.1 is vulnerable:
sox -- input sanitization errors
CVE: CVE-2014-8145
WWW: https://vuxml.FreeBSD.org/freebsd/92cda470-30cb-11e5-a4a5-002590263bf5.html

sox-14.4.1 is vulnerable:
sox -- memory corruption vulnerabilities
WWW: https://vuxml.FreeBSD.org/freebsd/9dd761ff-30cb-11e5-a4a5-002590263bf5.html

1 problem(s) in the installed packages found.

> env PKG_DBDIR=/usr/ports/security/vuxml pkg audit sox-14.4.2
sox-14.4.2 is vulnerable:
sox -- memory corruption vulnerabilities
WWW: https://vuxml.FreeBSD.org/freebsd/9dd761ff-30cb-11e5-a4a5-002590263bf5.html

1 problem(s) in the installed packages found.
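The changelog line quoted above ("Detect MS ADPCM WAV files with invalid blocks") describes the class of consistency check a decoder needs before it trusts the block geometry declared in a WAV header. The following is an added example, not SoX's own code or the fix shipped in 14.4.2: it parses the RIFF chunk list with bounds checks and cross-checks the MS ADPCM fmt fields (channel count, block_align, samples_per_block, coefficient table) against each other, so a header that promises more samples per block than the block can hold is rejected before any decoding happens. The field layout follows the MS ADPCM WAVEFORMATEX extension; the helper names, the zero-filled sample files built by build_wav() and the chosen constants are all assumptions of this example.

```python
import struct

MS_ADPCM_FORMAT_TAG = 0x0002
BLOCK_HEADER_BYTES_PER_CHANNEL = 7  # predictor (1) + initial delta (2) + two seed samples (2 + 2)
# The seven standard MS ADPCM coefficient pairs; used here only to build the constructed sample files.
STANDARD_COEFS = [(256, 0), (512, -256), (0, 0), (192, 64), (240, 0), (460, -208), (392, -232)]


def iter_chunks(data):
    """Yield (fourcc, payload) for every RIFF chunk, refusing sizes that run past the buffer."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    pos = 12
    while pos + 8 <= len(data):
        fourcc, size = struct.unpack_from("<4sI", data, pos)
        start = pos + 8
        if size > len(data) - start:
            raise ValueError("chunk %r claims %d bytes but only %d remain" % (fourcc, size, len(data) - start))
        yield fourcc, data[start:start + size]
        pos = start + size + (size & 1)  # RIFF chunks are padded to an even length


def validate_ms_adpcm(data):
    """Cross-check the MS ADPCM fmt fields; return the block geometry or raise ValueError."""
    fmt = None
    data_len = None
    for fourcc, payload in iter_chunks(data):
        if fourcc == b"fmt ":
            fmt = payload
        elif fourcc == b"data":
            data_len = len(payload)
    if fmt is None or data_len is None:
        raise ValueError("fmt or data chunk missing")
    if len(fmt) < 22:
        raise ValueError("fmt chunk too short for MS ADPCM")
    (tag, channels, _rate, _avg_bps, block_align, bits,
     _cb_size, samples_per_block, num_coef) = struct.unpack_from("<HHIIHHHHH", fmt, 0)
    if tag != MS_ADPCM_FORMAT_TAG:
        raise ValueError("not MS ADPCM (format tag 0x%04x)" % tag)
    if channels not in (1, 2):
        raise ValueError("MS ADPCM supports 1 or 2 channels, got %d" % channels)
    if bits != 4:
        raise ValueError("MS ADPCM uses 4 bits per sample, got %d" % bits)
    if num_coef < len(STANDARD_COEFS) or len(fmt) < 22 + 4 * num_coef:
        raise ValueError("coefficient table (%d entries) does not fit in fmt chunk" % num_coef)
    header = BLOCK_HEADER_BYTES_PER_CHANNEL * channels
    if block_align <= header:
        raise ValueError("block_align %d leaves no room after the %d-byte block header" % (block_align, header))
    # Every byte after the per-channel headers carries two 4-bit samples, and the header itself
    # supplies two seed samples per channel.  The declared samples_per_block must match that;
    # a decoder that trusts a larger value would write more output than the block provides.
    expected = (block_align - header) * 2 // channels + 2
    if samples_per_block != expected:
        raise ValueError("samples_per_block %d but block_align %d implies %d"
                         % (samples_per_block, block_align, expected))
    return {
        "channels": channels,
        "block_align": block_align,
        "samples_per_block": samples_per_block,
        "full_blocks": data_len // block_align,
        "trailing_bytes": data_len % block_align,  # a decoder must not treat these as a full block
    }


def accepts(data):
    """True if validate_ms_adpcm() accepts the file, False if it rejects it."""
    try:
        validate_ms_adpcm(data)
        return True
    except ValueError:
        return False


def build_wav(channels, block_align, samples_per_block, data_len, rate=8000):
    """Constructed MS ADPCM WAV bytes for testing; the data payload is zero-filled, not real audio."""
    avg_bps = rate * block_align // samples_per_block if samples_per_block else 0
    fmt = struct.pack("<HHIIHHHHH", MS_ADPCM_FORMAT_TAG, channels, rate, avg_bps,
                      block_align, 4, 32, samples_per_block, len(STANDARD_COEFS))
    for c1, c2 in STANDARD_COEFS:
        fmt += struct.pack("<hh", c1, c2)
    body = struct.pack("<4sI", b"fmt ", len(fmt)) + fmt
    body += struct.pack("<4sI", b"data", data_len) + bytes(data_len)
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"WAVE" + body


if __name__ == "__main__":
    print(validate_ms_adpcm(build_wav(1, 256, 500, 512)))       # consistent mono header
    for bad in (build_wav(1, 4, 500, 512),                       # block smaller than its own header
                build_wav(1, 256, 1000, 512),                    # samples_per_block overstated
                build_wav(1, 256, 500, 512)[:-100]):             # data chunk longer than the file
        print("accepted:", accepts(bad))
```

The returned geometry (full_blocks and trailing_bytes) is what a decoder should size its loops from, rather than from the chunk length alone; a short trailing fragment is reported separately so it is never decoded as if it were a complete block.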
I can take this.
A commit references this bug:

Author: feld
Date: Thu Jul 23 15:39:32 UTC 2015
New revision: 392732
URL: https://svnweb.freebsd.org/changeset/ports/392732

Log:
Document buffer overflow vulnerabilities in SoX

PR: 201778
CVE: CVE-2014-8145
Security: 9dd761ff-30cb-11e5-a4a5-002590263bf5
Security: 92cda470-30cb-11e5-a4a5-002590263bf5

Changes:
head/security/vuxml/vuln.xml
Now we wait patiently for a patch or a new release with the fix :-)
For the archives, here is the link to the upstream bug report for this issue: http://sourceforge.net/p/sox/bugs/265/ There is also another security-tagged bug in their system that seems to be unsubstantiated, without usable details at this time: http://sourceforge.net/p/sox/bugs/254/
Is this still open on purpose?
Yes. There is no solution for this upstream yet.
What is the current status?
Most of the dependent ports listed on Freshports have been removed. Three ports have an option (e.g. logitechmediaserver). Only three depend on it: audio/vsound, comms/freedv and multimedia/imagination.
audio/vsound: MASTER_SITES
http://down1.chinaunix.net/distfiles/ <= not reachable
http://freebsd.nsu.ru/distfiles/ <= last entry on this site is from 2013.
I'm closing this here (with hat: ports-secteam).