* [Buildroot] [PATCH 1/1] package/sox: security bump to latest git commit
@ 2021-02-03 20:00 Fabrice Fontaine
2021-02-04 17:20 ` Peter Korsgaard
2021-02-10 9:04 ` Peter Korsgaard
0 siblings, 2 replies; 5+ messages in thread
From: Fabrice Fontaine @ 2021-02-03 20:00 UTC (permalink / raw)
To: buildroot
Bump to the latest git commit as this will fix the following CVEs:
git log|grep CVE
sox-fmt: validate comments_bytes before use (CVE-2019-13590) [bug #325]
fix possible null pointer deref in lsx_make_lpf() (CVE-2019-8357)
fft4g: bail if size too large (CVE-2019-8356)
fix possible overflow in lsx_(re)valloc() size calculation (CVE-2019-8355)
fix possible buffer size overflow in lsx_make_lpf() (CVE-2019-8354)
xa: validate channel count (CVE-2017-18189)
aiff: fix crash on empty comment chunk (CVE-2017-15642)
adpcm: fix stack overflow with >4 channels (CVE-2017-15372)
flac: fix crash on corrupt metadata (CVE-2017-15371)
wav: ima_adpcm: fix buffer overflow on corrupt input (CVE-2017-15370)
wav: fix crash writing header when channel count >64k (CVE-2017-11359)
hcom: fix crash on input with corrupt dictionary (CVE-2017-11358)
wav: fix crash if channel count is zero (CVE-2017-11332)
- Tweak configuration options due to
https://sourceforge.net/p/sox/code/ci/6ff0e9322f9891f5a6ac6c9b3bceffbfca16bec3
- libgsm is now an optional dependency since
https://sourceforge.net/p/sox/code/ci/e548827ffcf4dffa7f21709b8e96b04b481c09b8
- Add patch to put back --disable-stack-protector
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
....ac-put-back-disable-stack-protector.patch | 45 +++++++++++++++
package/sox/sox.hash | 4 +-
package/sox/sox.mk | 56 ++++++++++++++-----
3 files changed, 89 insertions(+), 16 deletions(-)
create mode 100644 package/sox/0002-configure.ac-put-back-disable-stack-protector.patch
diff --git a/package/sox/0002-configure.ac-put-back-disable-stack-protector.patch b/package/sox/0002-configure.ac-put-back-disable-stack-protector.patch
new file mode 100644
index 0000000000..28e2871f54
--- /dev/null
+++ b/package/sox/0002-configure.ac-put-back-disable-stack-protector.patch
@@ -0,0 +1,45 @@
+From 18ace560a15207503805d4df25b90c7a756bcbf6 Mon Sep 17 00:00:00 2001
+From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+Date: Tue, 2 Feb 2021 23:53:39 +0100
+Subject: [PATCH] configure.ac: put back --disable-stack-protector
+
+Put back --disable-stack-protector which has been removed by commit
+70c85915eace83142b84e4f65f5db421cf0c09e3. This will allow the user to
+disable it or to let a higher buildsystem such as buildroot to finely
+configure it.
+
+Indeed, without this patch, build can fail as some compilers (such as
+uclibc) could missed the needed library (-lssp or -lssp_nonshared) at
+linking step:
+
+ CCLD libsox.la
+/home/fabrice/br-test-pkg/br-arm-full/host/opt/ext-toolchain/bin/../lib/gcc/arm-buildroot-linux-uclibcgnueabi/5.5.0/../../../../arm-buildroot-linux-uclibcgnueabi/bin/ld: cannot find -lssp_nonshared
+/home/fabrice/br-test-pkg/br-arm-full/host/opt/ext-toolchain/bin/../lib/gcc/arm-buildroot-linux-uclibcgnueabi/5.5.0/../../../../arm-buildroot-linux-uclibcgnueabi/bin/ld: cannot find -lssp
+
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+[Upstream status: https://sourceforge.net/p/sox/patches/122/]
+---
+ configure.ac | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 39306398..a1665467 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -32,7 +32,12 @@ AC_PROG_LN_S
+ PKG_PROG_PKG_CONFIG
+ PKG_INSTALLDIR
+
+-AX_APPEND_COMPILE_FLAGS([-fstack-protector-strong])
++AC_ARG_ENABLE([stack-protector],
++ AS_HELP_STRING([--disable-stack-protector], [Disable -fstack-protector-strong]),
++ [enable_stack_protector=$enableval], [enable_stack_protector=yes])
++AS_IF([test x"$enable_stack_protector" = "xyes"],
++ [AX_APPEND_COMPILE_FLAGS([-fstack-protector-strong])])
++
+ AX_APPEND_COMPILE_FLAGS([-Wall -Wmissing-prototypes -Wstrict-prototypes])
+ AX_APPEND_LINK_FLAGS([-Wl,--as-needed])
+
+--
+2.29.2
+
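Review bot: the description embedded in this new patch file has a grammar slip at "could missed the needed library" (should read "could miss the needed library"); worth fixing here since the [Upstream status] line shows the same text was sent upstream. On the configure.ac change itself, the default stays enable_stack_protector=yes, so upstream's -fstack-protector-strong hardening is unchanged unless --disable-stack-protector is passed explicitly, which matches the stated goal of letting the build system make that decision, and the AS_IF test on x"$enable_stack_protector" = "xyes" is the usual safe form.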
diff --git a/package/sox/sox.hash b/package/sox/sox.hash
index 1a4a7dbf7f..d2006e0291 100644
--- a/package/sox/sox.hash
+++ b/package/sox/sox.hash
@@ -1,6 +1,4 @@
-# From http://sourceforge.net/projects/sox/files/sox/14.4.2/
-md5 ba804bb1ce5c71dd484a102a5b27d0dd sox-14.4.2.tar.bz2
-sha1 dc9668256b9d81ef25d672f14f12ec026b0b4087 sox-14.4.2.tar.bz2
# Locally computed
+sha256 3d06ba8fc39ac92f16da73593be48afe0a704fe4dc4f6eca2e5137ef77cd5115 sox-7524160b29a476f7e87bc14fddf12d349f9a3c5e-br1.tar.gz
sha256 ab15fd526bd8dd18a9e77ebc139656bf4d33e97fc7238cd11bf60e2b9b8666c6 LICENSE.GPL
sha256 5df07007198989c622f5d41de8d703e7bef3d0e79d62e24332ee739a452af62a LICENSE.LGPL
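Review bot: the upstream-published md5/sha1 lines for the 14.4.2 tarball are dropped and replaced by a single locally computed sha256 over a Buildroot-generated git tarball (sox-&lt;commit&gt;-br1.tar.gz), so there is no longer any independent upstream checksum to cross-check. That is unavoidable for a git fetch, but it means integrity now rests entirely on the commit id pinned in SOX_VERSION plus this hash; a sentence in the commit message saying the sha256 was computed from a fresh fetch would help reviewers, and the -br1 suffix ties the hash to Buildroot's tarball generation format, so it has to be recomputed if that format changes.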
diff --git a/package/sox/sox.mk b/package/sox/sox.mk
index 8a1d87b230..4334355a91 100644
--- a/package/sox/sox.mk
+++ b/package/sox/sox.mk
@@ -4,14 +4,22 @@
#
################################################################################
-SOX_VERSION = 14.4.2
-SOX_SITE = http://downloads.sourceforge.net/project/sox/sox/$(SOX_VERSION)
-SOX_SOURCE = sox-$(SOX_VERSION).tar.bz2
-SOX_DEPENDENCIES = host-pkgconf
+SOX_VERSION = 7524160b29a476f7e87bc14fddf12d349f9a3c5e
+SOX_SITE = git://git.code.sf.net/p/sox/code
+SOX_SITE_METHOD = git
+SOX_DEPENDENCIES = host-autoconf-archive host-pkgconf
SOX_LICENSE = GPL-2.0+ (sox binary), LGPL-2.1+ (libraries)
SOX_LICENSE_FILES = LICENSE.GPL LICENSE.LGPL
SOX_CPE_ID_VENDOR = sound_exchange_project
SOX_CPE_ID_PRODUCT = sound_exchange
+# From git and we're patching configure.ac
+SOX_AUTORECONF = YES
+SOX_AUTORECONF_OPTS = --include=$(HOST_DIR)/share/autoconf-archive
+
+SOX_IGNORE_CVES += CVE-2017-11332 CVE-2017-11358 CVE-2017-11359 \
+ CVE-2017-15370 CVE-2017-15371 CVE-2017-15372 CVE-2017-15642 \
+ CVE-2017-18189 CVE-2019-8354 CVE-2019-8355 CVE-2019-8356 \
+ CVE-2019-8357 CVE-2019-13590
SOX_CONF_OPTS = \
--with-distro="Buildroot" \
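Review bot: SOX_SITE moves to git://git.code.sf.net/p/sox/code, an unauthenticated and unencrypted transport; with the commit pinned in SOX_VERSION and the sha256 in sox.hash the fetched tree is still verified, but an https URL would be preferable if SourceForge offers one for this repository. The 13 ids in SOX_IGNORE_CVES match the 13 CVEs named in the commit message, which is the right way to record the fixes now that SOX_VERSION is a commit hash rather than a release number that can be compared against the SOX_CPE_ID_VENDOR/PRODUCT data. Also, the whole point of the new 0002 patch is to restore --disable-stack-protector, but the visible SOX_CONF_OPTS context stops at --with-distro, so please confirm that option is actually passed there; otherwise the uclibc -lssp link failure quoted in the patch description would persist.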
@@ -19,92 +27,114 @@ SOX_CONF_OPTS = \
ifeq ($(BR2_PACKAGE_ALSA_LIB_PCM),y)
SOX_DEPENDENCIES += alsa-lib
+SOX_CONF_OPTS += --enable-alsa
else
-SOX_CONF_OPTS += --without-alsa
+SOX_CONF_OPTS += --disable-alsa
endif
ifeq ($(BR2_PACKAGE_FILE),y)
SOX_DEPENDENCIES += file
+SOX_CONF_OPTS += --with-magic
else
SOX_CONF_OPTS += --without-magic
endif
ifeq ($(BR2_PACKAGE_FLAC),y)
SOX_DEPENDENCIES += flac
+SOX_CONF_OPTS += --enable-flac
else
-SOX_CONF_OPTS += --without-flac
+SOX_CONF_OPTS += --disable-flac
endif
ifeq ($(BR2_PACKAGE_LAME),y)
SOX_DEPENDENCIES += lame
+SOX_CONF_OPTS += --with-lame
else
SOX_CONF_OPTS += --without-lame
endif
ifeq ($(BR2_PACKAGE_LIBAO),y)
SOX_DEPENDENCIES += libao
+SOX_CONF_OPTS += --enable-ao
+else
+SOX_CONF_OPTS += --disable-ao
+endif
+
+ifeq ($(BR2_PACKAGE_LIBGSM),y)
+SOX_DEPENDENCIES += libgsm
+SOX_CONF_OPTS += --enable-gsm
else
-SOX_CONF_OPTS += --without-ao
+SOX_CONF_OPTS += --disable-gsm
endif
ifeq ($(BR2_PACKAGE_LIBID3TAG),y)
SOX_DEPENDENCIES += libid3tag
+SOX_CONF_OPTS += --with-id3tag
else
SOX_CONF_OPTS += --without-id3tag
endif
ifeq ($(BR2_PACKAGE_LIBMAD),y)
SOX_DEPENDENCIES += libmad
+SOX_CONF_OPTS += --with-mad
else
SOX_CONF_OPTS += --without-mad
endif
ifeq ($(BR2_PACKAGE_LIBPNG),y)
SOX_DEPENDENCIES += libpng
+SOX_CONF_OPTS += --with-png
else
SOX_CONF_OPTS += --without-png
endif
ifeq ($(BR2_PACKAGE_LIBSNDFILE),y)
SOX_DEPENDENCIES += libsndfile
+SOX_CONF_OPTS += --enable-sndfile
else
-SOX_CONF_OPTS += --without-sndfile
+SOX_CONF_OPTS += --disable-sndfile
endif
ifeq ($(BR2_PACKAGE_LIBVORBIS),y)
SOX_DEPENDENCIES += libvorbis
+SOX_CONF_OPTS += --enable-oggvorbis
else
-SOX_CONF_OPTS += --without-oggvorbis
+SOX_CONF_OPTS += --disable-oggvorbis
endif
ifeq ($(BR2_PACKAGE_OPENCORE_AMR),y)
SOX_DEPENDENCIES += opencore-amr
+SOX_CONF_OPTS += --enable-amrwb --enable-amrnb
else
-SOX_CONF_OPTS += --without-amrwb --without-amrnb
+SOX_CONF_OPTS += --disable-amrwb --disable-amrnb
endif
ifeq ($(BR2_PACKAGE_OPUSFILE),y)
SOX_DEPENDENCIES += opusfile
+SOX_CONF_OPTS += --enable-opus
else
-SOX_CONF_OPTS += --without-opus
+SOX_CONF_OPTS += --disable-opus
endif
ifeq ($(BR2_PACKAGE_PULSEAUDIO),y)
SOX_DEPENDENCIES += pulseaudio
+SOX_CONF_OPTS += --enable-pulseaudio
else
-SOX_CONF_OPTS += --without-pulseaudio
+SOX_CONF_OPTS += --disable-pulseaudio
endif
ifeq ($(BR2_PACKAGE_TWOLAME),y)
SOX_DEPENDENCIES += twolame
+SOX_CONF_OPTS += --with-twolame
else
SOX_CONF_OPTS += --without-twolame
endif
ifeq ($(BR2_PACKAGE_WAVPACK),y)
SOX_DEPENDENCIES += wavpack
+SOX_CONF_OPTS += --enable-wavpack
else
-SOX_CONF_OPTS += --without-wavpack
+SOX_CONF_OPTS += --disable-wavpack
endif
$(eval $(autotools-package))
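Review bot: the switch from --without-&lt;lib&gt; to --enable-/--disable- for alsa, flac, ao, gsm, sndfile, oggvorbis, amrwb/amrnb, opus, pulseaudio and wavpack, plus the new explicit --with-&lt;lib&gt; lines when a dependency is selected, means configure now fails loudly instead of silently auto-detecting (and dropping) a feature when its library is missing, which is good for reproducible builds. Two small points: a one-line comment above SOX_CONF_OPTS naming the upstream commit that renamed the options would save the next bumper a lookup, since the hunk mixes --enable and --with forms for reasons only the commit message explains; and the diff is laid out so that the old libao else/--without-ao lines now close the new libgsm block, which is correct as shown but reads confusingly, so a quick look at the generated file to confirm each ifeq/else/endif pairing is worthwhile.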
--
2.29.2
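A bump like this carries two lists that must agree: the CVE ids named in the upstream `git log | grep CVE` output and the ids placed in SOX_IGNORE_CVES. The script below is an added example, not part of the Buildroot patch or the sox project, that cross-checks the two so a reviewer can see at a glance whether a fixed CVE was left out of the ignore list or an id was ignored without evidence in the log. Both inputs are constructed from the text of this patch; the variable name SOX_IGNORE_CVES is the one in sox.mk, and the helper names are my own.

```python
"""Cross-check the CVE ids a package bump claims to fix against the
SOX_IGNORE_CVES assignment in a Buildroot .mk file.

Added example, not code from the Buildroot patch or from sox.  The two
inputs below are constructed from the patch text: the `git log | grep CVE`
lines quoted in the commit message, and the SOX_IGNORE_CVES block from the
sox.mk hunk (with the line continuations kept as a .mk file would have them).
"""
import re

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Constructed: the upstream log lines quoted in the commit message.
GIT_LOG_LINES = """\
sox-fmt: validate comments_bytes before use (CVE-2019-13590) [bug #325]
fix possible null pointer deref in lsx_make_lpf() (CVE-2019-8357)
fft4g: bail if size too large (CVE-2019-8356)
fix possible overflow in lsx_(re)valloc() size calculation (CVE-2019-8355)
fix possible buffer size overflow in lsx_make_lpf() (CVE-2019-8354)
xa: validate channel count (CVE-2017-18189)
aiff: fix crash on empty comment chunk (CVE-2017-15642)
adpcm: fix stack overflow with >4 channels (CVE-2017-15372)
flac: fix crash on corrupt metadata (CVE-2017-15371)
wav: ima_adpcm: fix buffer overflow on corrupt input (CVE-2017-15370)
wav: fix crash writing header when channel count >64k (CVE-2017-11359)
hcom: fix crash on input with corrupt dictionary (CVE-2017-11358)
wav: fix crash if channel count is zero (CVE-2017-11332)
"""

# Constructed: the SOX_IGNORE_CVES block from the sox.mk hunk, followed by an
# unrelated assignment to show that only the named variable is read.
MK_SNIPPET = """\
SOX_IGNORE_CVES += CVE-2017-11332 CVE-2017-11358 CVE-2017-11359 \\
\tCVE-2017-15370 CVE-2017-15371 CVE-2017-15372 CVE-2017-15642 \\
\tCVE-2017-18189 CVE-2019-8354 CVE-2019-8355 CVE-2019-8356 \\
\tCVE-2019-8357 CVE-2019-13590
SOX_CONF_OPTS = \\
\t--with-distro="Buildroot"
"""


def cves_in_log(text):
    """Every CVE id mentioned anywhere in the quoted git log output."""
    return set(CVE_RE.findall(text))


def ignored_cves(mk_text, var="SOX_IGNORE_CVES"):
    """CVE ids from every `var = ...` / `var += ...` assignment in a .mk file.

    Backslash-newline continuations are joined first so a multi-line
    assignment is seen as one logical line.
    """
    joined = mk_text.replace("\\\n", " ")
    assign = re.compile(r"\s*" + re.escape(var) + r"\s*\+?=\s*(.*)")
    found = set()
    for line in joined.splitlines():
        m = assign.match(line)
        if m:
            found |= set(CVE_RE.findall(m.group(1)))
    return found


def check_bump(log_text, mk_text, var="SOX_IGNORE_CVES"):
    """Return the two sets a reviewer cares about.

    fixed_not_ignored: fixed upstream per the log, but the CVE tracker would
                       still flag them because they are missing from `var`.
    ignored_not_fixed: listed in `var` with no matching entry in the log.
    """
    fixed = cves_in_log(log_text)
    ignored = ignored_cves(mk_text, var)
    return {
        "fixed": fixed,
        "ignored": ignored,
        "fixed_not_ignored": fixed - ignored,
        "ignored_not_fixed": ignored - fixed,
    }


if __name__ == "__main__":
    report = check_bump(GIT_LOG_LINES, MK_SNIPPET)
    print(f"{len(report['fixed'])} CVEs fixed in log, "
          f"{len(report['ignored'])} listed in SOX_IGNORE_CVES")
    for key in ("fixed_not_ignored", "ignored_not_fixed"):
        print(f"{key}: {sorted(report[key]) or 'none'}")
```

For this patch both difference sets come out empty and both counts are 13. To use it on a real tree, feed `git log --oneline old..new` output as the first argument and the contents of the package's .mk file as the second; a non-empty `fixed_not_ignored` is the usual mistake when a bump is rebased and the ignore list is not regenerated.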
* [Buildroot] [PATCH 1/1] package/sox: security bump to latest git commit
2021-02-03 20:00 [Buildroot] [PATCH 1/1] package/sox: security bump to latest git commit Fabrice Fontaine
@ 2021-02-04 17:20 ` Peter Korsgaard
2021-02-04 18:02 ` Fabrice Fontaine
2021-02-10 9:04 ` Peter Korsgaard
1 sibling, 1 reply; 5+ messages in thread
From: Peter Korsgaard @ 2021-02-04 17:20 UTC (permalink / raw)
To: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> Bump to the latest git commit as this will fix the following CVEs:
> git log|grep CVE
> sox-fmt: validate comments_bytes before use (CVE-2019-13590) [bug #325]
> fix possible null pointer deref in lsx_make_lpf() (CVE-2019-8357)
> fft4g: bail if size too large (CVE-2019-8356)
> fix possible overflow in lsx_(re)valloc() size calculation (CVE-2019-8355)
> fix possible buffer size overflow in lsx_make_lpf() (CVE-2019-8354)
> xa: validate channel count (CVE-2017-18189)
> aiff: fix crash on empty comment chunk (CVE-2017-15642)
> adpcm: fix stack overflow with >4 channels (CVE-2017-15372)
> flac: fix crash on corrupt metadata (CVE-2017-15371)
> wav: ima_adpcm: fix buffer overflow on corrupt input (CVE-2017-15370)
> wav: fix crash writing header when channel count >64k (CVE-2017-11359)
> hcom: fix crash on input with corrupt dictionary (CVE-2017-11358)
> wav: fix crash if channel count is zero (CVE-2017-11332)
> - Tweak configuration options due to
> https://sourceforge.net/p/sox/code/ci/6ff0e9322f9891f5a6ac6c9b3bceffbfca16bec3
> - libgsm is now an optional dependency since
> https://sourceforge.net/p/sox/code/ci/e548827ffcf4dffa7f21709b8e96b04b481c09b8
> - Add patch to put back --disable-stack-protector
It would be good if you could bring up this issue with upstream.
Committed, thanks.
--
Bye, Peter Korsgaard
* [Buildroot] [PATCH 1/1] package/sox: security bump to latest git commit
2021-02-04 17:20 ` Peter Korsgaard
@ 2021-02-04 18:02 ` Fabrice Fontaine
2021-02-04 18:34 ` Peter Korsgaard
0 siblings, 1 reply; 5+ messages in thread
From: Fabrice Fontaine @ 2021-02-04 18:02 UTC (permalink / raw)
To: buildroot
Hi Peter,
On Thu, 4 Feb 2021 at 18:20, Peter Korsgaard <peter@korsgaard.com> wrote:
>
> >>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
>
> > Bump to the latest git commit as this will fix the following CVEs:
> > git log|grep CVE
> > sox-fmt: validate comments_bytes before use (CVE-2019-13590) [bug #325]
> > fix possible null pointer deref in lsx_make_lpf() (CVE-2019-8357)
> > fft4g: bail if size too large (CVE-2019-8356)
> > fix possible overflow in lsx_(re)valloc() size calculation (CVE-2019-8355)
> > fix possible buffer size overflow in lsx_make_lpf() (CVE-2019-8354)
> > xa: validate channel count (CVE-2017-18189)
> > aiff: fix crash on empty comment chunk (CVE-2017-15642)
> > adpcm: fix stack overflow with >4 channels (CVE-2017-15372)
> > flac: fix crash on corrupt metadata (CVE-2017-15371)
> > wav: ima_adpcm: fix buffer overflow on corrupt input (CVE-2017-15370)
> > wav: fix crash writing header when channel count >64k (CVE-2017-11359)
> > hcom: fix crash on input with corrupt dictionary (CVE-2017-11358)
> > wav: fix crash if channel count is zero (CVE-2017-11332)
>
> > - Tweak configuration options due to
> > https://sourceforge.net/p/sox/code/ci/6ff0e9322f9891f5a6ac6c9b3bceffbfca16bec3
> > - libgsm is now an optional dependency since
> > https://sourceforge.net/p/sox/code/ci/e548827ffcf4dffa7f21709b8e96b04b481c09b8
> > - Add patch to put back --disable-stack-protector
>
> It would be good if you could bring up this issue with upstream.
Already done and patch sent upstream as stated in
0002-configure.ac-put-back-disable-stack-protector.patch.
>
> Committed, thanks.
>
> --
> Bye, Peter Korsgaard
Best Regards,
Fabrice
* [Buildroot] [PATCH 1/1] package/sox: security bump to latest git commit
2021-02-04 18:02 ` Fabrice Fontaine
@ 2021-02-04 18:34 ` Peter Korsgaard
0 siblings, 0 replies; 5+ messages in thread
From: Peter Korsgaard @ 2021-02-04 18:34 UTC (permalink / raw)
To: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
Hi,
>> It would be good if you could bring up this issue with upstream.
> Already done and patch sent upstream as stated in
> 0002-configure.ac-put-back-disable-stack-protector.patch.
Ups, sorry - Thanks.
--
Bye, Peter Korsgaard
* [Buildroot] [PATCH 1/1] package/sox: security bump to latest git commit
2021-02-03 20:00 [Buildroot] [PATCH 1/1] package/sox: security bump to latest git commit Fabrice Fontaine
2021-02-04 17:20 ` Peter Korsgaard
@ 2021-02-10 9:04 ` Peter Korsgaard
1 sibling, 0 replies; 5+ messages in thread
From: Peter Korsgaard @ 2021-02-10 9:04 UTC (permalink / raw)
To: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> Bump to the latest git commit as this will fix the following CVEs:
> git log|grep CVE
> sox-fmt: validate comments_bytes before use (CVE-2019-13590) [bug #325]
> fix possible null pointer deref in lsx_make_lpf() (CVE-2019-8357)
> fft4g: bail if size too large (CVE-2019-8356)
> fix possible overflow in lsx_(re)valloc() size calculation (CVE-2019-8355)
> fix possible buffer size overflow in lsx_make_lpf() (CVE-2019-8354)
> xa: validate channel count (CVE-2017-18189)
> aiff: fix crash on empty comment chunk (CVE-2017-15642)
> adpcm: fix stack overflow with >4 channels (CVE-2017-15372)
> flac: fix crash on corrupt metadata (CVE-2017-15371)
> wav: ima_adpcm: fix buffer overflow on corrupt input (CVE-2017-15370)
> wav: fix crash writing header when channel count >64k (CVE-2017-11359)
> hcom: fix crash on input with corrupt dictionary (CVE-2017-11358)
> wav: fix crash if channel count is zero (CVE-2017-11332)
> - Tweak configuration options due to
> https://sourceforge.net/p/sox/code/ci/6ff0e9322f9891f5a6ac6c9b3bceffbfca16bec3
> - libgsm is now an optional dependency since
> https://sourceforge.net/p/sox/code/ci/e548827ffcf4dffa7f21709b8e96b04b481c09b8
> - Add patch to put back --disable-stack-protector
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2020.02.x and 2020.11.x, thanks.
--
Bye, Peter Korsgaard