Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 14 Mar 2023 20:11:32 +0100
From: Steffen Nurpmeso <steffen@...oden.eu>
To: Helmut Grohne <helmut@...divi.de>
Cc: oss-security@...ts.openwall.com
Subject: Re: Re: sox: patches for old vulnerabilities

Hello and greetings.

Helmut Grohne wrote in
 <20230314110138.GA1192267@...divi.de>:
 |On Fri, Feb 03, 2023 at 09:44:47PM +0100, Helmut Grohne wrote:
 |>  * CVE-2021-33844
 |
 |The original fix for this issue would cause a regression. After applying
 |it, sox would be unable to decode WAV GSM files. This has been reported
 ...
 |I see that most distributions (e.g. RedHat, SUSE, Gentoo, etc.) have not
 |picked up the faulty patch. Ubuntu inherited it from Debian and will
 |likely inherit the fix as it gets fixed in Debian releases.

You have chosen not to update to latest possible git(?).

  ...
 |From: Helmut Grohne <helmut@...divi.de>
 |Subject: wav: reject 0 bits per sample to avoid division by zero
 |Bug: https://sourceforge.net/p/sox/bugs/349/
 |Bug-Debian: https://bugs.debian.org/1021135
 ...
 |--- a/src/wav.c
 |+++ b/src/wav.c
 ...
 |     default:
 |+        if (ft->encoding.bits_per_sample == 0)
 |+        {
 |+            lsx_fail_errno(ft, SOX_EHDR, "WAV file bits per sample \
 |is zero");
 |+            return SOX_EOF;
 |+        }


Now, latest git removed support for built-in GSM, and i am too
lazy and angry (do not get me started on Microsoft and OAuth for
a normal "app" that is to read mail, they now no longer accept
simple token refresh but with re-authenticating a 1024 or so bit
password after 3600 seconds, and then fail to accept SMTP even
though it is included, POP3 is not there anyway even though
announced, but IMAP is right -- is anybody here??  But that is
off-topic; just like my single-line graylister fix to support
verbose logs in non-development code, sic) to check it.

_But_ .. "default" is mysterious, there is WAVE_FORMAT_GSM610
right above, and it is optional in latest git, which does not even
support the "default:" label.
How can you reach "default:", thus?

 |         wav->numSamples = div_bits(qwDataLength, ft->encoding.bits_per_sam\
 |         ple) / ft->signal.channels;
 |         ft->signal.length = wav->numSamples * ft->signal.channels;
 |}

 --End of <20230314110138.GA1192267@...divi.de>

Subdivision is a top-modern song of Rush, no?

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.