Message-ID: <be3467cc-dd23-426f-a3b4-b46e06e006a0@gmail.com>
Date: Tue, 24 Jun 2025 15:32:00 +0200
From: Martin Guy <martinwguy@...il.com>
To: oss-security@...ts.openwall.com
Subject: sox_ng fixes 20 CVEs in sox

Hi!
   I thought I'd point operating systems packagers at sox_ng,
the Swiss Army knife of command-line audio processing
forked a year ago from sox.sf.net's last release, 14.4.2, of ten years ago
and fixing roughly 20 CVEs (all of them) including buffer overflows,
code injection via crafted sound files, and denials of service
(Segmentation faults and Floating Point Exceptions).

Most distros have 14.4.2 from 2015, some with a variety of patches and
a few base on sox.sf.net git HEAD from 2021-05 (ArchLinux, Artix,
buildroot, CRUX, FreeBSD, Gentoo, NixOS, OpenBSD, Parabola and Pisi Linux),
where not all CVEs are addressed and some that claim to be fixed aren't.

See https://codeberg.org/sox_ng/sox_ng/wiki/CVE for details.

Six distros have switched so far:
KaOS, Mageia, Rosa 13, stal/IX and T2 SDE install it as sox
and Solus provides both sox and sox_ng

The security-minded release is currently sox_ng-14.4.4
(14.5.* and 14.6.* have new features and possibly new bugs)

Keep up the good work

     M
