An update for sox is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3, openEuler-22.03-LTS, openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2
Security Advisory
openeuler-security@openeuler.org
openEuler security committee
openEuler-SA-2023-1931
Final
1.0
1.0
2023-12-15
Initial
2023-12-15
2023-12-15
openEuler SA Tool V1.0
2023-12-15
sox security update
An update for sox is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3, openEuler-22.03-LTS, openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2.
SoX is a cross-platform (Windows, Linux, MacOS X, etc.) command line utility that can convert various formats of computer audio files into other formats. It can also apply various effects to these sound files, and, as an added bonus, SoX can play and record audio files on most platforms.
Security Fix(es):
A vulnerability was found in SoX, where a heap-buffer-overflow occurs in function lsx_read_w_buf() in formats_i.c file. The vulnerability is exploitable with a crafted file that could cause an application to crash. (CVE-2021-23159)
A vulnerability was found in SoX, where a heap-buffer-overflow occurs in function startread() in hcom.c file. The vulnerability is exploitable with a crafted hcom file that could cause an application to crash. (CVE-2021-23172)
A floating point exception (divide-by-zero) issue was discovered in SoX in function read_samples() of voc.c file. An attacker with a crafted file could cause an application to crash. (CVE-2021-23210)
A floating point exception (divide-by-zero) issue was discovered in SoX in function startread() of wav.c file. An attacker with a crafted wav file could cause an application to crash. (CVE-2021-33844)
A floating point exception vulnerability was found in sox, in the lsx_aiffstartwrite function at sox/src/aiff.c:622:58. This flaw can lead to a denial of service. (CVE-2023-26590)
A floating point exception vulnerability was found in sox, in the read_samples function at sox/src/voc.c:334:18. This flaw can lead to a denial of service. (CVE-2023-32627)
A heap buffer overflow vulnerability was found in sox, in the startread function at sox/src/hcom.c:160:41. This flaw can lead to a denial of service, code execution, or information disclosure. (CVE-2023-34318)
A heap buffer overflow vulnerability was found in sox, in the lsx_readbuf function at sox/src/formats_i.c:98:16. This flaw can lead to a denial of service, code execution, or information disclosure. (CVE-2023-34432)
openEuler Security has rated this update as having a security impact of high. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
High
sox
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1931
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-23159
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-23172
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-23210
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-33844
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-26590
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-32627
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-34318
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-34432
https://nvd.nist.gov/vuln/detail/CVE-2021-23159
https://nvd.nist.gov/vuln/detail/CVE-2021-23172
https://nvd.nist.gov/vuln/detail/CVE-2021-23210
https://nvd.nist.gov/vuln/detail/CVE-2021-33844
https://nvd.nist.gov/vuln/detail/CVE-2023-26590
https://nvd.nist.gov/vuln/detail/CVE-2023-32627
https://nvd.nist.gov/vuln/detail/CVE-2023-34318
https://nvd.nist.gov/vuln/detail/CVE-2023-34432
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP3
openEuler-22.03-LTS
openEuler-22.03-LTS-SP1
openEuler-22.03-LTS-SP2
sox-debugsource-14.4.2.0-29.oe1.aarch64.rpm
sox-debuginfo-14.4.2.0-29.oe1.aarch64.rpm
sox-devel-14.4.2.0-29.oe1.aarch64.rpm
sox-14.4.2.0-29.oe1.aarch64.rpm
sox-debugsource-14.4.2.0-29.oe1.aarch64.rpm
sox-devel-14.4.2.0-29.oe1.aarch64.rpm
sox-debuginfo-14.4.2.0-29.oe1.aarch64.rpm
sox-14.4.2.0-29.oe1.aarch64.rpm
sox-devel-14.4.2.0-29.oe2203.aarch64.rpm
sox-14.4.2.0-29.oe2203.aarch64.rpm
sox-debugsource-14.4.2.0-29.oe2203.aarch64.rpm
sox-debuginfo-14.4.2.0-29.oe2203.aarch64.rpm
sox-debuginfo-14.4.2.0-29.oe2203sp1.aarch64.rpm
sox-14.4.2.0-29.oe2203sp1.aarch64.rpm
sox-debugsource-14.4.2.0-29.oe2203sp1.aarch64.rpm
sox-devel-14.4.2.0-29.oe2203sp1.aarch64.rpm
sox-debuginfo-14.4.2.0-29.oe2203sp2.aarch64.rpm
sox-14.4.2.0-29.oe2203sp2.aarch64.rpm
sox-devel-14.4.2.0-29.oe2203sp2.aarch64.rpm
sox-debugsource-14.4.2.0-29.oe2203sp2.aarch64.rpm
sox-help-14.4.2.0-29.oe1.noarch.rpm
sox-help-14.4.2.0-29.oe1.noarch.rpm
sox-help-14.4.2.0-29.oe2203.noarch.rpm
sox-help-14.4.2.0-29.oe2203sp1.noarch.rpm
sox-help-14.4.2.0-29.oe2203sp2.noarch.rpm
sox-14.4.2.0-29.oe1.src.rpm
sox-14.4.2.0-29.oe1.src.rpm
sox-14.4.2.0-29.oe2203.src.rpm
sox-14.4.2.0-29.oe2203sp1.src.rpm
sox-14.4.2.0-29.oe2203sp2.src.rpm
sox-debuginfo-14.4.2.0-29.oe1.x86_64.rpm
sox-devel-14.4.2.0-29.oe1.x86_64.rpm
sox-14.4.2.0-29.oe1.x86_64.rpm
sox-debugsource-14.4.2.0-29.oe1.x86_64.rpm
sox-debugsource-14.4.2.0-29.oe1.x86_64.rpm
sox-debuginfo-14.4.2.0-29.oe1.x86_64.rpm
sox-devel-14.4.2.0-29.oe1.x86_64.rpm
sox-14.4.2.0-29.oe1.x86_64.rpm
sox-devel-14.4.2.0-29.oe2203.x86_64.rpm
sox-14.4.2.0-29.oe2203.x86_64.rpm
sox-debugsource-14.4.2.0-29.oe2203.x86_64.rpm
sox-debuginfo-14.4.2.0-29.oe2203.x86_64.rpm
sox-debugsource-14.4.2.0-29.oe2203sp1.x86_64.rpm
sox-devel-14.4.2.0-29.oe2203sp1.x86_64.rpm
sox-debuginfo-14.4.2.0-29.oe2203sp1.x86_64.rpm
sox-14.4.2.0-29.oe2203sp1.x86_64.rpm
sox-devel-14.4.2.0-29.oe2203sp2.x86_64.rpm
sox-debugsource-14.4.2.0-29.oe2203sp2.x86_64.rpm
sox-14.4.2.0-29.oe2203sp2.x86_64.rpm
sox-debuginfo-14.4.2.0-29.oe2203sp2.x86_64.rpm
A vulnerability was found in SoX, where a heap-buffer-overflow occurs in function lsx_read_w_buf() in formats_i.c file. The vulnerability is exploitable with a crafted file that could cause an application to crash.
2023-12-15
CVE-2021-23159
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP3
openEuler-22.03-LTS
openEuler-22.03-LTS-SP1
openEuler-22.03-LTS-SP2
Medium
5.5
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
sox security update
2023-12-15
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1931
A vulnerability was found in SoX, where a heap-buffer-overflow occurs in function startread() in hcom.c file. The vulnerability is exploitable with a crafted hcom file that could cause an application to crash.
2023-12-15
CVE-2021-23172
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP3
openEuler-22.03-LTS
openEuler-22.03-LTS-SP1
openEuler-22.03-LTS-SP2
Medium
5.5
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
sox security update
2023-12-15
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1931
A floating point exception (divide-by-zero) issue was discovered in SoX in function read_samples() of voc.c file. An attacker with a crafted file could cause an application to crash.
2023-12-15
CVE-2021-23210
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP3
openEuler-22.03-LTS
openEuler-22.03-LTS-SP1
openEuler-22.03-LTS-SP2
Medium
5.5
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
sox security update
2023-12-15
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1931
A floating point exception (divide-by-zero) issue was discovered in SoX in function startread() of wav.c file. An attacker with a crafted wav file could cause an application to crash.
2023-12-15
CVE-2021-33844
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP3
openEuler-22.03-LTS
openEuler-22.03-LTS-SP1
openEuler-22.03-LTS-SP2
Medium
5.5
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
sox security update
2023-12-15
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1931
A floating point exception vulnerability was found in sox, in the lsx_aiffstartwrite function at sox/src/aiff.c:622:58. This flaw can lead to a denial of service.
2023-12-15
CVE-2023-26590
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP3
openEuler-22.03-LTS
openEuler-22.03-LTS-SP1
openEuler-22.03-LTS-SP2
Medium
5.5
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
sox security update
2023-12-15
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1931
A floating point exception vulnerability was found in sox, in the read_samples function at sox/src/voc.c:334:18. This flaw can lead to a denial of service.
2023-12-15
CVE-2023-32627
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP3
openEuler-22.03-LTS
openEuler-22.03-LTS-SP1
openEuler-22.03-LTS-SP2
Medium
5.5
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
sox security update
2023-12-15
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1931
A heap buffer overflow vulnerability was found in sox, in the startread function at sox/src/hcom.c:160:41. This flaw can lead to a denial of service, code execution, or information disclosure.
2023-12-15
CVE-2023-34318
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP3
openEuler-22.03-LTS
openEuler-22.03-LTS-SP1
openEuler-22.03-LTS-SP2
High
7.8
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
sox security update
2023-12-15
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1931
A heap buffer overflow vulnerability was found in sox, in the lsx_readbuf function at sox/src/formats_i.c:98:16. This flaw can lead to a denial of service, code execution, or information disclosure.
2023-12-15
CVE-2023-34432
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP3
openEuler-22.03-LTS
openEuler-22.03-LTS-SP1
openEuler-22.03-LTS-SP2
High
7.8
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
sox security update
2023-12-15
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1931