摘要:
sox security update
安全等级: Medium
公告ID: KylinSec-SA-2025-1129
发布日期: 2025年3月8日
关联CVE: CVE-2019-13590 CVE-2019-8354 CVE-2019-8355 CVE-2019-8356 CVE-2019-8357
SoX is a cross-platform (Windows, Linux, MacOS X, etc.) command line utility that can convert various formats of computer audio files in to other formats. It can also apply various effects to these sound files, and, as an added bonus, SoX can play and record audio files on most platforms.
Security Fix(es):
An issue was discovered in libsox.a in SoX 14.4.2. In sox-fmt.h (startread function), there is an integer overflow on the result of integer addition (wraparound to 0) fed into the lsx_calloc macro that wraps malloc. When a NULL pointer is returned, it is used without a prior check that it is a valid pointer, leading to a NULL pointer dereference on lsx_readbuf in formats_i.c.(CVE-2019-13590)
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c has an integer overflow on the result of multiplication fed into malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow.(CVE-2019-8354)
An issue was discovered in SoX 14.4.2. In xmalloc.h, there is an integer overflow on the result of multiplication fed into the lsx_valloc macro that wraps malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow in channels_start in remix.c.(CVE-2019-8355)
An issue was discovered in SoX 14.4.2. One of the arguments to bitrv2 in fft4g.c is not guarded, such that it can lead to write access outside of the statically declared array, aka a stack-based buffer overflow.(CVE-2019-8356)
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c allows a NULL pointer dereference.(CVE-2019-8357)
| cve名称 | 产品 | 组件 | 是否受影响 |
|---|---|---|---|
| CVE-2019-13590 | KY3.4-5A | sox | Fixed |
| CVE-2019-13590 | KY3.5.2 | sox | Fixed |
| CVE-2019-13590 | V6 | sox | Fixed |
| CVE-2019-8354 | KY3.4-5A | sox | Fixed |
| CVE-2019-8354 | KY3.5.2 | sox | Fixed |
| CVE-2019-8354 | V6 | sox | Fixed |
| CVE-2019-8355 | KY3.4-5A | sox | Fixed |
| CVE-2019-8355 | KY3.5.2 | sox | Fixed |
| CVE-2019-8355 | V6 | sox | Fixed |
| CVE-2019-8356 | KY3.4-5A | sox | Fixed |
| CVE-2019-8356 | KY3.5.2 | sox | Fixed |
| CVE-2019-8356 | V6 | sox | Fixed |
| CVE-2019-8357 | KY3.4-5A | sox | Fixed |
| CVE-2019-8357 | KY3.5.2 | sox | Fixed |
| CVE-2019-8357 | V6 | sox | Fixed |
| 软件名称 | 架构 | 版本号 |
|---|---|---|
| sox-help | noarch | 14.4.2.0-31.kb1.ky3_4 |
| sox | x86_64 | 14.4.2.0-31.kb1.ky3_4 |
| sox-devel | x86_64 | 14.4.2.0-31.kb1.ky3_4 |
| sox | aarch64 | 14.4.2.0-31.kb1.ky3_4 |
| sox-devel | aarch64 | 14.4.2.0-31.kb1.ky3_4 |
| 软件名称 | 架构 | 版本号 |
|---|---|---|
| sox-help | noarch | 14.4.2.0-31.ks6 |
| sox | x86_64 | 14.4.2.0-31.ks6 |
| sox-devel | x86_64 | 14.4.2.0-31.ks6 |
| sox | aarch64 | 14.4.2.0-31.ks6 |
| sox-devel | aarch64 | 14.4.2.0-31.ks6 |
| 软件名称 | 架构 | 版本号 |
|---|---|---|
| sox-help | noarch | 14.4.2.0-31.ky3_5 |
| sox | x86_64 | 14.4.2.0-31.ky3_5 |
| sox-devel | x86_64 | 14.4.2.0-31.ky3_5 |
| sox | aarch64 | 14.4.2.0-31.ky3_5 |
| sox-devel | aarch64 | 14.4.2.0-31.ky3_5 |
方法一:下载安装包进行升级安装
1、通过下载链接下载需要升级的升级包保存,如 xxx.rpm
2、通过rpm命令升级,如 rpm -Uvh xxx.rpm
方法二:通过软件源进行升级安装
1、保持能够连接上互联网
2、通过yum命令升级指定的包,如 yum install 包名
