Bugzilla – Bug 1212060
VUL-0: CVE-2023-26590: sox: floating point exception in src/aiff.c
Last modified: 2024-05-29 11:16:01 UTC
CVE-2023-26590 A vulnerabilty was found in sox v14.4.3, Floating Point Exception vulnerability that exists in the lsx_aiffstartwrite function at sox/src/aiff.c:622:58. This vulnerability could lead to security issues such as denial of service. References: https://sourceforge.net/p/sox/bugs/370/. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-26590 https://bugzilla.redhat.com/show_bug.cgi?id=2212279
@Takashi: any idea who might feel responsible for sox? From the changes file there does not seem to be anybody who cares directly and selecting someone at random from multimedia:apps might also not be the best option. There are three more bugs..
(In reply to Robert Frohl from comment #2) > @Takashi: any idea who might feel responsible for sox? From the changes file > there does not seem to be anybody who cares directly and selecting someone > at random from multimedia:apps might also not be the best option. Actually that's the only way :) > There are three more bugs.. I suppose it's only for openSUSE, right? I can try patching if the fix patches are provided in the upstream.
(In reply to Takashi Iwai from comment #3) > (In reply to Robert Frohl from comment #2) > > > There are three more bugs.. > > I suppose it's only for openSUSE, right? I can try patching if the fix > patches are provided in the upstream. Yes, I think so. sox was dropped from SLE a while back. I will assign them to you then. Thanks!
It seems that this bug is fixed by the old bug fix CVE-2022-31650. I backported the patch taken from Debian.
Fixes submitted to Leap 15.4/15.5 and TW. Reassigned back to security team.
This is an autogenerated message for OBS integration: This bug (1212060) was mentioned in https://build.opensuse.org/request/show/1120242 Backports:SLE-15-SP4 / sox https://build.opensuse.org/request/show/1120243 Backports:SLE-15-SP5 / sox
openSUSE-SU-2023:0328-1: An update that fixes 10 vulnerabilities is now available. Category: security (important) Bug References: 1212060,1212061,1212062,1212063 CVE References: CVE-2019-13590,CVE-2021-23159,CVE-2021-33844,CVE-2021-3643,CVE-2021-40426,CVE-2022-31650,CVE-2022-31651,CVE-2023-32627,CVE-2023-34318,CVE-2023-34432 JIRA References: Sources used: openSUSE Backports SLE-15-SP4 (src): sox-14.4.2-bp154.2.3.1
openSUSE-SU-2023:0329-1: An update that fixes 10 vulnerabilities is now available. Category: security (important) Bug References: 1212060,1212061,1212062,1212063 CVE References: CVE-2019-13590,CVE-2021-23159,CVE-2021-33844,CVE-2021-3643,CVE-2021-40426,CVE-2022-31650,CVE-2022-31651,CVE-2023-32627,CVE-2023-34318,CVE-2023-34432 JIRA References: Sources used: openSUSE Backports SLE-15-SP5 (src): sox-14.4.2-bp155.3.3.1
Thanks Takashi!
done, closing
Reopening: Missing in Leap 15.6. Please process incoming submission or fix in Leap 15.6 in your chosen way. (bug 1225537)
As per bug 1225537 now also fixed in Leap 15.6, closing