debian/README.source

Package Structure
-----------------

Say the upstream SoX version is 14.4.1.
The orig tarball is created by renaming sox-14.4.1.tar.gz to
sox_14.4.1.orig.tar.gz .

Modifying and Patching the Source
---------------------------------

Patches are or can be applied using quilt.
See the excellent tutorial on how to use quilt by Raphaël Hertzog:
http://raphaelhertzog.com/2012/08/08/how-to-use-quilt-to-manage-patches-in-debian-packages/

 -- Pascal Giard  Tue, 22 Jan 2013 22:56:30 -0500

debian/changelog

sox (14.4.1-3ubuntu1.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Buffer overflow
    - debian/patches/0001-Check-for-minimum-size-sphere-headers.patch: Avoid
      integer underflow by validating the header_size_ul for NIST sphere
      formatted media files.
    - debian/patches/0002-More-checks-for-invalid-MS-ADPCM-blocks.patch: Check
      the number of samples in a wav block against the expected samples per
      block.
    - CVE-2014-8145
  * SECURITY UPDATE: Division by zero
    - debian/patches/CVE-2017-11332.patch: wav: fix crash if channel count is
      zero
    - CVE-2017-11332
  * SECURITY UPDATE: Division by zero
    - debian/patches/CVE-2017-11358.patch: hcom: fix crash on input with
      corrupt dictionary
    - CVE-2017-11358
  * SECURITY UPDATE: Invalid memory read
    - debian/patches/CVE-2017-11359.patch: wav: fix crash writing header when
      channel count >64k
    - CVE-2017-11359
  * SECURITY UPDATE: Buffer overflow
    - debian/patches/CVE-2017-15370.patch: wav: ima_adpcm: fix buffer overflow
      on corrupt input
    - CVE-2017-15370
  * SECURITY UPDATE: Buffer overflow
    - debian/patches/CVE-2017-15371.patch: flac: fix crash on corrupt metadata
    - CVE-2017-15371
  * SECURITY UPDATE: Buffer overflow
    - debian/patches/CVE-2017-15372.patch: adpcm: fix stack overflow with >4
      channels
    - CVE-2017-15372
  * SECURITY UPDATE: Use after free
    - debian/patches/CVE-2017-15642.patch: adpcm: fix a use after free and
      double free if an empty comment chunk follows a non-empty one.
    - CVE-2017-15642
  * SECURITY UPDATE: NULL pointer dereference
    - debian/patches/CVE-2017-18189.patch: Prevent infinite loop caused by
      specifying zero channels in a header. Also add an upper bound to prevent
      overflow in multiplication
    - CVE-2017-18189

 -- Mike Salvatore  Thu, 31 Jan 2019 11:22:54 -0500

sox (14.4.1-3ubuntu1) trusty; urgency=medium

  * Build with dh-autoreconf instead of autotools-dev for new libtool.

 -- William Grant  Tue, 31 Dec 2013 01:34:27 +0000

sox (14.4.1-3) unstable; urgency=low

  * [debian/rules]:
    - Added an explicit call to dh_installchangelogs as Ubuntu no longer does
      it by default. It's important for us as it contains the list of past
      contributors.
  * [debian/docs]:
    - Fixed paths to files.

 -- Pascal Giard  Mon, 15 Apr 2013 21:20:12 -0400

sox (14.4.1-2) unstable; urgency=low

  * [debian/libsox-fmt-base.install.in]:
    - Added all missing sndfile-derived formats. Thanks to Ulrich Klauer for
      the patch (LP: #1086889).
  * [debian/control]:
    - Removed duplicate section field for sox. Fixes lintian warning.
    - Added Build-Dep on autotools-dev for dh_autotools_dev.
  * [debian/rules]:
    - Use dh_autotools_dev to update the outdated autotools helper files.
      Fixes lintian warning.

 -- Pascal Giard  Fri, 22 Feb 2013 22:38:19 -0500

sox (14.4.1-1) unstable; urgency=low

  * New upstream release.
    - Fixed misleading error message (closes: #676143).
    - Fixed early termination on Ogg Vorbis files with a non-power of two
      number of channels (closes: #672567).
  * [debian/source/format]:
    - Finally switched to dpkg-source 3.0 (quilt) format!
  * [debian/rules]:
    - No longer using CDBS and deprecated makefiles, fixes lintian warnings
      "debian-rules-uses-deprecated-makefile".
    - Added multiarch support.
  * [debian/control]:
    - Added Vcs-Git and Vcs-Browser pointing to upstream VCS.
    - Added Pre-Depends on multiarch-support for libsox2, does not seem to be
      required for the other packages (contradiction in the documentation?),
      fixes lintian warning "missing-pre-dependency-on-multiarch-support".
    - Bumped Standards-Version to 3.9.3, no changes needed.
    - Set Multi-Arch on the shared libraries where appropriate.
    - Set Section to libs for all libsox* but libsox-dev.
  * [debian/patches/01_default_audio_driver_fallback.patch]:
    - Removed, fixed upstream.
  * [debian/compat]:
    - Bumped to 9 to automatically use dpkg-buildflags, fixes lintian warnings
      "hardening-no-relro" and some "hardening-no-fortify-functions" (there
      are still 5 false positives on the latter though).
  * [debian/watch]:
    - Updated watch file, thanks to Bart Martens.
  * [debian/README.source]:
    - Updated to reflect the much simplified packaging and usage of quilt.

 -- Pascal Giard  Mon, 11 Feb 2013 22:25:36 -0500

sox (14.4.0-5) unstable; urgency=low

  * [debian/patches/01_default_audio_driver_fallback.patch]:
    - Updated to only use try_device() on pulseaudio. Thanks to Ulrich Klauer
      for the patch (closes: #676167).

 -- Pascal Giard  Fri, 18 Jan 2013 22:29:15 -0500

sox (14.4.0-4) experimental; urgency=low

  * [debian/rules, debian/control, debian/libsox-fmt-ffmpeg.dirs,
     debian/libsox-fmt-ffmpeg.install]:
    - Explicitly disabled and removed ffmpeg support as it's broken. It is
      being deprecated in the next upstream version anyway (closes: #693642).

 -- Pascal Giard  Thu, 17 Jan 2013 21:18:45 -0500

sox (14.4.0-3) unstable; urgency=low

  * [debian/patches/01_default_audio_driver_fallback.patch]:
    - Added default audio driver fallback. Thanks to Rob Sykes for the patch
      (closes: #664301).

 -- Pascal Giard  Sun, 06 May 2012 22:55:25 -0400

sox (14.4.0-2) unstable; urgency=low

  * [debian/sox.install, debian/libsox-dev.install]:
    - Removed brace expansions fixing lintian warning
      "brace-expansion-in-debhelper-config-file".
  * [debian/control]:
    - Added versioned dependency to format libraries, fixes upgrades in some
      use cases.
    - Added MP2 to short description of libsox-fmt-mp3.
  * [debian/copyright]:
    - Long due update, thanks to Ulrich Klauer for pointing this out.
    - libst is now libsox.
    - FFT code is no longer Audacity's GPL code.
    - Updated link to LGPL license to 2.1.

 -- Pascal Giard  Sun, 11 Mar 2012 23:59:36 -0400

sox (14.4.0-1) unstable; urgency=low

  * New upstream release.
    - sox_format_quit() resets format counts (closes: #660552).
    - Added support for MP2 via TwoLAME.
  * [debian/patches/01_transition_to_libav.patch]:
    - Removed, fixed upstream.
  * [debian/control]:
    - Use arch wildcards and added missing whitespaces (closes: #651754).
    - Changed Build-Dep on libpng-dev instead of libpng12-dev
      (closes: #662509).
    - Bumped libsox1b to libsox2, interface changes.
    - Added Build-Dep on libtwolame-dev and updated libsox-fmt-mp3
      description.

 -- Pascal Giard  Tue, 06 Mar 2012 22:49:42 -0500

sox (14.3.2-3) unstable; urgency=low

  * [debian/control]:
    - Added armhf to architectures for which libsox-fmt-alsa should be built,
      thanks to Konstantinos Margaritis (closes: #645397).

 -- Pascal Giard  Sat, 10 Dec 2011 23:53:50 -0500

sox (14.3.2-2) unstable; urgency=low

  * Dynamically link against libmp3lame now that it's part of main
    (closes: #627687).
  * Preparing for transition from ffmpeg to libav (closes: #638206).
  * [debian/rules]:
    - Removed --enable-dl-lame, no longer needed.
  * [debian/control]:
    - Added Build-Dep on libmp3lame-dev.
    - Updated libsox-fmt-mp3 to reflect the change.
  * [debian/patches/01_transition_to_libav.patch]:
    - Added support for libav while still supporting ffmpeg.

 -- Pascal Giard  Sun, 21 Aug 2011 23:57:28 -0400

sox (14.3.2-1) unstable; urgency=low

  * New upstream release (closes: #616098).
    - Fixed segfault for some LADSPA effects (closes: #555940).
    - Fixed --with-dyn-default for sndfile, amr-nb and amr-wb.
  * [debian/patches/01_fix_ffmpeg_alignment.patch]:
    - Removed, fixed upstream.
  * [debian/control]:
    - Fixed build-dep minimum required version of libavcodec to 4:0.6.0. The
      mips arch currently fails to build as it is still at 0.5.x.
    - Modified libsox-fmt-mp3 to include a note on mp3 support.
  * [debian/rules]:
    - Removed --without-lame and added --enable-dl-lame to configure flags.
      LAME can now be detected at runtime; the user HAS to install LAME
      himself (closes: #382275, #480180).
  * [debian/libsox-fmt-base.install]:
    - Added new dynamic libraries for sndfile, amr-nb and amr-wb.

 -- Pascal Giard  Wed, 02 Mar 2011 11:04:21 -0500

sox (14.3.1-2) unstable; urgency=low

  * [debian/patches/01_fix_ffmpeg_alignment.patch]:
    - Fixed ffmpeg segfault caused by alignment requirements, thanks to
      Reuben Thomas (closes: #537511).
  * [debian/rules]:
    - Set distro based on the build distribution, thanks to Benjamin Drung
      for the patch (closes: #612409).
    - Removed -D_REENTRANT from CFLAGS.
  * [debian/control, debian/copyright, debian/libsox-dev.install]:
    - Executed wrap-and-sort from ubuntu-dev-tools as suggested by
      Benjamin Drung, thanks! (closes: #612410).
  * [debian/control]:
    - Bumped standard version to 3.9.1.
  * [debian/source/format]:
    - Specified format 1.0 (TODO: move to quilt 3.0).

 -- Pascal Giard  Fri, 11 Feb 2011 21:13:57 -0500

sox (14.3.1-1) unstable; urgency=medium

  * New upstream release.
    - Single-threaded is now default (closes: #546944).
    - Support for OpenCore-derived implementation of AMR (closes: #193348).
  * [debian/control]:
    - Improved PulseAudio integration.
    - Bumped standard version to 3.8.3, no changes required.
    - Removed duplicate section control field, inherited from source.
    - Removed Guenter Geiger from uploaders (closes: #546952).
    - Removed depend on alsa for fmt-all on non-Linux systems
      (closes: #539224).
    - Added build-dep on libopencore-amrnb-dev and libopencore-amrwb-dev.
    - Bumped Standards-Version to 3.8.4, no changes needed.
    - Bumped libsox1a to libsox1b, interface changes.
  * [debian/changelog]:
    - Fixed to spelling errors reported by Lintian.
  * [debian/README.source]:
    - Fixed typo.
  * [debian/docs]:
    - Added README.source (really fixes #522548).
  * [debian/libsox-fmt-base.install]:
    - Removed formats now in libsox.
  * [debian/rules]:
    - Enable amr-nb and amr-wb as there is now an implementation in main.

 -- Pascal Giard  Wed, 05 May 2010 14:33:18 -0400

sox (14.3.0-1.1) unstable; urgency=low

  * Non-maintainer upload.
  * Add missing Replaces from libsox-fmt-base to libsox-fmt-sndfile. Fix file
    overwrite errors when upgrading from Lenny. (Closes: #540497)

 -- Stefano Zacchiroli  Sun, 04 Oct 2009 14:44:45 +0200

sox (14.3.0-1) unstable; urgency=low

  * New upstream release.
  * [debian/control]:
    - Added build depend on libpulse-dev.
    - Added PulseAudio package.
    - Bumped libsox1 to libsox1a, new version is binary incompatible.
  * [debian/rules]:
    - Added distro name.
    - Added dynamic library configure flag.
    - Re-enabled libmagic as it's not used by default anymore.
    - Explicitly disabled amrwb and amrnb.
    - Removed now useless --disable-rpath flag.
    - Made patch target available at all times.
  * [debian/libsox-fmt-pulse.dirs,debian/libsox-fmt-pulse.install]:
    - Added PulseAudio library.
  * [debian/libsox-fmt-base.install]:
    - Removed formats libraries that are now included in libsox.
  * [debian/mime]:
    - Fixed by moving the argument before the filename, thanks to
      Robert Grimm (closes: #530899).
  * [debian/README.source]:
    - Added documentation on the debian source package. This follows section
      4.14 of the Debian Policy Manual (closes: #522548).
  * [debian/watch]:
    - Bump version to 3 as recommended by uscan manpage.

 -- Pascal Giard  Sat, 04 Jul 2009 12:55:41 -0400

sox (14.2.0-2) unstable; urgency=low

  * [debian/rules]: Disabled libmagic (closes: #521639, #522241).
  * [debian/control]:
    - Added misc-Depends to all packages.
    - Updated version of build depend on debhelper to 7.
    - Updated standard version to 3.8.1, no changes required.
  * [debian/watch]: Use sourceforge.net redirector.
  * [debian/compat]: Bumped debhelper compat version to 7.
  * [debian/copyright]: Refer to versioned GPL-2 and LGPL-2 files.

 -- Pascal Giard  Thu, 09 Apr 2009 23:37:14 -0400

sox (14.2.0-1) unstable; urgency=low

  * New upstream release (closes: #479557, #484562, #499041).
  * [debian/control]:
    - libsox1 replaces libsox0a.
    - Improved libsox1 short and long descriptions (closes: #493483).
    - Moved Homepage field to source.
    - Prevented libsox-fmt-alsa from being packaged where alsa doesn't exist.
    - Improved libsox-fmt-base description by giving format examples.
    - Added Build-Dep on libmagic-dev.

 -- Pascal Giard  Tue, 25 Nov 2008 21:29:26 -0500

sox (14.1.0-1) unstable; urgency=medium

  * New upstream release:
    - Adds support for the 2, 2.6 and 4-bit ADPCM .voc (closes: #103479).
    - Adds pkgconfig support (closes: #462704).
    - Fixes issue with ALSA playback (closes: #474961).
    - Adds many formats supported by sndfile.
  * [debian/libsox-fmt-base.install]:
    - Removed auto library, no longer exists upstream.
    - Added Hidden Markov Model speech processing format (htk) library.
    - Added Aaron Wallace's `Sounder' of 1991 format (sndr) library.
    - Added Martin Hepperle's `SoundTool' of 1991/2 format (sndt) library.
    - Added WavPack format (wv) library.
    - Added Apple's Core Audio Format (caf) library.
    - Added Ensoniq PARIS digital audio format (fap, paf) libraries.
    - Added Gnu Octave 2.0 and 2.1 format (mat, mat4, mat5) libraries.
    - Added Portable Voice Format (pvf) library.
    - Added Sound Designer II format (sd2) library.
    - Added Sound Forge Audio Format (w64) library.
    - Added Fasttracker 2 format (xi) library.
  * [debian/libsox-dev.install]:
    - Added pkgconfig file.
  * [debian/sox.install]:
    - Added soxi, a utility to extract/display file header fields.
  * [debian/patches/00-fix-segfault-64bit.diff]:
    - Removed, fixed upstream.
  * [debian/rules]:
    - Disabled patch system, no more patches.
    - Added -I/usr/include/ffmpeg to CPPFLAGS, required by ffmpeg >= 20080225.
  * [debian/control]:
    - Added Build-Dep on libavutil-dev, libwavpack-dev and libpng12-dev.
    - Fixed lintian warning, "meta package" changed to "metapackage".
    - Bumped Standards-Version to 3.8.0, needed changes were already made.
    - Removed libsox-fmt-gsm and libsox-fmt-sndfile, merged in
      libsox-fmt-base.
    - Added merged packages to Replaces field of libsox-fmt-base.
    - Bumped libsox0 to libsox0a, new version is binary incompatible.
  * [debian/libsox-fmt-gsm.install, debian/libsox-fmt-gsm.dirs,
     debian/libsox-fmt-libsndfile.install, debian/libsox-fmt-libsndfile.dirs,
     debian/libsox-fmt-flac.install, debian/libsox-fmt-flac.dirs,
     debian/libsox-fmt-ogg.install, debian/libsox-fmt-ogg.dirs]:
    - Removed, merged gsm, libsndfile, flac and ogg in libsox-fmt-base.

 -- Pascal Giard  Thu, 31 Jul 2008 08:12:08 -0400

sox (14.0.1-2) unstable; urgency=low

  * [debian/libsox-dev.install]:
    - Added libsfx.a and libsfx.so symlinks to libsox-dev (closes: #463800).
    - Removed *.la files.
  * [debian/patches/00-fix-segfault-64bit.diff]:
    - Fixed segfault on 64bit cpus with tempo and key effects
      (closes: #461300).
      Thanks to Sami Liedes.
  * [debian/rules]:
    - Enabled patch system.

 -- Pascal Giard  Wed, 13 Feb 2008 10:41:29 -0500

sox (14.0.1-1) unstable; urgency=low

  * New upstream release:
    - Report remaining playtime of mp3s (closes: #431120).
  * [debian/control]:
    - Added libid3tag0-dev to Build-Depends.
    - Bumped libsox-fmt-all, libsox-fmt-alsa | libsox-fmt-ao | libsox-fmt-oss
      to Depends for sox (closes: #450802, #454177, #460503).
    - Use Homepage field fixing lintian warnings.
    - Moved libsox-dev to libdevel section.
    - Bumped Standards-Version to 3.7.3.
  * [debian/rules]: Fix unoptimized build by using CFLAGS instead of
    DEB_CONFIGURE_SCRIPT_ENV (closes: #461001).

 -- Pascal Giard  Sat, 09 Feb 2008 08:56:17 -0500

sox (14.0.0-5) unstable; urgency=low

  * [debian/control]:
    - Copied libsox0 Recommends and Suggests to sox (closes: #447903).

 -- Pascal Giard  Wed, 24 Oct 2007 20:53:53 -0400

sox (14.0.0-4) unstable; urgency=low

  * [debian/control]:
    - Fixed depends for libsox-dev, libsox-fmt-base became libsox-fmt-all.
    - Fixed circular dependency libsox0 <--> libsox-fmt-base.
      + libsox0 no longer requires libsox-fmt-base (closes: #444926).
      + Added libsox-fmt-base to Recommends.
      + Retrograded libsox-fmt-all from Recommends to Suggests.
      + Improved long description of sox.

 -- Pascal Giard  Tue, 02 Oct 2007 21:14:39 -0400

sox (14.0.0-3) unstable; urgency=low

  * [debian/control]:
    - Added missing Build-Dep on libavformat-dev (closes: #444657).

 -- Pascal Giard  Sun, 30 Sep 2007 14:46:46 -0400

sox (14.0.0-2) unstable; urgency=low

  * [debian/control]: Proper short description for format packages.

 -- Pascal Giard  Sat, 29 Sep 2007 12:50:27 -0400

sox (14.0.0-1) unstable; urgency=low

  * New upstream release:
    - Another important release, please see the upstream changelog.
    - Adds dynamic libraries.
    - Adds playlist support (closes: #119470).
    - Uses libao output (closes: #391514, #421682).
    - Big-endian fix (closes: #421682).
    - Invalid pointer fix (closes: #414977).
    - la to wav conversion fix (closes: #435362).
    - FLAC support fix (closes: #437130).
    - Fixes extra noise at end of wav files (closes: #436012).
  * [debian/control]:
    - sox-dev renamed to libsox-dev.
    - Created libsox0 package that contains the SoX library.
    - Fixed sound file types description.
    - Added build dependency on libao-dev, libltdl3-dev, ladspa-sdk and
      libavcodec-dev.
    - No longer conflicting with libst and libst-dev.
    - Split format libraries in different packages (libsox-fmt-foo).
    - Added !hurd-i386 to dependency on libasound-dev (closes: #440470).
    - Replaced ${Source-Version} with ${binary:Version}.
  * [debian/libsox-dev.dirs]:
    - Added /usr/lib/sox/ for format plugins.
  * [debian/libsox0.install, debian/libsox-dev.install]:
    - Added library.
  * [debian/libsox-fmt-*]:
    - Added format plugins.
  * [debian/rules]:
    - Removed fPIC from CFLAGS as libtool takes care of it upstream.
    - Removed LDFLAGS -Wl,-z,defs as upstream is now doing it.
    - Added DEB_DH_MAKESHLIBS_ARGS -Xfmt to avoid useless calls to ldconfig.
    - Fixed lintian binary-or-shlib-defines-rpath warnings with configure
      flag.

 -- Pascal Giard  Wed, 12 Sep 2007 12:10:38 -0400

sox (13.0.0-1) unstable; urgency=low

  * New upstream version:
    - Huge amount of changes (closes: #345726, #274519, #257525).
    - Please see the upstream changelog.
    - Warning: some scripts may break with this new version.
    - Guenter set as co-maintainer.
    - soxmix no longer exists (closes: #349178, #374096).
  * Taking over the package with Guenter's permission.
    - Thanks a lot for all those years of maintenance!
  * [debian/control]:
    - Added build-depends on libsamplerate0-dev, libgsm1-dev and
      libsndfile1-dev.
    - Added !kfreebsd-amd64 to libasound2-dev (closes: #361487).
  * [debian/patches]: No more patches, everything is fixed upstream.
  * [debian/rules]:
    - Added -D_REENTRANT as required by policy on libraries.
    - Added -Wl,-z,defs to enforce symbol resolution at build time.
    - Disabled shared library for now, see README.Debian.
  * [debian/README.Debian]:
    - Added instructions to build from CVS.
    - Added information as to why shared lib is disabled for now.

 -- Pascal Giard  Fri, 23 Feb 2007 12:07:50 -0500

sox (12.18.2-2) unstable; urgency=low

  * [debian/patches/01_fix_draining.patch]:
    - Unofficial patch from upstream that fixes all effects relying on
      draining. Thanks to Chris Bagwell.
  * [debian/copyright]: Removed reminiscence of the old version.
  * [debian/patches/03_fix_manpage_typos.patch]:
    - Fixed typos in sox.1 and play.1 manpages. Thanks to A. Costa
      (closes: #404290, #404288).

 -- Pascal Giard  Sat, 23 Dec 2006 14:09:53 -0500

sox (12.18.2-1) unstable; urgency=low

  * Changes by Pascal Giard
    - New upstream version (closes: #397388, #374369).
    - [debian/rules]: Compiling with -fPIC (closes: #390715).
    - [debian/control]: Standards-Version bumped to 3.7.2, -fPIC was required.
    - [debian/copyright]: Fixed license attribution (closes: #398723).
    - [debian/patches/06_eof.patch]: Deleted, fixed upstream.
  * Fixed date format in changelog
    - New upstream version (closes: #336542, #402862)

 -- Guenter Geiger (Debian/GNU)  Tue, 5 Dec 2006 18:40:43 +0100

sox (12.17.9-1) unstable; urgency=low

  * New upstream version
  * Added ALSA support
  * Use play script from version 12.17.18 with multiple file support, I do
    not dare to switch to the new behaviour and ALSA by default yet.

 -- Guenter Geiger (Debian/GNU)  Thu, 15 Dec 2005 12:47:16 +0100

sox (12.17.8-1) unstable; urgency=low

  * New upstream version
  * New standards version

 -- Guenter Geiger (Debian/GNU)  Thu, 22 Sep 2005 14:31:55 +0200

sox (12.17.7-2) unstable; urgency=low

  * Moved ststdint.h to -dev package
  * fixed disk full problem (0_eof.patch) (closes: #313206)
  * sox-dev replaces earlier sox versions, upgrading should be safe
    (closes: #162942)
  * sox-dev includes st.h, st_i.h is only meant for sox internal use
    (closes: #254846)
  * Problem with rec script fixed upstream (closes: #272080)
  * Added soxexam.1 manpage (closes: #307661)
  * Applied patch for fixing -x behaviour (closes: #316346)
  * Applied manpage typo patch (closes: #302819)

 -- Guenter Geiger (Debian/GNU)  Fri, 15 Jul 2005 18:22:03 +0200

sox (12.17.7-1) unstable; urgency=low

  * New upstream version
  * removed free comment patch
  * OGG serial number bug fixed upstream (closes: #277288)
  * Added headers for -dev package in .install file (closes: #254846)

 -- Guenter Geiger (Debian/GNU)  Fri, 18 Mar 2005 12:43:34 +0100

sox (12.17.5-4) unstable; urgency=low

  * Disabled broken ALSA support (closes: #274151)

 -- Guenter Geiger (Debian/GNU)  Fri, 8 Oct 2004 19:16:37 +0200

sox (12.17.5-3) unstable; urgency=low

  * removed free() call for ft->format in wav.c (closes: #267147)

 -- Guenter Geiger (Debian/GNU)  Tue, 24 Aug 2004 10:57:44 +0200

sox (12.17.5-2) unstable; urgency=low

  * Fixed the dangling symlink problem (closes: #266301)

 -- Guenter Geiger (Debian/GNU)  Tue, 17 Aug 2004 15:29:00 +0200

sox (12.17.5-1) unstable; urgency=low

  * New upstream release
  * moved to patch system (for Debian applied patches see debian/patches)
  * added watch file
  * added Homepage in control file

 -- Guenter Geiger (Debian/GNU)  Sun, 15 Aug 2004 22:28:45 +0200

sox (12.17.4-9) unstable; urgency=low

  * Applied security patch (http://secunia.com/advisories/12175/)
    (closes: 262083)
  * Applied patch to resample.c for correct function definition
    (closes: 262085) thanks to Adam Majer
  * Fixed vorbis debug output (closes: 250272)
  * patched vorbis.c to create correct comment entries (closes: 244163)

 -- Guenter Geiger (Debian/GNU)  Fri, 30 Jul 2004 13:47:29 +0200

sox (12.17.4-8) unstable; urgency=low

  * patched wav.c with datalength patch. Thanks to Steven Critchfield
    (closes: 238794)
  * sox.1 manpage now documents the correct default behaviour (logarithmic)
    for fade effect (closes: 140573)
  * Compand effect seems to be fixed upstream (closes: 216791)
  * remove documentation for split effect from manpage. split doesn't exist
    (closes: 220194)
  * Disabled passing of options to sox (for consistency) (closes: 241653)
  * patched swap effect, fixes usage of swap with parameters 1 1
    (closes: 242051)
  * Updated play.1 man page (fixed wording)

 -- Guenter Geiger (Debian/GNU)  Mon, 5 Apr 2004 11:12:48 +0200

sox (12.17.4-7) unstable; urgency=low

  * debian/rules use cdbs
  * fixed libst-config behaviour (closes: #223672)
  * removed pick effect (same as avg) from description (closes: #188672)

 -- Guenter Geiger (Debian/GNU)  Tue, 13 Jan 2004 17:07:02 +0100

sox (12.17.4-6.1) unstable; urgency=low

  * NMU
  * Remove bash-ism from usr/bin/play (closes: #222157, #207001, #219608)
  * Fix call to ln in debian/rules (closes: #217373)
  * Remove commented debhelper calls from debian/rules.
  * Update debian/copyright file to indicate that sox is distributed under
    the LGPL, and note its new upstream website (closes: #210194)
  * Bump to Standards-Version 3.6.1

 -- Paul Cupis  Sat, 3 Jan 2004 16:04:22 +0000

sox (12.17.4-6) unstable; urgency=low

  * removed pan debug message (closes: #202839)

 -- Guenter Geiger (Debian/GNU)  Sat, 26 Jul 2003 14:41:57 +0200

sox (12.17.4-5) unstable; urgency=low

  * added help message to play with wrong arguments (closes: #174033)
  * extended the description (closes: #184034)

 -- Guenter Geiger (Debian/GNU)  Thu, 17 Jul 2003 18:06:41 +0200

sox (12.17.4-4) unstable; urgency=low

  * make copying of new config.guess, config.sub optional in rules
  * added libmad0 and libasound2-dev build depend

 -- Guenter Geiger (Debian/GNU)  Wed, 19 Mar 2003 13:53:36 +0100

sox (12.17.4-3) unstable; urgency=low

  * copied new config.guess, config.sub (closes: #185240)

 -- Guenter Geiger (Debian/GNU)  Tue, 18 Mar 2003 12:08:29 +0100

sox (12.17.4-2) unstable; urgency=low

  * fixed dangling rec link

 -- Guenter Geiger (Debian/GNU)  Tue, 18 Mar 2003 11:08:29 +0100

sox (12.17.4-1) unstable; urgency=low

  * new upstream version
  * Sox crashes on specific input problem fixed (closes: #166440)
  * rec filename problem fixed (closes: #175072)
  * Dependency problem seems to be gone (closes: #154951)

 -- Guenter Geiger (Debian/GNU)  Thu, 27 Feb 2003 13:26:15 +0100

sox (12.17.3-6) unstable; urgency=low

  * fixed audio rate bug (closes: #164033)

 -- Guenter Geiger (Debian/GNU)  Fri, 11 Oct 2002 13:11:24 +0200

sox (12.17.3-5) unstable; urgency=low

  * added Replaces to sox-dev, able to overwrite old sox files.
  * patched play (vadim_t _a_ teleline.es) (closes: 163726) (closes: 151344)
  * patched rec (vadim_t _a_ teleline.es) (closes: 163728)
  * removed the user path (@PREFIX@) from play.in (closes: 146650)
  * updated config.guess and config.sub (closes: 155228)
  * manpage states now that "-e" is only useful with stat effect
    (closes: 121156)
  * Trying to convert raw files now prints more verbose error message
    (closes: 121798)
  * removed split from manpage (can be done with -c 2) (closes: 148614)
  * fixed typo in play manpage (closes: 159876)

 -- Guenter Geiger (Debian/GNU)  Mon, 30 Sep 2002 12:48:17 +0200

sox (12.17.3-4.1) unstable; urgency=low

  * NMU to fix breakage caused by libvorbis0 split.

 -- Christopher L Cheney  Mon, 29 Jul 2002 23:00:00 -0500

sox (12.17.3-4) unstable; urgency=low

  * fixed the rec script (closes: #143262)

 -- Guenter Geiger (Debian/GNU)  Tue, 30 Apr 2002 17:24:18 +0200

sox (12.17.3-3) unstable; urgency=low

  * included patch for PPC (Closes: #132227)
  * reuploaded original source

 -- Guenter Geiger (Debian/GNU)  Wed, 3 Apr 2002 19:06:10 +0200

sox (12.17.3-2) unstable; urgency=low

  * fixed override disparity (sox-dev section = devel)

 -- Guenter Geiger (Debian/GNU)  Mon, 25 Feb 2002 10:17:36 +0100

sox (12.17.3-1) unstable; urgency=low

  * new upstream
  * split package into sox and sox-dev (sttools)
  * included vorbis support
  * remove PATH statement in play (closes: #129836)

 -- Guenter Geiger (Debian/GNU)  Thu, 17 Jan 2002 10:39:27 +0100

sox (12.17.2-1) unstable; urgency=low

  * new upstream version (closes: #117665)
  * (closes: #117122) gsm playback
  * (closes: #119459) trim effect
  * (closes: #79402) dat -> wav conversion fails

 -- Guenter Geiger (Debian/GNU)  Wed, 14 Nov 2001 11:34:19 +0100

sox (12.17.1-5.1) unstable; urgency=low

  * Non-Maintainer Upload.
  * debian/control:
    + fixed Build-Depends (debhelper needs to be >= 1.2.64, as it uses
      dh_installmime), libgsm1-dev shouldn't be a Build-Depend on hurd-i386
      (closes: #110556).
    + Standards-Version: 3.5.6.0.
  * debian/rules: removed dh_suidregister calls.

 -- Jordi Mallach  Tue, 30 Oct 2001 18:04:05 +0100

sox (12.17.1-5) unstable; urgency=low

  * added build depends, fixed manpage typo
    (closes: #113528 #110556 #113985)

 -- Guenter Geiger (Debian/GNU)  Fri, 4 May 2001 15:26:33 +0200

sox (12.17.1-4.1) unstable; urgency=low

  * NMU.
  * Added autoconf test for sizeof(unsigned long) and used that result to
    declare ULONG (instead of just #ifdef __alpha__).

 -- Jeff Licquia  Thu, 30 Aug 2001 11:14:44 -0600

sox (12.17.1-4) unstable; urgency=low

  * endianness patch applied (closes: #98268), fixed Makefile.in
    (closes: #97940)

 -- Guenter Geiger  Wed, 23 May 2001 18:26:33 +0200

sox (12.17.1-3) unstable; urgency=low

  * fixed aiff handling, play manpage update (closes: #96192)

 -- Guenter Geiger  Fri, 4 May 2001 15:26:33 +0200

sox (12.17.1-2) unstable; urgency=low

  * fixed rec link (closes: #93264), fixed bug in .au files (closes: #93173)

 -- Guenter Geiger  Mon, 9 Apr 2001 15:26:33 +0200

sox (12.17.1-1) unstable; urgency=low

  * new upstream version (closes: #92969, #61788, #71629, #86162, #91332,
    #84265, #85181)

 -- Guenter Geiger  Fri, 6 Apr 2001 13:03:23 +0200

sox (12.16-9) unstable; urgency=low

  * play and rec script fixes with devfs, (closes: #81951)

 -- Guenter Geiger  Mon, 22 Jan 2001 12:03:23 +0100

sox (12.16-8) unstable; urgency=low

  * mime type fix closes: Bug??????

 -- Guenter Geiger  Fri, 22 Sep 2000 22:03:23 +0200

sox (12.16-7) unstable; urgency=low

  * fixed odd sample rates when soundcard doesn't support correct ones

 -- Guenter Geiger  Mon, 29 May 2000 20:30:23 +0100

sox (12.16-6) frozen unstable; urgency=low

  * patch for "smart" --silent option from Paul Slootman Mon, 28 Feb 2000 19:45:36 +0100

sox (12.16-5) frozen unstable; urgency=low

  * folded in patch for sh compatibility code by Adel Belhouane, closing
    bug#58511

 -- Guenter Geiger  Sun, 20 Feb 2000 15:03:04 +0100

sox (12.16-4) frozen unstable; urgency=low

  * fixes Bug#58360 (broken mime), Bug#43914 verbose play, Bug #26367 accept
    several filenames

 -- Guenter Geiger  Fri, 18 Feb 2000 14:21:03 +0100

sox (12.16-3) unstable; urgency=low

  * fixed Bug#43394 compilation bug on machines without sound support

 -- Guenter Geiger  Tue, 24 Aug 1999 10:02:00 +0200

sox (12.16-2) unstable; urgency=low

  * installed mime files

 -- Guenter Geiger  Fri, 23 Jul 1999 16:45:00 +0200

sox (12.16-1) unstable; urgency=low

  * fixed "spaces" bug again, fixed #26367 playing multiple files moved to
    debhelper, added libst.a to package, fixed #40849 stereo to mono
    conversion does not work.

 -- Guenter Geiger  Tue, 22 Jul 1999 14:30:00 +0200

sox (12.15-2) unstable; urgency=low

  * fixed bug in play script (spaces in filenames)

 -- Guenter Geiger  Sat, 15 May 1999 12:16:00 +0200

sox (12.15-1) unstable; urgency=low

  * new upstream version, which fixed most of the bugs

 -- Guenter Geiger  Sun, 27 Sep 1998 01:30:00 +0200

sox (12.14-2) unstable; urgency=low

  * Close Bug#23733: sox: play fails, bug in argument parsing (getopt)

 -- Geiger Guenter  Thu, 25 Jun 1998 10:00:00 +0100

sox (12.14-1) unstable; urgency=low

  * new upstream version with most of Debian patches included

 -- Geiger Guenter  Tue, 18 May 1998 8:50:00 +0100

sox (11gamma-cb3-5) unstable; urgency=low

  * Close bug Bug#18608: sox: postinst script failure
    Bug#18623: sox: bad postinst

 -- Geiger Guenter  Sun, 26 Feb 1998 8:50:00 +0100

sox (11gamma-cb3-4) unstable; urgency=low

  * Close bug Bug#18150: register "play" with mime-support

 -- Geiger Guenter  Sun, 13 Feb 1998 12:05:00 +0100

sox (11gamma-cb3-3) unstable; urgency=low

  * Closes bugs #15923 sox: -v option is ignored and #14103 (sox dumps core)

 -- Geiger Guenter  Sun, 14 Dec 1997 13:25:00 +0100

sox (11gamma-cb3-2) unstable; urgency=low

  * Closes bugs #15138 (Uploaded sox 11gamma-cb3-1.1 (source i386) to master)
    #8456 sox: problem with -e option

 -- Geiger Guenter  Mon, 1 Dec 1997 13:00:00 +0100

sox (11gamma-cb3-1) unstable; urgency=low

  * New Maintainer release.
  * Heavily patched to get rid of the use of long as 32 bit integer.

 -- Geiger Guenter  Tue, 14 Oct 1997 15:48:47 +0100

sox (11gamma-cb3-0.0) unstable; urgency=low

  * Non maintainer release. This package hasn't been updated since May '96.
  * New upstream version. New source format. Pristine source. Libc6. A
    complete repackaging, in fact.
  * Included 2 more doc files in the package.
  * Closes bugs #9451, #11724.

 -- Joey Hess  Sat, 30 Aug 1997 20:48:47 -0400

Local variables:
mode: debian-changelog
End:

debian/libsox-fmt-mp3.install.in

debian/tmp/usr/lib/@DEB_HOST_MULTIARCH@/sox/libsox_fmt_mp3.so* usr/lib/@DEB_HOST_MULTIARCH@/sox/

debian/libsox-dev.dirs.in

usr/lib/@DEB_HOST_MULTIARCH@
usr/lib/@DEB_HOST_MULTIARCH@/sox
usr/include

debian/libsox-fmt-ao.dirs.in

usr/lib/@DEB_HOST_MULTIARCH@/sox

debian/libsox2.dirs.in

usr/lib/@DEB_HOST_MULTIARCH@

debian/compat

9

debian/rules

#!/usr/bin/make -f
# -*- mode: makefile; coding: utf-8 -*-

# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1

DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)

PREPROCESS_FILES := $(wildcard debian/*.in)

$(PREPROCESS_FILES:.in=): %: %.in
	sed 's,/@DEB_HOST_MULTIARCH@,$(DEB_HOST_MULTIARCH:%=/%),g' $< > $@

override_dh_auto_configure:
	dh_auto_configure -- --with-distro="$(shell dpkg-vendor --query vendor)" --with-dyn-default --without-ffmpeg

# Takes care of postinst-has-useless-call-to-ldconfig for libsox-fmt-*
override_dh_makeshlibs:
	dh_makeshlibs -Xfmt

override_dh_auto_clean:
	dh_auto_clean
	rm -rf $(PREPROCESS_FILES:.in=)

override_dh_auto_install: $(PREPROCESS_FILES:.in=)
	dh_auto_install
	# Force Ubuntu into installing upstream ChangeLog, it contains the
	# list of past contributors
	dh_installchangelogs ChangeLog

%:
	dh $@ --with autoreconf

debian/patches/CVE-2017-11332.patch

From 7405bcaacb1ded8c595cb751d407cf738cb26571 Mon Sep 17 00:00:00 2001
From: Mans Rullgard Date: Sun, 5 Nov 2017 16:29:28 +0000 Subject: [PATCH] wav: fix crash if channel count is zero (CVE-2017-11332) --- src/wav.c | 5 +++++ 1 file changed, 5 insertions(+) --- a/src/wav.c +++ b/src/wav.c @@ -613,6 +613,11 @@ static int startread(sox_format_t * ft) else lsx_report("User options overriding channels read in .wav header"); + if (ft->signal.channels == 0) { + lsx_fail_errno(ft, SOX_EHDR, "Channel count is zero"); + return SOX_EOF; + } + if (ft->signal.rate == 0 || ft->signal.rate == dwSamplesPerSecond) ft->signal.rate = dwSamplesPerSecond; else debian/patches/series0000644000000000000000000000041413424620275012036 0ustar 0001-Check-for-minimum-size-sphere-headers.patch 0002-More-checks-for-invalid-MS-ADPCM-blocks.patch CVE-2017-11332.patch CVE-2017-11358.patch CVE-2017-11359.patch CVE-2017-15370.patch CVE-2017-15371.patch CVE-2017-15372.patch CVE-2017-15642.patch CVE-2017-18189.patch debian/patches/CVE-2017-15372.patch0000644000000000000000000000656713424620275013344 0ustar From 3f7ed312614649e2695b54b398475d32be4f64f3 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Wed, 8 Nov 2017 00:29:14 +0000 Subject: adpcm: fix stack overflow with >4 channels (CVE-2017-15372) --- src/adpcm.c | 8 +++++++- src/adpcm.h | 3 +++ src/wav.c | 5 ++++- 3 files changed, 14 insertions(+), 2 deletions(-) --- a/src/adpcm.c +++ b/src/adpcm.c @@ -71,6 +71,11 @@ const short lsx_ms_adpcm_i_coef[7][2] = { 392,-232} }; +extern void *lsx_ms_adpcm_alloc(unsigned chans) +{ + return lsx_malloc(chans * sizeof(MsState_t)); +} + static inline sox_sample_t AdpcmDecode(sox_sample_t c, MsState_t *state, sox_sample_t sample1, sox_sample_t sample2) { @@ -102,6 +107,7 @@ static inline sox_sample_t AdpcmDecode(s /* lsx_ms_adpcm_block_expand_i() outputs interleaved samples into one output buffer */ const char *lsx_ms_adpcm_block_expand_i( + void *priv, unsigned chans, /* total channels */ int nCoef, const short *coef, 
@@ -113,7 +119,7 @@ const char *lsx_ms_adpcm_block_expand_i( const unsigned char *ip; unsigned ch; const char *errmsg = NULL; - MsState_t state[4]; /* One decompressor state for each channel */ + MsState_t *state = priv; /* One decompressor state for each channel */ /* Read the four-byte header for each channel */ ip = ibuff; --- a/src/adpcm.h +++ b/src/adpcm.h @@ -29,8 +29,11 @@ /* default coef sets */ extern const short lsx_ms_adpcm_i_coef[7][2]; +extern void *lsx_ms_adpcm_alloc(unsigned chans); + /* lsx_ms_adpcm_block_expand_i() outputs interleaved samples into one output buffer */ extern const char *lsx_ms_adpcm_block_expand_i( + void *priv, unsigned chans, /* total channels */ int nCoef, const short *coef, --- a/src/wav.c +++ b/src/wav.c @@ -82,6 +82,7 @@ typedef struct { /* following used by *ADPCM wav files */ unsigned short nCoefs; /* ADPCM: number of coef sets */ short *lsx_ms_adpcm_i_coefs; /* ADPCM: coef sets */ + void *ms_adpcm_data; /* Private data of adpcm decoder */ unsigned char *packet; /* Temporary buffer for packets */ short *samples; /* interleaved samples buffer */ short *samplePtr; /* Pointer to current sample */ @@ -173,7 +174,7 @@ static unsigned short AdpcmReadBlock(so } } - errmsg = lsx_ms_adpcm_block_expand_i(ft->signal.channels, wav->nCoefs, wav->lsx_ms_adpcm_i_coefs, wav->packet, wav->samples, samplesThisBlock); + errmsg = lsx_ms_adpcm_block_expand_i(wav->ms_adpcm_data, ft->signal.channels, wav->nCoefs, wav->lsx_ms_adpcm_i_coefs, wav->packet, wav->samples, samplesThisBlock); if (errmsg) lsx_warn("%s", errmsg); @@ -692,6 +693,7 @@ static int startread(sox_format_t * ft) /* nCoefs, lsx_ms_adpcm_i_coefs used by adpcm.c */ wav->lsx_ms_adpcm_i_coefs = lsx_malloc(wav->nCoefs * 2 * sizeof(short)); + wav->ms_adpcm_data = lsx_ms_adpcm_alloc(wChannels); { int i, errct=0; for (i=0; len>=2 && i < 2*wav->nCoefs; i++) { 
@@ -1112,6 +1114,7 @@ static int stopread(sox_format_t * ft) free(wav->packet); free(wav->samples); free(wav->lsx_ms_adpcm_i_coefs); + free(wav->ms_adpcm_data); free(wav->comment); wav->comment = NULL; debian/patches/CVE-2017-15371.patch0000644000000000000000000000227213424620275013330 0ustar From 818bdd0ccc1e5b6cae742c740c17fd414935cf39 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sun, 5 Nov 2017 15:57:48 +0000 Subject: [PATCH] flac: fix crash on corrupt metadata (CVE-2017-15371) --- src/flac.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) --- a/src/flac.c +++ b/src/flac.c @@ -78,9 +78,10 @@ static void FLAC__decoder_metadata_callb p->total_samples = metadata->data.stream_info.total_samples; } else if (metadata->type == FLAC__METADATA_TYPE_VORBIS_COMMENT) { + const FLAC__StreamMetadata_VorbisComment *vc = &metadata->data.vorbis_comment; size_t i; - if (metadata->data.vorbis_comment.num_comments == 0) + if (vc->num_comments == 0) return; if (ft->oob.comments != NULL) { @@ -88,8 +89,9 @@ static void FLAC__decoder_metadata_callb return; } - for (i = 0; i < metadata->data.vorbis_comment.num_comments; ++i) - sox_append_comment(&ft->oob.comments, (char const *) metadata->data.vorbis_comment.comments[i].entry); + for (i = 0; i < vc->num_comments; ++i) + if (vc->comments[i].entry) + sox_append_comment(&ft->oob.comments, (char const *) vc->comments[i].entry); } } debian/patches/0001-Check-for-minimum-size-sphere-headers.patch0000644000000000000000000000067113424620275021344 0ustar --- a/src/sphere.c +++ b/src/sphere.c 
@@ -47,6 +47,11 @@ static int start_read(sox_format_t * ft) /* Determine header size, and allocate a buffer large enough to hold it. */ sscanf(fldsval, "%lu", &header_size_ul); + if (header_size_ul < 16) { + lsx_fail_errno(ft, SOX_EHDR, "Error reading Sphere header"); + return (SOX_EOF); + } + buf = lsx_malloc(header_size = header_size_ul); /* Skip what we have read so far */ debian/patches/CVE-2017-11359.patch0000644000000000000000000000146013424620275013330 0ustar From 8b590b3a52f4ccc4eea3f41b4a067c38b3565b60 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sun, 5 Nov 2017 17:02:11 +0000 Subject: [PATCH] wav: fix crash writing header when channel count >64k (CVE-2017-11359) --- src/wav.c | 6 ++++++ 1 file changed, 6 insertions(+) --- a/src/wav.c +++ b/src/wav.c @@ -1275,6 +1275,12 @@ static int wavwritehdr(sox_format_t * ft long blocksWritten = 0; sox_bool isExtensible = sox_false; /* WAVE_FORMAT_EXTENSIBLE? */ + if (ft->signal.channels > UINT16_MAX) { + lsx_fail_errno(ft, SOX_EOF, "Too many channels (%u)", + ft->signal.channels); + return SOX_EOF; + } + dwSamplesPerSecond = ft->signal.rate; wChannels = ft->signal.channels; wBitsPerSample = ft->encoding.bits_per_sample; debian/patches/CVE-2017-15370.patch0000644000000000000000000000172313424620275013327 0ustar From ef3d8be0f80cbb650e4766b545d61e10d7a24c9e Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sun, 5 Nov 2017 16:21:23 +0000 Subject: [PATCH] wav: ima_adpcm: fix buffer overflow on corrupt input (CVE-2017-15370) Add the same check bad block size as was done for MS adpcm in commit f39c574b ("More checks for invalid MS ADPCM blocks"). --- src/wav.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/src/wav.c +++ b/src/wav.c 
@@ -125,7 +125,7 @@ static unsigned short ImaAdpcmReadBlock /* work with partial blocks. Specs say it should be null */ /* padded but I guess this is better than trailing quiet. */ samplesThisBlock = lsx_ima_samples_in((size_t)0, (size_t)ft->signal.channels, bytesRead, (size_t) 0); - if (samplesThisBlock == 0) + if (samplesThisBlock == 0 || samplesThisBlock > wav->samplesPerBlock) { lsx_warn("Premature EOF on .wav input file"); return 0; debian/patches/0002-More-checks-for-invalid-MS-ADPCM-blocks.patch0000644000000000000000000000107413424620275021206 0ustar --- a/src/wav.c +++ b/src/wav.c @@ -166,7 +166,7 @@ static unsigned short AdpcmReadBlock(sox_format_t * ft) /* work with partial blocks. Specs say it should be null */ /* padded but I guess this is better than trailing quiet. */ samplesThisBlock = lsx_ms_adpcm_samples_in((size_t)0, (size_t)ft->signal.channels, bytesRead, (size_t)0); - if (samplesThisBlock == 0) + if (samplesThisBlock == 0 || samplesThisBlock > wav->samplesPerBlock) { lsx_warn("Premature EOF on .wav input file"); return 0; debian/patches/CVE-2017-18189.patch0000644000000000000000000000212513424620275013337 0ustar Description: A corrupt header specifying zero channels would send read_channels() into an infinite loop. Prevent this by sanity checking the channel count in open_read(). Also add an upper bound to prevent overflow in multiplication. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881121 Author: Mans Rullgard Jaromír Mikeš Forwarded: not-needed --- src/xa.c | 6 ++++++ 1 file changed, 6 insertions(+) Index: sox/src/xa.c =================================================================== --- sox.orig/src/xa.c +++ sox/src/xa.c 
@@ -143,6 +143,12 @@ static int startread(sox_format_t * ft) lsx_report("User options overriding rate read in .xa header"); } + if (ft->signal.channels == 0 || ft->signal.channels > UINT16_MAX) { + lsx_fail_errno(ft, SOX_EFMT, "invalid channel count %d", + ft->signal.channels); + return SOX_EOF; + } + /* Check for supported formats */ if (ft->encoding.bits_per_sample != 16) { lsx_fail_errno(ft, SOX_EFMT, "%d-bit sample resolution not supported.", debian/patches/CVE-2017-15642.patch0000644000000000000000000000152413424620275013330 0ustar Description: This fixes a use after free and double free if an empty comment chunk follows a non-empty one. Author: Mans Rullgard Forwarded: not-needed --- src/aiff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Index: sox/src/aiff.c =================================================================== --- sox.orig/src/aiff.c +++ sox/src/aiff.c @@ -62,7 +62,6 @@ int lsx_aiffstartread(sox_format_t * ft) size_t ssndsize = 0; char *annotation; char *author; - char *comment = NULL; char *copyright; char *nametext; @@ -270,6 +269,7 @@ int lsx_aiffstartread(sox_format_t * ft) free(annotation); } else if (strncmp(buf, "COMT", (size_t)4) == 0) { + char *comment = NULL; rc = commentChunk(&comment, "Comment:", ft); if (rc) { /* Fail already called in function */ debian/patches/CVE-2017-11358.patch0000644000000000000000000000173313424620275013332 0ustar From 6cb44a44b9eda6b321ccdbf6483348d4a9798b00 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sun, 5 Nov 2017 16:43:35 +0000 Subject: [PATCH] hcom: fix crash on input with corrupt dictionary (CVE-2017-11358) --- src/hcom.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/hcom.c b/src/hcom.c index c62b020c..1b0e09dd 100644 --- a/src/hcom.c +++ b/src/hcom.c 
@@ -150,6 +150,11 @@ static int startread(sox_format_t * ft) lsx_debug("%d %d", p->dictionary[i].dict_leftson, p->dictionary[i].dict_rightson); + if ((unsigned) p->dictionary[i].dict_leftson >= dictsize || + (unsigned) p->dictionary[i].dict_rightson >= dictsize) { + lsx_fail_errno(ft, SOX_EHDR, "Invalid dictionary"); + return SOX_EOF; + } } rc = lsx_skipbytes(ft, (size_t) 1); /* skip pad byte */ if (rc) debian/sox.install0000644000000000000000000000033412106333472011370 0ustar debian/tmp/usr/bin/play usr/bin/ debian/tmp/usr/bin/rec usr/bin/ debian/tmp/usr/bin/sox usr/bin/ debian/tmp/usr/bin/soxi usr/bin/ debian/tmp/usr/share/man/man1 usr/share/man/ debian/tmp/usr/share/man/man7 usr/share/man/ debian/libsox-fmt-pulse.dirs.in0000644000000000000000000000004112106333472013664 0ustar usr/lib/@DEB_HOST_MULTIARCH@/sox debian/control0000644000000000000000000001425512260420133010571 0ustar Source: sox Homepage: http://sox.sourceforge.net Section: sound Priority: optional Maintainer: Ubuntu Developers XSBC-Original-Maintainer: Pascal Giard Build-Depends: dh-autoreconf, debhelper (>= 9), ladspa-sdk, libao-dev, libasound2-dev [linux-any], libavcodec-dev (>= 4:0.6.0), libavformat-dev, libavutil-dev, libgsm1-dev, libid3tag0-dev, libltdl3-dev, libmad0-dev, libmagic-dev, libmp3lame-dev, libopencore-amrnb-dev, libopencore-amrwb-dev, libpng-dev, libpulse-dev, libsamplerate0-dev, libsndfile1-dev (>= 1.0.12), libtwolame-dev, libvorbis-dev, libwavpack-dev Standards-Version: 3.9.3 Vcs-Git: git://sox.git.sourceforge.net/gitroot/sox/sox Vcs-Browser: http://sox.git.sourceforge.net/git/gitweb.cgi?p=sox/sox Package: sox Architecture: any Depends: libsox-fmt-alsa (= ${binary:Version}) [linux-any] | libsox-fmt-ao (= ${binary:Version}) | libsox-fmt-oss (= ${binary:Version}) | libsox-fmt-pulse (= ${binary:Version}), libsox-fmt-base (= ${binary:Version}), libsox2 (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends} Suggests: libsox-fmt-all Description: Swiss army knife of sound processing 
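Review bot: in CVE-2017-15372.patch, the src/wav.c startread hunk (@@ -692) sizes the decoder state with lsx_ms_adpcm_alloc(wChannels), while the AdpcmReadBlock hunk (@@ -173) passes ft->signal.channels as chans to lsx_ms_adpcm_block_expand_i. If those two values can ever differ, the heap array that replaced MsState_t state[4] can be indexed past its end just as the stack array was. Suggest allocating from the same value that is later passed as chans, or rejecting a mismatch before decoding starts. In addition, lsx_ms_adpcm_alloc multiplies chans * sizeof(MsState_t) with no bound on chans, and the adpcm.h hunk does not document that the caller owns the returned buffer and must free() it.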
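Review bot: in CVE-2017-15371.patch, the second src/flac.c hunk (@@ -88) skips any comment whose entry pointer is NULL without reporting it, so corrupt metadata passes silently. Suggest an lsx_warn or lsx_debug call when an entry is skipped. The for loop now has an unbraced if as its body, with the sox_append_comment call nested under that; braces on both would make the nesting explicit.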
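Review bot: in 0001-Check-for-minimum-size-sphere-headers.patch, the new header_size_ul < 16 test in start_read relies on the sscanf(fldsval, "%lu", &header_size_ul) context line just above it, whose return value is never checked; if the conversion fails, the comparison runs on whatever header_size_ul held before. Suggest testing the sscanf result in the same condition, adding an upper limit before lsx_malloc(header_size = header_size_ul), and a short comment saying where the minimum of 16 comes from. The patch file also carries no description, author or origin header.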
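Review bot: in CVE-2017-11359.patch, the added lsx_fail_errno call in wavwritehdr passes SOX_EOF as the error code, whereas the other checks in this series pass an error class (SOX_EHDR in the wav, sphere and hcom reader patches, SOX_EFMT in the xa.c patch) and reserve SOX_EOF for the return value. Suggest an error class here as well, for example SOX_EFMT, so callers that inspect the code can tell a rejected channel count from an end-of-file condition.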
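Review bot: in CVE-2017-15370.patch, the widened condition in ImaAdpcmReadBlock sends an oversized block (samplesThisBlock > wav->samplesPerBlock) down the existing branch that warns "Premature EOF on .wav input file" and returns 0, so a corrupt block is logged as a truncated file. Suggest a separate branch with its own message that names the block size, so the log distinguishes the two cases. The same applies to the identical one-line change to AdpcmReadBlock in 0002-More-checks-for-invalid-MS-ADPCM-blocks.patch, which also has no description header.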
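Review bot: in CVE-2017-18189.patch, the new message "invalid channel count %d" prints ft->signal.channels with %d, while CVE-2017-11359.patch prints the same field with %u; the two should agree, and %u is the one that fits a value being compared against UINT16_MAX. The Description also says the check is added in open_read() to protect read_channels(), but the hunk header shows it lands in startread() of src/xa.c, so the description should name the function that is actually changed.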
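Review bot: in CVE-2017-15642.patch, the fix depends on comment starting as NULL for every COMT chunk, but the moved declaration char *comment = NULL; in the second hunk (@@ -270) has no code comment saying so, which makes it easy to hoist back to function scope later. Suggest a one-line comment at the declaration explaining that the pointer must be fresh per chunk. The header has Forwarded: not-needed but no Origin or upstream commit reference, unlike the patches in this series that start with a From <commit> line.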
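Review bot: in CVE-2017-11358.patch, the new return SOX_EOF sits inside the loop that fills p->dictionary, so startread exits part-way through setup, and the hunk does not show whether p->dictionary is released on that path. Please confirm it is freed there or by the caller on failure. The message "Invalid dictionary" would be more useful with the index i and the offending dict_leftson and dict_rightson values that the lsx_debug line above already prints, and the (unsigned) casts that make negative sons fail the >= dictsize test deserve a one-line comment.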
 SoX is a command line utility that can convert various formats of computer audio files in to other formats. It can also apply various effects to these sound files during the conversion. As an added bonus, SoX can play and record audio files on several unix-style platforms.
 .
 SoX is able to handle formats like Ogg Vorbis, MP3, WAV, AIFF, VOC, SND, AU, GSM and several more. Any format support requires at least libsox-fmt-base. Some formats have their own package e.g. mp3 read and write support is provided by libsox-fmt-mp3.
 .
 SoX supports most common sound architectures i.e. Alsa, Libao, OSS and Pulse (respectively provided by libsox-fmt-alsa, libsox-fmt-ao, libsox-fmt-oss and libsox-fmt-pulse). It also supports LADSPA plugins.

Package: libsox2
Architecture: any
Multi-Arch: same
Section: libs
Pre-Depends: ${misc:Pre-Depends}
Depends: ${misc:Depends}, ${shlibs:Depends}
Recommends: libsox-fmt-alsa [linux-any] | libsox-fmt-ao | libsox-fmt-oss | libsox-fmt-pulse, libsox-fmt-base
Conflicts: libsox0, libsox0a, libsox1, libsox1a
Replaces: libsox1b
Suggests: libsox-fmt-all
Description: SoX library of audio effects and processing
 SoX is the swiss army knife of sound processing.
 .
 This package contains the SoX library which enables to convert various formats of computer audio files in to other formats. It also allows you to apply various effects to sound files.
 .
 Any format support requires at least libsox-fmt-base. Sound card I/O requires libsox-fmt-alsa, libsox-fmt-ao, libsox-fmt-oss or libsox-fmt-pulse.

Package: libsox-fmt-base
Architecture: any
Multi-Arch: same
Section: libs
Depends: ${misc:Depends}, ${shlibs:Depends}
Replaces: libsox-fmt-flac, libsox-fmt-gsm, libsox-fmt-libsndfile, libsox-fmt-ogg, libsox-fmt-sndfile
Description: Minimal set of SoX format libraries
 SoX is the swiss army knife of sound processing.
 .
 This package contains most audio formats libraries supported by SoX. Among them: Ogg Vorbis, WAV, AIFF, VOC, SND, AU, GSM, WavPack, LPC10, FLAC, MATLAB/GNU Octave, Portable Voice Format, AMR and Sound Forge Audio Format.

Package: libsox-fmt-alsa
Architecture: linux-any
Multi-Arch: same
Section: libs
Depends: ${misc:Depends}, ${shlibs:Depends}
Description: SoX alsa format I/O library
 SoX is the swiss army knife of sound processing.
 .
 This package contains the SoX alsa format I/O library.
 .
 alsa: http://www.alsa-project.org

Package: libsox-fmt-ao
Architecture: any
Multi-Arch: same
Section: libs
Depends: ${misc:Depends}, ${shlibs:Depends}
Description: SoX Libao format I/O library
 SoX is the swiss army knife of sound processing.
 .
 This package contains the SoX Libao format I/O library.
 .
 libao: http://xiph.org/ao

Package: libsox-fmt-mp3
Architecture: any
Multi-Arch: same
Section: libs
Depends: ${misc:Depends}, ${shlibs:Depends}
Description: SoX MP2 and MP3 format library
 SoX is the swiss army knife of sound processing.
 .
 This package contains the SoX MP2 and MP3 format library. Read support by libmad. MP2 and MP3 write support by libtwolame and libmp3lame respectively.
 .
 libmad: http://www.underbit.com/products/mad/
 lame: http://lame.sourceforge.net/

Package: libsox-fmt-oss
Architecture: any
Multi-Arch: same
Section: libs
Depends: ${misc:Depends}, ${shlibs:Depends}
Description: SoX OSS format I/O library
 SoX is the swiss army knife of sound processing.
 .
 This package contains the SoX Open Sound System (OSS) format I/O library.
 .
 Open Sound System: http://www.opensound.com/oss.html

Package: libsox-fmt-pulse
Architecture: any
Multi-Arch: same
Section: libs
Depends: ${misc:Depends}, ${shlibs:Depends}
Description: SoX PulseAudio format I/O library
 SoX is the swiss army knife of sound processing.
 .
 This package contains the SoX PulseAudio format I/O library.
 .
 PulseAudio: http://www.pulseaudio.org/

Package: libsox-fmt-all
Architecture: any
Multi-Arch: same
Section: libs
Depends: libsox-fmt-alsa (= ${binary:Version}) [linux-any], libsox-fmt-ao (= ${binary:Version}), libsox-fmt-base (= ${binary:Version}), libsox-fmt-mp3 (= ${binary:Version}), libsox-fmt-oss (= ${binary:Version}), libsox-fmt-pulse (= ${binary:Version}), ${misc:Depends}
Description: All SoX format libraries
 SoX is the swiss army knife of sound processing.
 .
 This is a metapackage depending on all free SoX format libraries.

Package: libsox-dev
Architecture: any
Multi-Arch: same
Section: libdevel
Depends: libsox-fmt-all (= ${binary:Version}), libsox2 (= ${binary:Version}), ${misc:Depends}
Description: Development files for the SoX library
 SoX is the swiss army knife of sound processing.
 .
 This package contains the development files for the SoX library.

debian/libsox-fmt-ao.install.in
debian/tmp/usr/lib/@DEB_HOST_MULTIARCH@/sox/libsox_fmt_ao.so* usr/lib/@DEB_HOST_MULTIARCH@/sox/

debian/source/

debian/source/format
3.0 (quilt)

debian/libsox-fmt-oss.dirs.in
usr/lib/@DEB_HOST_MULTIARCH@/sox

debian/libsox-fmt-base.install.in
debian/tmp/usr/lib/@DEB_HOST_MULTIARCH@/sox/libsox_fmt_amr_nb.so* usr/lib/@DEB_HOST_MULTIARCH@/sox/
debian/tmp/usr/lib/@DEB_HOST_MULTIARCH@/sox/libsox_fmt_amr_wb.so* usr/lib/@DEB_HOST_MULTIARCH@/sox/
debian/tmp/usr/lib/@DEB_HOST_MULTIARCH@/sox/libsox_fmt_flac.so* usr/lib/@DEB_HOST_MULTIARCH@/sox/
debian/tmp/usr/lib/@DEB_HOST_MULTIARCH@/sox/libsox_fmt_gsm.so* usr/lib/@DEB_HOST_MULTIARCH@/sox/
debian/tmp/usr/lib/@DEB_HOST_MULTIARCH@/sox/libsox_fmt_lpc10.so* usr/lib/@DEB_HOST_MULTIARCH@/sox/
debian/tmp/usr/lib/@DEB_HOST_MULTIARCH@/sox/libsox_fmt_sndfile.so* usr/lib/@DEB_HOST_MULTIARCH@/sox/
debian/tmp/usr/lib/@DEB_HOST_MULTIARCH@/sox/libsox_fmt_caf.so* usr/lib/@DEB_HOST_MULTIARCH@/sox/
debian/tmp/usr/lib/@DEB_HOST_MULTIARCH@/sox/libsox_fmt_fap.so* usr/lib/@DEB_HOST_MULTIARCH@/sox/
debian/tmp/usr/lib/@DEB_HOST_MULTIARCH@/sox/libsox_fmt_mat4.so* usr/lib/@DEB_HOST_MULTIARCH@/sox/
debian/tmp/usr/lib/@DEB_HOST_MULTIARCH@/sox/libsox_fmt_mat5.so* usr/lib/@DEB_HOST_MULTIARCH@/sox/
debian/tmp/usr/lib/@DEB_HOST_MULTIARCH@/sox/libsox_fmt_paf.so* usr/lib/@DEB_HOST_MULTIARCH@/sox/
debian/tmp/usr/lib/@DEB_HOST_MULTIARCH@/sox/libsox_fmt_pvf.so* usr/lib/@DEB_HOST_MULTIARCH@/sox/
debian/tmp/usr/lib/@DEB_HOST_MULTIARCH@/sox/libsox_fmt_sd2.so* usr/lib/@DEB_HOST_MULTIARCH@/sox/
debian/tmp/usr/lib/@DEB_HOST_MULTIARCH@/sox/libsox_fmt_w64.so* usr/lib/@DEB_HOST_MULTIARCH@/sox/
debian/tmp/usr/lib/@DEB_HOST_MULTIARCH@/sox/libsox_fmt_xi.so* usr/lib/@DEB_HOST_MULTIARCH@/sox/
debian/tmp/usr/lib/@DEB_HOST_MULTIARCH@/sox/libsox_fmt_vorbis.so* usr/lib/@DEB_HOST_MULTIARCH@/sox/
debian/tmp/usr/lib/@DEB_HOST_MULTIARCH@/sox/libsox_fmt_wavpack.so* usr/lib/@DEB_HOST_MULTIARCH@/sox/

debian/libsox-dev.install.in
debian/tmp/usr/include/* usr/include/
debian/tmp/usr/lib/@DEB_HOST_MULTIARCH@/lib*.a usr/lib/@DEB_HOST_MULTIARCH@/
debian/tmp/usr/lib/@DEB_HOST_MULTIARCH@/lib*.so usr/lib/@DEB_HOST_MULTIARCH@/
debian/tmp/usr/lib/@DEB_HOST_MULTIARCH@/pkgconfig/sox.pc usr/lib/@DEB_HOST_MULTIARCH@/pkgconfig/
debian/tmp/usr/lib/@DEB_HOST_MULTIARCH@/sox/lib*.a usr/lib/@DEB_HOST_MULTIARCH@/sox/
debian/tmp/usr/share/man/man3 usr/share/man/

debian/sox.dirs
usr/bin
usr/share

debian/README.Debian
SoX from git
------------

If you downloaded SoX from git, you may build the package by:

1) Generating the autotools files:
   autoreconf -i
2) Configuring and making the release tarball:
   ./configure && make dist
3) Building the package:
   debuild -B

 -- Pascal Giard Tue, 08 May 2007 21:13:56 -0400

debian/libsox-fmt-oss.install.in
debian/tmp/usr/lib/@DEB_HOST_MULTIARCH@/sox/libsox_fmt_oss.so* usr/lib/@DEB_HOST_MULTIARCH@/sox/

debian/copyright
This is the Debian Linux prepackaged version of sox, a comprehensive sound conversion tool.

This package was put together by Guenter Geiger with sources obtained from:
  http://home.sprynet.com/sprynet/cbagwell/projects.html

The following copyright applied to this software:

  Copyright 1991 Lance Norskog And Sundry Contributors
  This source code is freely redistributable and may be used for any purpose. This copyright notice must be maintained. Lance Norskog And Sundry Contributors are not responsible for the consequences of using this software.

Version 12.16 and above of sox is available from http://sox.sourceforge.net.

sox.c, and thus SoX-the user application, is distributed under the GPL. The remaining files that make up libsox are licensed under the less restrictive license LGPL.

On Debian systems, the complete text of the GNU General Public License can be found in the '/usr/share/common-licenses/GPL-2' file. The complete text of the GNU Lesser General Public License can be found in the '/usr/share/common-licenses/LGPL-2.1' file.

The original copyright owner was Lance Norskog. Current upstream development is being made by Chris Bagwell and others.

debian/libsox2.shlibs
libsox 2 libsox2 (>= 14.4.0)

debian/libsox-fmt-alsa.dirs.in
usr/lib/@DEB_HOST_MULTIARCH@/sox

debian/manpages
build-tree/sox*/sox.1

debian/libsox-fmt-alsa.install.in
debian/tmp/usr/lib/@DEB_HOST_MULTIARCH@/sox/libsox_fmt_alsa.so* usr/lib/@DEB_HOST_MULTIARCH@/sox/

debian/watch
version=3
opts=uversionmangle=s/(\d)[_\.\-]?((RC|rc|pre|dev|beta|alpha|b|a)\d*)$/$1~$2/ \
http://qa.debian.org/watch/sf.php/sox/sox-(\d.*)\.(?:tgz|tbz2|tar\.(?:gz|bz2|xz))
# Bart Martens Sat, 01 Dec 2012 11:43:49 +0000

debian/mime
audio/basic; /usr/bin/play -t au %s
audio/x-aiff; /usr/bin/play -t aiff %s
audio/x-gsm; /usr/bin/play -t gsm %s
audio/x-wav; /usr/bin/play -t wav %s

debian/libsox2.install.in
debian/tmp/usr/lib/@DEB_HOST_MULTIARCH@/*.so.* usr/lib/@DEB_HOST_MULTIARCH@/

debian/libsox-fmt-mp3.dirs.in
usr/lib/@DEB_HOST_MULTIARCH@/sox

debian/libsox-fmt-base.dirs.in
usr/lib/@DEB_HOST_MULTIARCH@/sox

debian/docs
README
NEWS
debian/README.source

debian/libsox-fmt-pulse.install.in
debian/tmp/usr/lib/@DEB_HOST_MULTIARCH@/sox/libsox_fmt_pulseaudio.so* usr/lib/@DEB_HOST_MULTIARCH@/sox/