sox_ng wiki - Distro-Debian
Of the tested versions of SoX, Debian's is the one that defends best against CVEs, though the strategy of importing sox.sf.net's patches for them is less than 100% successful.
Legend

| Symbol | Meaning |
| :--- | :--- |
| OK | The fix works as intended |
| SUCC | Exits zero when it should fail |
| ABRT | Aborts |
| SEGV | Crashes with a segmentation fault |
| ASAN | Works, but the Address Sanitizer reports problems |
| LOOP | Loops forever |
| ALOOP | Loops forever when compiled with the Address Sanitizer. Given more than a minute of CPU time, ASAN kills it, reporting that it has tried to allocate more than `0xc0000000` bytes of virtual memory, so the roughly 10x ASAN slowdown comes from SoX hammering `malloc()` |
| 1 | Exits 1 without ASAN, "succeeds" with it |
| - | We don't have a test for this bug |
Results for Debian bookworm and trixie, 32- and 64-bit

| Patch | Issue | bookworm32 | trixie32 | bookworm64 | trixie64 |
| :--- | :--- | :---: | :---: | :---: | :---: |
| 0001-fix-build | #35 | - | - | - | - |
| 0002-spelling | #36 | - | - | - | - |
| 0003-CVE-2017-15371 | #11 | ASAN | ASAN | ASAN | ASAN |
| 0004-CVE-2017-11358 | #8 | OK | OK | OK | OK |
| 0005-CVE-2017-15370 | #16 | SUCC | SUCC | SUCC | SUCC |
| 0006-CVE-2017-11332 | #7 | OK | OK | OK | OK |
| 0007-CVE-2017-11359 | #9 | OK | OK | OK | OK |
| 0008-wavpack_check_errors | #37 | OK | OK | 1 | 1 |
| 0009-lintian-man-sox | #38 | - | - | - | - |
| 0010-xa-validate-channel-count = CVE-2017-18189 | #14 | OK | OK | OK | OK |
| 0011-CVE-2017-15372 | #12 | OK | OK | OK | OK |
| 0012-CVE-2017-15642 | #13 | OK | OK | OK | OK |
| 0013-Handle-vorbis_analysis_headerout-errors = CVE-2017-11333 | #39 | ASAN | ASAN | ASAN | ASAN |
| 0014-CVE-2019-8354 | #15 | ABRT | ABRT | ABRT | ABRT |
| 0015-CVE-2019-8355 | #17 | OK | OK | OK | OK |
| 0016-CVE-2019-8356 | #18 | SUCC ALOOP | SUCC ALOOP | SUCC ALOOP | SUCC ALOOP |
| 0017-CVE-2019-8357 | #19 | SEGV | SEGV | LOOP | LOOP |
| 0018-CVE-2019-13590 | #20 | OK | OK | OK | OK |
| 0019-fix-resource-leak-comments | #40 | - | - | - | - |
| 0020-fix-resource-leak-hcom | #41 | - | - | - | - |
| 0021-fix-hcom-big-endian | #42 | - | - | - | - |
| 0022-CVE-2021-3643 | #22 | ASAN | ASAN | ASAN | ASAN |
| 0023-CVE-2021-23159 | #24 | OK | OK | OK | OK |
| 0024-CVE-2021-33844 | #26 | OK | OK | OK | OK |
| 0025-CVE-2021-40426 | #27 | OK | OK | OK | OK |
| 0026-CVE-2022-31650 | #28 | OK | OK | OK | OK |
| 0027-CVE-2022-31651 | #29 | OK | OK | OK | OK |
| 0028-CVE-2023-32627-Filter-null-sampling-rate-in-VOC-code | #31 | SUCC | SUCC | SUCC | SUCC |
For test results for the other, unaddressed CVEs, and for the results for sox.sf.net and sox_ng, see Testing.
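To reproduce the classification used in the table, here is a small POSIX shell harness. It is an added example, not part of sox_ng, SoX or Debian's test suite: it runs a command (normally a `sox` built with `-fsanitize=address` on a crafted input file) under a CPU-time limit, keeps its stderr, and maps the outcome onto the legend. The exit-status mapping (128 + signal number), the wording of the ASAN allocation-size report it looks for, and the choice to report any clean nonzero exit as OK (on the assumption that the crafted file was rejected) are this example's assumptions; the exit-1 case the table marks `1` is not told apart from OK.

```shell
#!/bin/sh
# Example harness (not part of sox_ng): classify one SoX run on a crafted
# input file using the legend of the results table.
#
# Usage: classify_run LIMIT_SECONDS command [args...]
#   e.g. classify_run 90 ./sox-asan crafted.wav -n stat
classify_run() {
    limit=$1; shift
    err=$(mktemp) || return 2
    status=0
    # Soft CPU-time limit only: a runaway decoder is then killed with SIGXCPU
    # (status 152) rather than the SIGKILL a hard limit would deliver.
    # stderr is kept so the sanitizer report can be inspected.
    ( ulimit -S -t "$limit"; "$@" ) 2>"$err" || status=$?
    if grep -q 'exceeds maximum supported size' "$err"; then
        # Assumed wording of the ASAN report for the oversized allocation the
        # legend's ALOOP entry describes (more than 0xc0000000 bytes on 32-bit).
        result=ALOOP
    elif grep -q 'AddressSanitizer' "$err"; then
        result=ASAN
    else
        case $status in
            0)   result=SUCC ;;  # exited zero on a file it should have rejected
            134) result=ABRT ;;  # 128 + SIGABRT (6): abort()/assert()
            139) result=SEGV ;;  # 128 + SIGSEGV (11)
            152) result=LOOP ;;  # 128 + SIGXCPU (24): used up the CPU limit
            *)   result=OK ;;    # clean nonzero exit: the bad file was rejected
        esac
    fi
    rm -f "$err"
    printf '%s\n' "$result"
}

# Constructed stand-ins for a sanitized sox binary, so the harness can be
# exercised without a crafted input file. The ASAN line is a made-up report.
demo() {
    for cmd in 'exit 0' 'exit 2' 'kill -6 $$' 'kill -11 $$' \
        'echo "==7==ERROR: AddressSanitizer: heap-buffer-overflow" >&2; exit 1' \
        'while :; do :; done'; do
        printf '%-72s %s\n' "$cmd" "$(classify_run 1 sh -c "$cmd")"
    done
}

if [ "${1:-}" = demo ]; then demo; fi
```

For the ALOOP rows the limit has to exceed the minute or so of CPU time after which ASAN gives up, so run those with a limit of 90 seconds or more; the LOOP rows can use something much shorter.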
If libopusfile-dev is installed, dpkg-buildpackage says

```
dh_missing: warning: usr/lib/i386-linux-gnu/sox/libsox_fmt_opus.so exists in debian/tmp but is not installed to anywhere
```

If libsndio-dev is installed, dpkg-buildpackage says

```
dh_missing: warning: usr/lib/i386-linux-gnu/sox/libsox_fmt_sndio.so exists in debian/tmp but is not installed to anywhere
```

In both cases the format module is built but no binary package lists it, so it is silently left out of the resulting .debs.
libsox-fmt-all

I would make libsox-fmt-all a Recommends rather than a Suggests, so that most people get a SoX that reads and writes most audio formats, which is one of its main purposes.
ffmpeg

If Debian switches to sox_ng and configures it `--with-ffmpeg`, it would also make sense to recommend ffmpeg, so that SoX automatically detects and reads 48 more audio and video formats.