* [Buildroot] [PATCH 01/22] boot/grub2: drop stale IGNORE_CVES entries
2025-05-18 8:56 [Buildroot] [PATCH 00/22] CVE updates Thomas Petazzoni via buildroot
@ 2025-05-18 8:56 ` Thomas Petazzoni via buildroot
2025-05-18 12:17 ` Julien Olivain
2025-05-18 8:56 ` [Buildroot] [PATCH 02/22] package/busybox: " Thomas Petazzoni via buildroot
` (21 subsequent siblings)
22 siblings, 1 reply; 27+ messages in thread
From: Thomas Petazzoni via buildroot @ 2025-05-18 8:56 UTC (permalink / raw)
To: Buildroot List; +Cc: Raphaël Mélotte, Thomas Petazzoni
CVE-2020-15705 is only applicable to grub versions up to 2.04, and
we're using a more recent version, so it is no longer needed to ignore
it.
CVE-2021-46705 is only applicable to grub versions up to 2.06, and
we're using a more recent version, so it is no longer needed to ignore
it.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
boot/grub2/grub2.mk | 8 --------
1 file changed, 8 deletions(-)
diff --git a/boot/grub2/grub2.mk b/boot/grub2/grub2.mk
index 0896029322..22d609c004 100644
--- a/boot/grub2/grub2.mk
+++ b/boot/grub2/grub2.mk
@@ -19,14 +19,6 @@ GRUB2_INSTALL_IMAGES = YES
# doesn't exist upstream, but is added by the Redhat/Fedora
# packaging. Not applicable to Buildroot.
GRUB2_IGNORE_CVES += CVE-2019-14865
-# CVE-2020-15705 is related to a flaw in the use of the
-# grub_linuxefi_secure_validate(), which was added by Debian/Ubuntu
-# patches. The issue doesn't affect upstream Grub, and
-# grub_linuxefi_secure_validate() is not implemented in the grub2
-# version available in Buildroot.
-GRUB2_IGNORE_CVES += CVE-2020-15705
-# vulnerability is specific to the SUSE distribution
-GRUB2_IGNORE_CVES += CVE-2021-46705
# vulnerability is specific to the Redhat distribution, affects a
# downstream change from Redhat related to password authentication
GRUB2_IGNORE_CVES += CVE-2023-4001
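Review bot: the removed comments for CVE-2020-15705 (the lines starting `-# CVE-2020-15705 is related to a flaw`) recorded a version-independent reason for the ignore entry (grub_linuxefi_secure_validate() is a Debian/Ubuntu addition that upstream Grub does not have), while the commit message drops the entry on the NVD version range alone. Capture both reasons in the commit message, so that a later change to the NVD range for 2.04 and newer does not lead someone to re-add the entry without that context.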
--
2.49.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* [Buildroot] [PATCH 02/22] package/busybox: drop stale IGNORE_CVES entries
2025-05-18 8:56 [Buildroot] [PATCH 00/22] CVE updates Thomas Petazzoni via buildroot
2025-05-18 8:56 ` [Buildroot] [PATCH 01/22] boot/grub2: drop stale IGNORE_CVES entries Thomas Petazzoni via buildroot
@ 2025-05-18 8:56 ` Thomas Petazzoni via buildroot
2025-05-18 8:56 ` [Buildroot] [PATCH 03/22] package/dnsmasq: " Thomas Petazzoni via buildroot
` (20 subsequent siblings)
22 siblings, 0 replies; 27+ messages in thread
From: Thomas Petazzoni via buildroot @ 2025-05-18 8:56 UTC (permalink / raw)
To: Buildroot List; +Cc: Raphaël Mélotte, Thomas Petazzoni
All of CVE-2023-42363, CVE-2023-42364, CVE-2023-42365, CVE-2023-42366
were fixed by patches that we no longer have since we bumped
Busybox. Those IGNORE_CVES entries are therefore no longer needed.
The CVE-2022-28391 ignore CVE entry is also reported as stale, but we
believe the NVD database is incorrect in saying this vulnerability
only affects Busybox up to 1.35.0. Indeed, Busybox 1.37.0 still
doesn't have the fixes and is therefore still affected.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
package/busybox/busybox.mk | 10 ----------
1 file changed, 10 deletions(-)
diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk
index d3074d2218..532932ec8f 100644
--- a/package/busybox/busybox.mk
+++ b/package/busybox/busybox.mk
@@ -15,16 +15,6 @@ BUSYBOX_CPE_ID_VENDOR = busybox
# 0004-nslookup-sanitize-all-printed-strings-with-printable.patch
BUSYBOX_IGNORE_CVES += CVE-2022-28391
-# 0012-awk-fix-use-after-free-CVE-2023-42363.patch
-BUSYBOX_IGNORE_CVES += CVE-2023-42363
-
-# 0013-awk-fix-precedence-of-relative-to.patch
-# 0014-awk-fix-ternary-operator-and-precedence-of.patch
-BUSYBOX_IGNORE_CVES += CVE-2023-42364 CVE-2023-42365
-
-# 0015-awk.c-fix-CVE-2023-42366-bug-15874.patch
-BUSYBOX_IGNORE_CVES += CVE-2023-42366
-
BUSYBOX_CFLAGS = \
$(TARGET_CFLAGS)
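Review bot: the kept entry `BUSYBOX_IGNORE_CVES += CVE-2022-28391` is still annotated only with `# 0004-nslookup-sanitize-all-printed-strings-with-printable.patch`, yet the commit message says pkg-stats now reports it as stale because the NVD version range is wrong. Add a comment above that entry recording that it is deliberately kept and why (the dovecot patch in this series does this for CVE-2022-30550), otherwise the next stale-entry pass will flag it again and somebody will drop it.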
--
2.49.0
* [Buildroot] [PATCH 03/22] package/dnsmasq: drop stale IGNORE_CVES entries
2025-05-18 8:56 [Buildroot] [PATCH 00/22] CVE updates Thomas Petazzoni via buildroot
2025-05-18 8:56 ` [Buildroot] [PATCH 01/22] boot/grub2: drop stale IGNORE_CVES entries Thomas Petazzoni via buildroot
2025-05-18 8:56 ` [Buildroot] [PATCH 02/22] package/busybox: " Thomas Petazzoni via buildroot
@ 2025-05-18 8:56 ` Thomas Petazzoni via buildroot
2025-05-18 8:56 ` [Buildroot] [PATCH 04/22] package/dovecot: document why the ignore CVE entry is not stale Thomas Petazzoni via buildroot
` (19 subsequent siblings)
22 siblings, 0 replies; 27+ messages in thread
From: Thomas Petazzoni via buildroot @ 2025-05-18 8:56 UTC (permalink / raw)
To: Buildroot List; +Cc: Raphaël Mélotte, Thomas Petazzoni, Bernd Kuhls
The 0001-set-default-maximum-dns-udp-package-size.patch is no longer
in Buildroot since the bump to 2.90 in commit
213cfb34358d86a65deecdb9f5b11a20ad0895d1, which renders the
CVE-2023-28450 ignore CVE entry no longer needed.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
package/dnsmasq/dnsmasq.mk | 3 ---
1 file changed, 3 deletions(-)
diff --git a/package/dnsmasq/dnsmasq.mk b/package/dnsmasq/dnsmasq.mk
index abeee36ce4..dec7c9a86d 100644
--- a/package/dnsmasq/dnsmasq.mk
+++ b/package/dnsmasq/dnsmasq.mk
@@ -17,9 +17,6 @@ DNSMASQ_LICENSE_FILES = COPYING COPYING-v3
DNSMASQ_CPE_ID_VENDOR = thekelleys
DNSMASQ_SELINUX_MODULES = dnsmasq
-# 0001-set-default-maximum-dns-udp-package-size.patch
-DNSMASQ_IGNORE_CVES += CVE-2023-28450
-
DNSMASQ_I18N = $(if $(BR2_SYSTEM_ENABLE_NLS),-i18n)
ifneq ($(BR2_PACKAGE_DNSMASQ_DHCP),y)
--
2.49.0
* [Buildroot] [PATCH 04/22] package/dovecot: document why the ignore CVE entry is not stale
2025-05-18 8:56 [Buildroot] [PATCH 00/22] CVE updates Thomas Petazzoni via buildroot
` (2 preceding siblings ...)
2025-05-18 8:56 ` [Buildroot] [PATCH 03/22] package/dnsmasq: " Thomas Petazzoni via buildroot
@ 2025-05-18 8:56 ` Thomas Petazzoni via buildroot
2025-05-18 8:56 ` [Buildroot] [PATCH 05/22] package/exim: drop stale ignore CVE entry Thomas Petazzoni via buildroot
` (18 subsequent siblings)
22 siblings, 0 replies; 27+ messages in thread
From: Thomas Petazzoni via buildroot @ 2025-05-18 8:56 UTC (permalink / raw)
To: Buildroot List; +Cc: Raphaël Mélotte, Thomas Petazzoni, Bernd Kuhls
The new pkg-stats feature of stale ignore CVE entry detection reports
CVE-2022-30550 as stale, but it's not correct: the NVD database is
incorrect, and this has been reported in
https://lore.kernel.org/buildroot/20250517181815.02ce0393@windsurf/.
Let's annotate this information in dovecot.mk so that we don't wonder
why it's reported stale.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
package/dovecot/dovecot.mk | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/package/dovecot/dovecot.mk b/package/dovecot/dovecot.mk
index e116bd3b78..a48cd7536d 100644
--- a/package/dovecot/dovecot.mk
+++ b/package/dovecot/dovecot.mk
@@ -22,6 +22,10 @@ DOVECOT_DEPENDENCIES = \
DOVECOT_IGNORE_CVES += CVE-2016-4983
# 0001-auth-Fix-handling-passdbs-with-identical-driver-args.patch
+
+# Note: this ignore CVE entry is reported as stale by pkg-stats, but
+# the NVD database is incorrect:
+# https://lore.kernel.org/buildroot/20250517181815.02ce0393@windsurf/
DOVECOT_IGNORE_CVES += CVE-2022-30550
DOVECOT_CONF_ENV = \
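Review bot: the blank line added right after `# 0001-auth-Fix-handling-passdbs-with-identical-driver-args.patch` (the bare `+` line) detaches that patch-name comment from the `DOVECOT_IGNORE_CVES += CVE-2022-30550` entry it annotates, so it now reads as a stray comment hanging below CVE-2016-4983. Drop the blank line, or fold both comments into one block directly above the entry: the patch-name line first, then `# Note: reported as stale by pkg-stats, but the NVD database is incorrect:` and the lore URL.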
--
2.49.0
* [Buildroot] [PATCH 05/22] package/exim: drop stale ignore CVE entry
2025-05-18 8:56 [Buildroot] [PATCH 00/22] CVE updates Thomas Petazzoni via buildroot
` (3 preceding siblings ...)
2025-05-18 8:56 ` [Buildroot] [PATCH 04/22] package/dovecot: document why the ignore CVE entry is not stale Thomas Petazzoni via buildroot
@ 2025-05-18 8:56 ` Thomas Petazzoni via buildroot
2025-05-19 7:01 ` Luca Ceresoli via buildroot
2025-05-18 8:56 ` [Buildroot] [PATCH 06/22] package/exim: update comment on CVE-2022-3559 Thomas Petazzoni via buildroot
` (17 subsequent siblings)
22 siblings, 1 reply; 27+ messages in thread
From: Thomas Petazzoni via buildroot @ 2025-05-18 8:56 UTC (permalink / raw)
To: Buildroot List
Cc: Raphaël Mélotte, Thomas Petazzoni, Bernd Kuhls,
Luca Ceresoli
The CVE-2022-3620 entry is not reported as affecting our exim package
by pkg-stats. Currently it's because the NVD entry is
incorrect (incorrect exim version), but we sent a bug report [1] to
the NVD database so that it gets updated. Once updated, pkg-stats
still won't report the CVE as affecting us because the issue has been
fixed in exim 4.97, and we're using a newer version.
[1] https://lore.kernel.org/buildroot/20250517183000.40b28b4d@windsurf/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
package/exim/exim.mk | 3 ---
1 file changed, 3 deletions(-)
diff --git a/package/exim/exim.mk b/package/exim/exim.mk
index 9ecae0d038..bee3a79808 100644
--- a/package/exim/exim.mk
+++ b/package/exim/exim.mk
@@ -16,9 +16,6 @@ EXIM_DEPENDENCIES = host-berkeleydb host-pcre2 pcre2 berkeleydb host-pkgconf
# 0006-Fix-regex-n-use-after-free.-Bug-2915.patch
EXIM_IGNORE_CVES += CVE-2022-3559
-# built without dmarc support
-EXIM_IGNORE_CVES += CVE-2022-3620
-
# Modify a variable value. It must already exist in the file, either
# commented or not.
define exim-config-change # variable-name, variable-value
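Review bot: the removed comment `# built without dmarc support` gave a configuration-based reason that does not depend on NVD data, while the removal is justified by the 4.97 fix and a pending NVD correction; the commit message should name the exim version actually packaged, because the hunk context (`EXIM_DEPENDENCIES = host-berkeleydb ...`) does not show it and "we're using a newer version" is the claim that makes dropping the entry safe once NVD updates its range.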
--
2.49.0
* [Buildroot] [PATCH 06/22] package/exim: update comment on CVE-2022-3559
2025-05-18 8:56 [Buildroot] [PATCH 00/22] CVE updates Thomas Petazzoni via buildroot
` (4 preceding siblings ...)
2025-05-18 8:56 ` [Buildroot] [PATCH 05/22] package/exim: drop stale ignore CVE entry Thomas Petazzoni via buildroot
@ 2025-05-18 8:56 ` Thomas Petazzoni via buildroot
2025-05-19 7:01 ` Luca Ceresoli via buildroot
2025-05-18 8:57 ` [Buildroot] [PATCH 07/22] package/libopenh264: drop stale ignore CVE entry Thomas Petazzoni via buildroot
` (16 subsequent siblings)
22 siblings, 1 reply; 27+ messages in thread
From: Thomas Petazzoni via buildroot @ 2025-05-18 8:56 UTC (permalink / raw)
To: Buildroot List
Cc: Raphaël Mélotte, Thomas Petazzoni, Bernd Kuhls,
Luca Ceresoli
We no longer have the patch fixing CVE-2022-3559 because we've updated
to a version of exim that includes it. However, the ignore CVE entry
is not stale because the NVD database is incorrect on this CVE. We
reported the issue to upstream NVD at:
https://lore.kernel.org/buildroot/20250517183423.07951665@windsurf/
Let's document this above the ignore CVE entry.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
package/exim/exim.mk | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/package/exim/exim.mk b/package/exim/exim.mk
index bee3a79808..6fa16e69a2 100644
--- a/package/exim/exim.mk
+++ b/package/exim/exim.mk
@@ -13,7 +13,8 @@ EXIM_CPE_ID_VENDOR = exim
EXIM_SELINUX_MODULES = exim mta
EXIM_DEPENDENCIES = host-berkeleydb host-pcre2 pcre2 berkeleydb host-pkgconf
-# 0006-Fix-regex-n-use-after-free.-Bug-2915.patch
+# Incorrect NVD database, reported at
+# https://lore.kernel.org/buildroot/20250517183423.07951665@windsurf/
EXIM_IGNORE_CVES += CVE-2022-3559
# Modify a variable value. It must already exist in the file, either
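Review bot: the replacement comment (`+# Incorrect NVD database, reported at` plus the lore URL) only says that NVD is wrong and no longer states why the package is not affected; the commit message explains that the packaged exim version already includes the fix formerly carried as 0006-Fix-regex-n-use-after-free.-Bug-2915.patch. Keep one line with that fact above the entry, so the reason for ignoring CVE-2022-3559 stays self-contained in exim.mk whatever happens to the NVD report.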
--
2.49.0
* [Buildroot] [PATCH 07/22] package/libopenh264: drop stale ignore CVE entry
2025-05-18 8:56 [Buildroot] [PATCH 00/22] CVE updates Thomas Petazzoni via buildroot
` (5 preceding siblings ...)
2025-05-18 8:56 ` [Buildroot] [PATCH 06/22] package/exim: update comment on CVE-2022-3559 Thomas Petazzoni via buildroot
@ 2025-05-18 8:57 ` Thomas Petazzoni via buildroot
2025-05-18 8:57 ` [Buildroot] [PATCH 08/22] package/libssh: " Thomas Petazzoni via buildroot
` (15 subsequent siblings)
22 siblings, 0 replies; 27+ messages in thread
From: Thomas Petazzoni via buildroot @ 2025-05-18 8:57 UTC (permalink / raw)
To: Buildroot List; +Cc: Raphaël Mélotte, Thomas Petazzoni, Bernd Kuhls
The NVD entry for CVE-2025-27091 was not correct, but thanks to having
been reported by Raphaël Mélotte, the issue has been fixed on May 6,
2025:
https://nvd.nist.gov/vuln/detail/CVE-2025-27091#VulnChangeHistorySection
The ignore CVE entry is therefore stale and can be dropped.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
package/libopenh264/libopenh264.mk | 3 ---
1 file changed, 3 deletions(-)
diff --git a/package/libopenh264/libopenh264.mk b/package/libopenh264/libopenh264.mk
index 9ae996fee1..f9a50e4c61 100644
--- a/package/libopenh264/libopenh264.mk
+++ b/package/libopenh264/libopenh264.mk
@@ -12,9 +12,6 @@ LIBOPENH264_CPE_ID_VENDOR = cisco
LIBOPENH264_CPE_ID_PRODUCT = openh264
LIBOPENH264_INSTALL_STAGING = YES
-# The following CVE is fixed in 2.5.1, the NVD CPE is not up to date
-LIBOPENH264_IGNORE_CVES += CVE-2025-27091
-
ifeq ($(BR2_aarch64),y)
LIBOPENH264_ARCH = aarch64
else ifeq ($(BR2_arm)$(BR2_armeb),y)
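Review bot: the dropped lines `# The following CVE is fixed in 2.5.1, the NVD CPE is not up to date` and `LIBOPENH264_IGNORE_CVES += CVE-2025-27091` are superseded by the corrected NVD record the commit message links to (changed on May 6, 2025); before merging, re-run pkg-stats against an NVD feed newer than that date, since a stale local NVD snapshot would show CVE-2025-27091 as affecting libopenh264 again once this entry is gone.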
--
2.49.0
* [Buildroot] [PATCH 08/22] package/libssh: drop stale ignore CVE entry
2025-05-18 8:56 [Buildroot] [PATCH 00/22] CVE updates Thomas Petazzoni via buildroot
` (6 preceding siblings ...)
2025-05-18 8:57 ` [Buildroot] [PATCH 07/22] package/libopenh264: drop stale ignore CVE entry Thomas Petazzoni via buildroot
@ 2025-05-18 8:57 ` Thomas Petazzoni via buildroot
2025-05-18 8:57 ` [Buildroot] [PATCH 09/22] package/netsnmp: drop stale ignore CVE entries Thomas Petazzoni via buildroot
` (14 subsequent siblings)
22 siblings, 0 replies; 27+ messages in thread
From: Thomas Petazzoni via buildroot @ 2025-05-18 8:57 UTC (permalink / raw)
To: Buildroot List; +Cc: Raphaël Mélotte, Thomas Petazzoni
CVE-2023-3603 has never affected any release, but NVD decided to
document it as affecting all versions up to 0.8.9. While this is
incorrect, we don't really care much, as we're now using 0.11 which
according to NVD is not affected, making our ignore CVE entry stale.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
package/libssh/libssh.mk | 4 ----
1 file changed, 4 deletions(-)
diff --git a/package/libssh/libssh.mk b/package/libssh/libssh.mk
index 6f8a1ac389..a00e6a9445 100644
--- a/package/libssh/libssh.mk
+++ b/package/libssh/libssh.mk
@@ -17,10 +17,6 @@ LIBSSH_CONF_OPTS = \
-DWITH_STACK_PROTECTOR=OFF \
-DWITH_EXAMPLES=OFF
-# Not part of any release
-# https://www.libssh.org/2023/07/14/cve-2023-3603-potential-null-dereference-in-libsshs-sftp-server/
-LIBSSH_IGNORE_CVES += CVE-2023-3603
-
ifeq ($(BR2_ARM_INSTRUCTIONS_THUMB),y)
LIBSSH_CONF_OPTS += -DWITH_STACK_CLASH_PROTECTION=OFF
endif
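Review bot: the justification in the removed lines (`# Not part of any release` plus the libssh.org advisory URL) did not depend on any NVD version range, whereas the removal rests on NVD listing the affected range as ending at 0.8.9 with the package now at 0.11; since the commit message itself calls that range incorrect, carry the advisory URL over into the commit message so that a future NVD edit re-flagging the package can be answered without redoing the research.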
--
2.49.0
* [Buildroot] [PATCH 09/22] package/netsnmp: drop stale ignore CVE entries
2025-05-18 8:56 [Buildroot] [PATCH 00/22] CVE updates Thomas Petazzoni via buildroot
` (7 preceding siblings ...)
2025-05-18 8:57 ` [Buildroot] [PATCH 08/22] package/libssh: " Thomas Petazzoni via buildroot
@ 2025-05-18 8:57 ` Thomas Petazzoni via buildroot
2025-05-18 8:57 ` [Buildroot] [PATCH 10/22] package/qt5/qt5base: drop stale ignore CVE entries, add CPE version Thomas Petazzoni via buildroot
` (13 subsequent siblings)
22 siblings, 0 replies; 27+ messages in thread
From: Thomas Petazzoni via buildroot @ 2025-05-18 8:57 UTC (permalink / raw)
To: Buildroot List; +Cc: Raphaël Mélotte, Thomas Petazzoni
The 0001-snmp_agent-disallow-SET-with-NULL-varbind.patch patch has
been dropped as part of the bump from 5.9.3 to 5.9.4 in commit
1799cfebfd5ea1312cce74b3807d4aad044bce67, which means 5.9.4 has the
security fix, and therefore the ignore CVE entry is no longer needed.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
package/netsnmp/netsnmp.mk | 4 ----
1 file changed, 4 deletions(-)
diff --git a/package/netsnmp/netsnmp.mk b/package/netsnmp/netsnmp.mk
index 499e1d9477..a79c13c611 100644
--- a/package/netsnmp/netsnmp.mk
+++ b/package/netsnmp/netsnmp.mk
@@ -11,10 +11,6 @@ NETSNMP_LICENSE = Various BSD-like
NETSNMP_LICENSE_FILES = COPYING
NETSNMP_CPE_ID_VENDOR = net-snmp
NETSNMP_CPE_ID_PRODUCT = $(NETSNMP_CPE_ID_VENDOR)
-# 0001-snmp_agent-disallow-SET-with-NULL-varbind.patch
-NETSNMP_IGNORE_CVES = \
- CVE-2022-44792 \
- CVE-2022-44793
NETSNMP_SELINUX_MODULES = snmp
NETSNMP_INSTALL_STAGING = YES
NETSNMP_CONF_ENV = \
--
2.49.0
* [Buildroot] [PATCH 10/22] package/qt5/qt5base: drop stale ignore CVE entries, add CPE version
2025-05-18 8:56 [Buildroot] [PATCH 00/22] CVE updates Thomas Petazzoni via buildroot
` (8 preceding siblings ...)
2025-05-18 8:57 ` [Buildroot] [PATCH 09/22] package/netsnmp: drop stale ignore CVE entries Thomas Petazzoni via buildroot
@ 2025-05-18 8:57 ` Thomas Petazzoni via buildroot
2025-05-18 8:57 ` [Buildroot] [PATCH 11/22] package/ripgrep: drop stale ignore CVE entry Thomas Petazzoni via buildroot
` (12 subsequent siblings)
22 siblings, 0 replies; 27+ messages in thread
From: Thomas Petazzoni via buildroot @ 2025-05-18 8:57 UTC (permalink / raw)
To: Buildroot List
Cc: Raphaël Mélotte, Thomas Petazzoni, Roy Kollen Svendsen,
Quentin Schulz, Christian Hitz, Giulio Benetti, Julien Corjon
The qt5base was reported to have 2 stale ignore CVE entries, one not
stale. Turns out that because the version is a Git commit hash, the
version comparison did not make a lot of sense.
This commit adds QT5BASE_CPE_ID_VERSION, assigned to the closest
upstream version that we package (the Git repo we fetch is 5.15.14
plus a number of fixes). With this done, all 3 ignore CVE entries are
stale because the vulnerabilities have been fixed prior to 5.15.14.
In addition, setting QT5BASE_CPE_ID_VERSION allows reducing the
number of CVEs affecting qt5base from 20 to 8.
Cc: Roy Kollen Svendsen <roykollensvendsen@gmail.com>
Cc: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Cc: Christian Hitz <christian.hitz@bbv.ch>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
package/qt5/qt5base/qt5base.mk | 11 ++---------
1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/package/qt5/qt5base/qt5base.mk b/package/qt5/qt5base/qt5base.mk
index add460c257..3ad2bdfc04 100644
--- a/package/qt5/qt5base/qt5base.mk
+++ b/package/qt5/qt5base/qt5base.mk
@@ -9,20 +9,13 @@ QT5BASE_SITE = $(QT5_SITE)/qtbase
QT5BASE_SITE_METHOD = git
QT5BASE_CPE_ID_VENDOR = qt
QT5BASE_CPE_ID_PRODUCT = qt
+# Closest upstream version
+QT5BASE_CPE_ID_VERSION = 5.15.14
QT5BASE_DEPENDENCIES = host-pkgconf pcre2 zlib
QT5BASE_INSTALL_STAGING = YES
QT5BASE_SYNC_QT_HEADERS = YES
-# From commits:
-# 4ce7053a59 "Avoid processing-intensive painting of high number of tiny dashes"
-# e7ea2ed27c "Improve fix for avoiding huge number of tiny dashes"
-QT5BASE_IGNORE_CVES += CVE-2021-38593
-# From commit 2766b2cba6ca4b1c430304df5437e2a6c874b107 "QProcess/Unix: ensure we don't accidentally execute something from CWD"
-QT5BASE_IGNORE_CVES += CVE-2022-25255
-# From commit e68ca8e51375d963b2391715f70b42707992dbd8 "Windows: use QSystemLibrary instead of LoadLibrary directly"
-QT5BASE_IGNORE_CVES += CVE-2022-25634
-
# A few comments:
# * -no-pch to workaround the issue described at
# http://comments.gmane.org/gmane.comp.lib.qt.devel/5933.
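Review bot: `+QT5BASE_CPE_ID_VERSION = 5.15.14` with the comment `# Closest upstream version` understates what the commit message explains: the fetched Git commit is 5.15.14 plus additional fixes, so any CVE fixed between 5.15.14 and that commit will from now on be reported against qt5base and will need its own ignore entry. Say so in the comment (the sox patch in this series words it as `# The Git commit in SOX_VERSION is 14.4.2 + a large number of commits`), and name the commit used as the upper bound so the 20-to-8 CVE reduction can be re-verified on the next bump.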
--
2.49.0
* [Buildroot] [PATCH 11/22] package/ripgrep: drop stale ignore CVE entry
2025-05-18 8:56 [Buildroot] [PATCH 00/22] CVE updates Thomas Petazzoni via buildroot
` (9 preceding siblings ...)
2025-05-18 8:57 ` [Buildroot] [PATCH 10/22] package/qt5/qt5base: drop stale ignore CVE entries, add CPE version Thomas Petazzoni via buildroot
@ 2025-05-18 8:57 ` Thomas Petazzoni via buildroot
2025-05-18 8:57 ` [Buildroot] [PATCH 12/22] package/sox: add SOX_CPE_ID_VERSION Thomas Petazzoni via buildroot
` (11 subsequent siblings)
22 siblings, 0 replies; 27+ messages in thread
From: Thomas Petazzoni via buildroot @ 2025-05-18 8:57 UTC (permalink / raw)
To: Buildroot List; +Cc: Raphaël Mélotte, Thomas Petazzoni, Sam Voss
The ignore CVE entry was added because the vulnerability only affects
Windows. But it also only affected ripgrep versions < 13, and we're
using ripgrep 14.x now, so the CVE is anyway no longer relevant, and
the ignore CVE entry can be dropped.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
package/ripgrep/ripgrep.mk | 3 ---
1 file changed, 3 deletions(-)
diff --git a/package/ripgrep/ripgrep.mk b/package/ripgrep/ripgrep.mk
index fd5b3b882e..f340452169 100644
--- a/package/ripgrep/ripgrep.mk
+++ b/package/ripgrep/ripgrep.mk
@@ -10,7 +10,4 @@ RIPGREP_LICENSE = MIT
RIPGREP_LICENSE_FILES = LICENSE-MIT
RIPGREP_CPE_ID_VALID = YES
-# CVE only impacts ripgrep on Windows
-RIPGREP_IGNORE_CVES += CVE-2021-3013
-
$(eval $(cargo-package))
--
2.49.0
* [Buildroot] [PATCH 12/22] package/sox: add SOX_CPE_ID_VERSION
2025-05-18 8:56 [Buildroot] [PATCH 00/22] CVE updates Thomas Petazzoni via buildroot
` (10 preceding siblings ...)
2025-05-18 8:57 ` [Buildroot] [PATCH 11/22] package/ripgrep: drop stale ignore CVE entry Thomas Petazzoni via buildroot
@ 2025-05-18 8:57 ` Thomas Petazzoni via buildroot
2025-05-18 8:57 ` [Buildroot] [PATCH 13/22] package/sox: annotate ignore CVE entries Thomas Petazzoni via buildroot
` (10 subsequent siblings)
22 siblings, 0 replies; 27+ messages in thread
From: Thomas Petazzoni via buildroot @ 2025-05-18 8:57 UTC (permalink / raw)
To: Buildroot List; +Cc: Raphaël Mélotte, Thomas Petazzoni
All ignore CVE entries of the sox package are considered stale because
SOX_VERSION is a Git commit and therefore the version matching logic
doesn't do the right thing.
This commit sets SOX_CPE_ID_VERSION to 14.4.2, which is the closest
upstream version on which we are based: our Git commit is 14.4.2 plus
a number of commits that fix a large number of CVEs.
Thanks to this change, the ignore CVE entries are no longer stale.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
package/sox/sox.mk | 2 ++
1 file changed, 2 insertions(+)
diff --git a/package/sox/sox.mk b/package/sox/sox.mk
index d0329bf50d..42e47a916c 100644
--- a/package/sox/sox.mk
+++ b/package/sox/sox.mk
@@ -12,6 +12,8 @@ SOX_LICENSE = GPL-2.0+ (sox binary), LGPL-2.1+ (libraries)
SOX_LICENSE_FILES = LICENSE.GPL LICENSE.LGPL
SOX_CPE_ID_VENDOR = sound_exchange_project
SOX_CPE_ID_PRODUCT = sound_exchange
+# The Git commit in SOX_VERSION is 14.4.2 + a large number of commits
+SOX_CPE_ID_VERSION = 14.4.2
# From git and we're patching configure.ac
SOX_AUTORECONF = YES
SOX_AUTORECONF_OPTS = --include=$(HOST_DIR)/share/autoconf-archive
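Review bot: pinning `SOX_CPE_ID_VERSION = 14.4.2` makes NVD match every CVE fixed by the post-14.4.2 commits the package carries, so the accuracy of the pkg-stats report now depends entirely on SOX_IGNORE_CVES listing each of them. State that dependency in the comment, e.g. `# The Git commit in SOX_VERSION is 14.4.2 + a large number of commits; the CVEs they fix are listed in SOX_IGNORE_CVES below`, so that the two settings are maintained together when SOX_VERSION is next bumped.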
--
2.49.0
* [Buildroot] [PATCH 13/22] package/sox: annotate ignore CVE entries
2025-05-18 8:56 [Buildroot] [PATCH 00/22] CVE updates Thomas Petazzoni via buildroot
` (11 preceding siblings ...)
2025-05-18 8:57 ` [Buildroot] [PATCH 12/22] package/sox: add SOX_CPE_ID_VERSION Thomas Petazzoni via buildroot
@ 2025-05-18 8:57 ` Thomas Petazzoni via buildroot
2025-05-18 8:57 ` [Buildroot] [PATCH 14/22] package/sox: add ignore CVE entry for CVE-2019-1010004 Thomas Petazzoni via buildroot
` (9 subsequent siblings)
22 siblings, 0 replies; 27+ messages in thread
From: Thomas Petazzoni via buildroot @ 2025-05-18 8:57 UTC (permalink / raw)
To: Buildroot List; +Cc: Raphaël Mélotte, Thomas Petazzoni
Commit b6871f9d93055ec94d6fb88779d44b3235b29ce9 ("package/sox:
security bump to latest git commit") forgot to annotate the ignore CVE
entries, so let's do this.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
package/sox/sox.mk | 42 ++++++++++++++++++++++++++++++++++++++----
1 file changed, 38 insertions(+), 4 deletions(-)
diff --git a/package/sox/sox.mk b/package/sox/sox.mk
index 42e47a916c..8922f98d5c 100644
--- a/package/sox/sox.mk
+++ b/package/sox/sox.mk
@@ -19,10 +19,44 @@ SOX_AUTORECONF = YES
SOX_AUTORECONF_OPTS = --include=$(HOST_DIR)/share/autoconf-archive
SOX_INSTALL_STAGING = YES
-SOX_IGNORE_CVES += CVE-2017-11332 CVE-2017-11358 CVE-2017-11359 \
- CVE-2017-15370 CVE-2017-15371 CVE-2017-15372 CVE-2017-15642 \
- CVE-2017-18189 CVE-2019-8354 CVE-2019-8355 CVE-2019-8356 \
- CVE-2019-8357 CVE-2019-13590
+# sox-14.4.2-6-g6e177c45
+SOX_IGNORE_CVES += CVE-2017-11332
+
+# sox-14.4.2-7-ge410d00c
+SOX_IGNORE_CVES += CVE-2017-11358
+
+# sox-14.4.2-8-g7b3f30e1
+SOX_IGNORE_CVES += CVE-2017-11359
+
+# sox-14.4.2-9-ge076a7ad
+SOX_IGNORE_CVES += CVE-2017-15370
+
+# sox-14.4.2-10-g968c689a
+SOX_IGNORE_CVES += CVE-2017-15371
+
+# sox-14.4.2-11-g515b9861
+SOX_IGNORE_CVES += CVE-2017-15372
+
+# sox-14.4.2-12-gf56c0dbc
+SOX_IGNORE_CVES += CVE-2017-15642
+
+# sox-14.4.2-13-g09d7388c
+SOX_IGNORE_CVES += CVE-2017-18189
+
+# sox-14.4.2-38-gf7091126
+SOX_IGNORE_CVES += CVE-2019-8354
+
+# sox-14.4.2-39-gf8587e2d
+SOX_IGNORE_CVES += CVE-2019-8355
+
+# sox-14.4.2-40-gb7883ae1
+SOX_IGNORE_CVES += CVE-2019-8356
+
+# sox-14.4.2-41-g2ce02fea
+SOX_IGNORE_CVES += CVE-2019-8357
+
+# sox-14.4.2-44-g7b6a8892
+SOX_IGNORE_CVES += CVE-2019-13590
SOX_CONF_OPTS = \
--with-distro="Buildroot" \
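Review bot: the per-entry annotations such as `# sox-14.4.2-6-g6e177c45` identify the fixing commit only by a `git describe` string, so a reader checking an entry still has to fetch the repository to learn what that commit changed. Adding the upstream commit subject on the same line, the way the removed qt5base comments did (`4ce7053a59 "Avoid processing-intensive painting of high number of tiny dashes"`), would make each entry verifiable from sox.mk alone.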
--
2.49.0
* [Buildroot] [PATCH 14/22] package/sox: add ignore CVE entry for CVE-2019-1010004
2025-05-18 8:56 [Buildroot] [PATCH 00/22] CVE updates Thomas Petazzoni via buildroot
` (12 preceding siblings ...)
2025-05-18 8:57 ` [Buildroot] [PATCH 13/22] package/sox: annotate ignore CVE entries Thomas Petazzoni via buildroot
@ 2025-05-18 8:57 ` Thomas Petazzoni via buildroot
2025-05-18 8:57 ` [Buildroot] [PATCH 15/22] package/sox: rework the 0001 patch to make it Git-applicable Thomas Petazzoni via buildroot
` (8 subsequent siblings)
22 siblings, 0 replies; 27+ messages in thread
From: Thomas Petazzoni via buildroot @ 2025-05-18 8:57 UTC (permalink / raw)
To: Buildroot List; +Cc: Raphaël Mélotte, Thomas Petazzoni
This CVE is a duplicate of CVE-2017-18189, according to
https://security-tracker.debian.org/tracker/CVE-2019-1010004, and
https://security-tracker.debian.org/tracker/CVE-2019-1010004 also
points to the commit that also fixed CVE-2017-18189.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
package/sox/sox.mk | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/package/sox/sox.mk b/package/sox/sox.mk
index 8922f98d5c..d8a0d7d1df 100644
--- a/package/sox/sox.mk
+++ b/package/sox/sox.mk
@@ -41,7 +41,8 @@ SOX_IGNORE_CVES += CVE-2017-15372
SOX_IGNORE_CVES += CVE-2017-15642
# sox-14.4.2-13-g09d7388c
-SOX_IGNORE_CVES += CVE-2017-18189
+# CVE-2019-1010004 is a duplicate of CVE-2017-18189
+SOX_IGNORE_CVES += CVE-2017-18189 CVE-2019-1010004
# sox-14.4.2-38-gf7091126
SOX_IGNORE_CVES += CVE-2019-8354
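Review bot: the new comment `# CVE-2019-1010004 is a duplicate of CVE-2017-18189` should carry the Debian security-tracker URL that the commit message cites, since the duplicate status is the only reason this entry is justified; the commit message currently gives that URL twice and the file not at all, so put it once above the entry and once in the log.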
--
2.49.0
* [Buildroot] [PATCH 15/22] package/sox: rework the 0001 patch to make it Git-applicable
2025-05-18 8:56 [Buildroot] [PATCH 00/22] CVE updates Thomas Petazzoni via buildroot
` (13 preceding siblings ...)
2025-05-18 8:57 ` [Buildroot] [PATCH 14/22] package/sox: add ignore CVE entry for CVE-2019-1010004 Thomas Petazzoni via buildroot
@ 2025-05-18 8:57 ` Thomas Petazzoni via buildroot
2025-05-18 8:57 ` [Buildroot] [PATCH 16/22] package/sox: add fix for CVE-2021-3643 CVE-2021-23210 Thomas Petazzoni via buildroot
` (7 subsequent siblings)
22 siblings, 0 replies; 27+ messages in thread
From: Thomas Petazzoni via buildroot @ 2025-05-18 8:57 UTC (permalink / raw)
To: Buildroot List; +Cc: Raphaël Mélotte, Thomas Petazzoni
Due to the "From:" in the commit log itself, this patch was not
applicable using git am:
$ git am 0001-Make-SoX-support-uclibc-based-toolchains.patch
Applying: Make SoX support uclibc-based toolchains
fatal: empty ident name (for <>) not allowed
Thanks to Arnout who found the issue.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
.../0001-Make-SoX-support-uclibc-based-toolchains.patch | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/package/sox/0001-Make-SoX-support-uclibc-based-toolchains.patch b/package/sox/0001-Make-SoX-support-uclibc-based-toolchains.patch
index 3d21b570f1..9d004321f7 100644
--- a/package/sox/0001-Make-SoX-support-uclibc-based-toolchains.patch
+++ b/package/sox/0001-Make-SoX-support-uclibc-based-toolchains.patch
@@ -1,10 +1,9 @@
-From 5d51acafe9c38fb05939b4d2d6a9dcde12476458 Mon Sep 17 00:00:00 2001
+From a1c913c52f70ee7c70e1e5ae1473ee407cd1494c Mon Sep 17 00:00:00 2001
From: Gustavo Zacarias <gustavo@zacarias.com.ar>
-Date: Sat, 29 Jun 2024 12:28:54 +0200
+Date: Sat, 17 May 2025 22:12:23 +0200
Subject: [PATCH] Make SoX support uclibc-based toolchains
-From:
-http://sourceforge.net/p/sox/bugs/179/
+From http://sourceforge.net/p/sox/bugs/179/
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
[Julien: rebased patch on package git version 7524160,
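Review bot: replacing the empty `From:` header line with `From http://sourceforge.net/p/sox/bugs/179/` does fix the `git am` ident failure quoted in the commit message, but the regenerated header also changes `Date:` from 2024 to `Sat, 17 May 2025 22:12:23 +0200` and the hash on the first `From` line while keeping `From: Gustavo Zacarias`; the commit message should say the patch was regenerated with git format-patch so the new date and hash are read as regeneration artefacts rather than as a change of authorship.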
@@ -36,5 +35,5 @@ index 3fcf4382..9fc001bd 100644
(void)fp;
#endif
--
-2.45.2
+2.49.0
--
2.49.0
* [Buildroot] [PATCH 16/22] package/sox: add fix for CVE-2021-3643 CVE-2021-23210
2025-05-18 8:56 [Buildroot] [PATCH 00/22] CVE updates Thomas Petazzoni via buildroot
` (14 preceding siblings ...)
2025-05-18 8:57 ` [Buildroot] [PATCH 15/22] package/sox: rework the 0001 patch to make it Git-applicable Thomas Petazzoni via buildroot
@ 2025-05-18 8:57 ` Thomas Petazzoni via buildroot
2025-05-18 8:57 ` [Buildroot] [PATCH 17/22] package/sox: add fix for CVE-2021-23159, CVE-2021-23172, CVE-2023-34318 Thomas Petazzoni via buildroot
` (6 subsequent siblings)
22 siblings, 0 replies; 27+ messages in thread
From: Thomas Petazzoni via buildroot @ 2025-05-18 8:57 UTC (permalink / raw)
To: Buildroot List; +Cc: Raphaël Mélotte, Thomas Petazzoni
This fix is included in Debian's sox package. The CVE is not reported
by pkg-stats because the NVD database has associated it with the
sox_project:sox vendor/product CPE. This has been reported to NVD:
https://lore.kernel.org/buildroot/20250517220322.4da9bdb3@windsurf/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
...hould-never-be-0-to-avoid-division-b.patch | 34 +++++++++++++++++++
package/sox/sox.mk | 5 +++
2 files changed, 39 insertions(+)
create mode 100644 package/sox/0006-voc-word-width-should-never-be-0-to-avoid-division-b.patch
diff --git a/package/sox/0006-voc-word-width-should-never-be-0-to-avoid-division-b.patch b/package/sox/0006-voc-word-width-should-never-be-0-to-avoid-division-b.patch
new file mode 100644
index 0000000000..94298b7ae5
--- /dev/null
+++ b/package/sox/0006-voc-word-width-should-never-be-0-to-avoid-division-b.patch
@@ -0,0 +1,34 @@
+From ad8ecfbdd9ff184b60600a115247a6aa947d0215 Mon Sep 17 00:00:00 2001
+From: Helmut Grohne <helmut@subdivi.de>
+Date: Sat, 17 May 2025 22:10:00 +0200
+Subject: [PATCH] voc: word width should never be 0 to avoid division by zero
+
+Bug: https://sourceforge.net/p/sox/bugs/351/
+Bug-Debian: https://bugs.debian.org/1010374
+
+This patch fixes both CVE-2021-3643 and CVE-2021-23210.
+
+Upstream: https://sourceforge.net/p/sox/bugs/351/
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+---
+ src/voc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/voc.c b/src/voc.c
+index a75639e9..0ca07f94 100644
+--- a/src/voc.c
++++ b/src/voc.c
+@@ -625,6 +625,10 @@ static int getblock(sox_format_t * ft)
+ v->rate = new_rate_32;
+ ft->signal.rate = new_rate_32;
+ lsx_readb(ft, &uc);
++ if (uc <= 1) {
++ lsx_fail_errno(ft, SOX_EFMT, "2 bits per word required");
++ return (SOX_EOF);
++ }
+ v->size = uc;
+ lsx_readb(ft, &uc);
+ if (v->channels != -1 && uc != v->channels) {
+--
+2.49.0
+
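Review bot: the subject says the word width "should never be 0", but the added check `if (uc <= 1)` rejects 1 as well and the error text says "2 bits per word required"; one sentence in the patch description explaining why a width of 1 is invalid too would spare the next reader from wondering whether the comparison is off by one. Returning before `v->size = uc;` is assigned is the right order, so the rest of the reader never sees the rejected value.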
diff --git a/package/sox/sox.mk b/package/sox/sox.mk
index d8a0d7d1df..eba166f68b 100644
--- a/package/sox/sox.mk
+++ b/package/sox/sox.mk
@@ -59,6 +59,11 @@ SOX_IGNORE_CVES += CVE-2019-8357
# sox-14.4.2-44-g7b6a8892
SOX_IGNORE_CVES += CVE-2019-13590
+# 0006-voc-word-width-should-never-be-0-to-avoid-division-b.patch
+# This entry is NOT stale, those CVEs are not reported by pkg-stats
+# due to the change of CPE ID to sox_project:sox in the NVD database
+SOX_IGNORE_CVES += CVE-2021-3643 CVE-2021-23210
+
SOX_CONF_OPTS = \
--with-distro="Buildroot" \
--disable-stack-protector
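Review bot: the comment says these CVEs are currently not reported by pkg-stats, which leaves the reader wondering why an ignore entry is needed at all; a line stating the intent, that the entry is there so the CVEs stay ignored once NVD corrects the CPE to the vendor/product Buildroot matches (the 0006 patch fixes them), would make the "NOT stale" remark self-explanatory.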
--
2.49.0
* [Buildroot] [PATCH 17/22] package/sox: add fix for CVE-2021-23159, CVE-2021-23172, CVE-2023-34318
From: Thomas Petazzoni via buildroot @ 2025-05-18 8:57 UTC (permalink / raw)
To: Buildroot List; +Cc: Raphaël Mélotte, Thomas Petazzoni
This fix is integrated in Debian. The CVEs are not reported by pkg-stats
because the NVD database has associated them with the sox_project:sox
vendor/product CPE. This has been reported to NVD:
https://lore.kernel.org/buildroot/20250517220322.4da9bdb3@windsurf/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
package/sox/0007-hcom-validate-dictsize.patch | 38 +++++++++++++++++++
package/sox/sox.mk | 5 +++
2 files changed, 43 insertions(+)
create mode 100644 package/sox/0007-hcom-validate-dictsize.patch
diff --git a/package/sox/0007-hcom-validate-dictsize.patch b/package/sox/0007-hcom-validate-dictsize.patch
new file mode 100644
index 0000000000..722b64675b
--- /dev/null
+++ b/package/sox/0007-hcom-validate-dictsize.patch
@@ -0,0 +1,38 @@
+From 54455f59305d9ce94cc73100bc2dd542865fed4b Mon Sep 17 00:00:00 2001
+From: Helmut Grohne <helmut@subdivi.de>
+Date: Sat, 17 May 2025 22:33:16 +0200
+Subject: [PATCH] hcom: validate dictsize
+
+Bug: https://sourceforge.net/p/sox/bugs/350/
+Bug: https://sourceforge.net/p/sox/bugs/352/
+Bug-Debian: https://bugs.debian.org/1021133
+Bug-Debian: https://bugs.debian.org/1021134
+
+This patch fixes both CVE-2021-23159 and CVE-2021-23172.
+
+Upstream: https://sourceforge.net/p/sox/bugs/350/
+Upstream: https://sourceforge.net/p/sox/bugs/352/
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+---
+ src/hcom.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/hcom.c b/src/hcom.c
+index 594c8706..9e8b03c6 100644
+--- a/src/hcom.c
++++ b/src/hcom.c
+@@ -141,6 +141,11 @@ static int startread(sox_format_t * ft)
+ return (SOX_EOF);
+ }
+ lsx_readw(ft, &dictsize);
++ if (dictsize == 0 || dictsize > 511)
++ {
++ lsx_fail_errno(ft, SOX_EHDR, "Implausible dictionary size in HCOM header");
++ return SOX_EOF;
++ }
+
+ /* Translate to sox parameters */
+ ft->encoding.encoding = SOX_ENCODING_HCOM;
+--
+2.49.0
+
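Review bot: the patch description states that it fixes CVE-2021-23159 and CVE-2021-23172, but the commit title and the accompanying sox.mk entry also list CVE-2023-34318; the patch header (or at least the sox.mk comment) should say why this single dictsize check covers the third CVE as well, otherwise that part of the ignore entry looks unjustified. A short comment on where the `dictsize > 511` upper bound comes from would also help, since 511 appears as a bare magic number.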
diff --git a/package/sox/sox.mk b/package/sox/sox.mk
index eba166f68b..6ce9ed3508 100644
--- a/package/sox/sox.mk
+++ b/package/sox/sox.mk
@@ -64,6 +64,11 @@ SOX_IGNORE_CVES += CVE-2019-13590
# due to the change of CPE ID to sox_project:sox in the NVD database
SOX_IGNORE_CVES += CVE-2021-3643 CVE-2021-23210
+# 0007-hcom-validate-dictsize.patch
+# This entry is NOT stale, those CVEs are not reported by pkg-stats
+# due to the change of CPE ID to sox_project:sox in the NVD database
+SOX_IGNORE_CVES += CVE-2021-23159 CVE-2021-23172 CVE-2023-34318
+
SOX_CONF_OPTS = \
--with-distro="Buildroot" \
--disable-stack-protector
--
2.49.0
* [Buildroot] [PATCH 18/22] package/sox: add fix for CVE-2021-40426
From: Thomas Petazzoni via buildroot @ 2025-05-18 8:57 UTC (permalink / raw)
To: Buildroot List; +Cc: Raphaël Mélotte, Thomas Petazzoni
The patch comes from Debian. The CVEs are not reported by pkg-stats
because the NVD database has associated them with the
libsox_project:libsox vendor/product CPE. This has been reported to
NVD:
https://lore.kernel.org/buildroot/20250517220322.4da9bdb3@windsurf/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
.../0008-phere-avoid-integer-underflow.patch | 42 +++++++++++++++++++
package/sox/sox.mk | 5 +++
2 files changed, 47 insertions(+)
create mode 100644 package/sox/0008-phere-avoid-integer-underflow.patch
diff --git a/package/sox/0008-phere-avoid-integer-underflow.patch b/package/sox/0008-phere-avoid-integer-underflow.patch
new file mode 100644
index 0000000000..7c59896660
--- /dev/null
+++ b/package/sox/0008-phere-avoid-integer-underflow.patch
@@ -0,0 +1,42 @@
+From c49c81a3c4409e7c1979ec8cb341fb0c57220616 Mon Sep 17 00:00:00 2001
+From: Helmut Grohne <helmut@subdivi.de>
+Date: Sat, 17 May 2025 22:48:05 +0200
+Subject: [PATCH] phere: avoid integer underflow
+
+Link: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1434
+Bug: https://sourceforge.net/p/sox/bugs/362/
+Bug-Debian: https://bugs.debian.org/1012138
+
+Upstream: https://sourceforge.net/p/sox/bugs/362/
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+---
+ src/sphere.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/sphere.c b/src/sphere.c
+index a3fd1c64..9544d160 100644
+--- a/src/sphere.c
++++ b/src/sphere.c
+@@ -63,7 +63,8 @@ static int start_read(sox_format_t * ft)
+ return (SOX_EOF);
+ }
+
+- header_size -= (strlen(buf) + 1);
++ bytes_read = strlen(buf);
++ header_size -= bytes_read >= header_size ? header_size : bytes_read + 1;
+
+ while (strncmp(buf, "end_head", (size_t)8) != 0) {
+ if (strncmp(buf, "sample_n_bytes", (size_t)14) == 0)
+@@ -105,7 +106,8 @@ static int start_read(sox_format_t * ft)
+ return (SOX_EOF);
+ }
+
+- header_size -= (strlen(buf) + 1);
++ bytes_read = strlen(buf);
++ header_size -= bytes_read >= header_size ? header_size : bytes_read + 1;
+ }
+
+ if (!bytes_per_sample)
+--
+2.49.0
+
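Review bot: the file name and the Subject say "phere" while the code touched is src/sphere.c; `phere: avoid integer underflow` and the 0008-phere-... file name should read "sphere" so the patch turns up when grepping for the format. Both replacement hunks also assign to `bytes_read`, whose declaration is not in the visible context; worth confirming it already exists in start_read() with a type compatible with `header_size`, since `bytes_read >= header_size` would otherwise be a mixed signed/unsigned comparison.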
diff --git a/package/sox/sox.mk b/package/sox/sox.mk
index 6ce9ed3508..384d012763 100644
--- a/package/sox/sox.mk
+++ b/package/sox/sox.mk
@@ -69,6 +69,11 @@ SOX_IGNORE_CVES += CVE-2021-3643 CVE-2021-23210
# due to the change of CPE ID to sox_project:sox in the NVD database
SOX_IGNORE_CVES += CVE-2021-23159 CVE-2021-23172 CVE-2023-34318
+# 0008-phere-avoid-integer-underflow.patch
+# This entry is NOT stale, those CVEs are not reported by pkg-stats
+# due to the change of CPE ID to libsox_project:libsox in the NVD database
+SOX_IGNORE_CVES += CVE-2021-40426
+
SOX_CONF_OPTS = \
--with-distro="Buildroot" \
--disable-stack-protector
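Review bot: the comment says "those CVEs" but this hunk adds a single one, CVE-2021-40426; "this CVE is not reported" reads better and does not suggest that entries are missing from the line.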
--
2.49.0
* [Buildroot] [PATCH 19/22] package/sox: add fix for CVE-2022-31650, CVE-2023-26590
From: Thomas Petazzoni via buildroot @ 2025-05-18 8:57 UTC (permalink / raw)
To: Buildroot List; +Cc: Raphaël Mélotte, Thomas Petazzoni
Patch comes from Debian. The CVEs are not reported by pkg-stats
because the NVD database has associated them with the sox_project:sox
vendor/product CPE. This has been reported to NVD:
https://lore.kernel.org/buildroot/20250517220322.4da9bdb3@windsurf/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
...ect-implausibly-large-number-of-chan.patch | 63 +++++++++++++++++++
package/sox/sox.mk | 5 ++
2 files changed, 68 insertions(+)
create mode 100644 package/sox/0009-formats-aiff-reject-implausibly-large-number-of-chan.patch
diff --git a/package/sox/0009-formats-aiff-reject-implausibly-large-number-of-chan.patch b/package/sox/0009-formats-aiff-reject-implausibly-large-number-of-chan.patch
new file mode 100644
index 0000000000..fd1d210da1
--- /dev/null
+++ b/package/sox/0009-formats-aiff-reject-implausibly-large-number-of-chan.patch
@@ -0,0 +1,63 @@
+From 452bfd55096e24ff5eb4a5eb491c70125ce05be8 Mon Sep 17 00:00:00 2001
+From: Helmut Grohne <helmut@subdivi.de>
+Date: Sat, 17 May 2025 22:55:32 +0200
+Subject: [PATCH] formats+aiff: reject implausibly large number of channels
+
+Bug: https://sourceforge.net/p/sox/bugs/360/
+Bug-Debian: https://bugs.debian.org/1012516
+
+Upstream: https://sourceforge.net/p/sox/bugs/360/
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+---
+ src/aiff.c | 5 +++++
+ src/formats_i.c | 10 ++++++++--
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/src/aiff.c b/src/aiff.c
+index 3a152c58..6de94f32 100644
+--- a/src/aiff.c
++++ b/src/aiff.c
+@@ -619,6 +619,11 @@ int lsx_aiffstartwrite(sox_format_t * ft)
+ At 48 kHz, 16 bits stereo, this gives ~3 hours of audio.
+ Sorry, the AIFF format does not provide for an indefinite
+ number of samples. */
++ if (ft->signal.channels >= (0x7f000000 / (ft->encoding.bits_per_sample >> 3)))
++ {
++ lsx_fail_errno(ft, SOX_EOF, "too many channels for AIFF header");
++ return SOX_EOF;
++ }
+ return(aiffwriteheader(ft, (uint64_t) 0x7f000000 / ((ft->encoding.bits_per_sample>>3)*ft->signal.channels)));
+ }
+
+diff --git a/src/formats_i.c b/src/formats_i.c
+index 7048040d..6a7c27e3 100644
+--- a/src/formats_i.c
++++ b/src/formats_i.c
+@@ -19,6 +19,7 @@
+ */
+
+ #include "sox_i.h"
++#include <limits.h>
+ #include <string.h>
+ #include <sys/stat.h>
+ #include <stdarg.h>
+@@ -60,9 +61,14 @@ int lsx_check_read_params(sox_format_t * ft, unsigned channels,
+ if (ft->seekable)
+ ft->data_start = lsx_tell(ft);
+
+- if (channels && ft->signal.channels && ft->signal.channels != channels)
++ if (channels && ft->signal.channels && ft->signal.channels != channels) {
+ lsx_warn("`%s': overriding number of channels", ft->filename);
+- else ft->signal.channels = channels;
++ } else if (channels > SHRT_MAX) {
++ lsx_fail_errno(ft, EINVAL, "implausibly large number of channels");
++ return SOX_EOF;
++ } else {
++ ft->signal.channels = channels;
++ }
+
+ if (rate && ft->signal.rate && ft->signal.rate != rate)
+ lsx_warn("`%s': overriding sample rate", ft->filename);
+--
+2.49.0
+
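Review bot: in the aiff.c hunk, the new guard divides by `(ft->encoding.bits_per_sample >> 3)` before the existing `return(aiffwriteheader(...))` expression does the same; if lsx_aiffstartwrite() can be entered with fewer than 8 bits per sample, that shift yields 0 and both lines divide by zero, so either confirm the encoding is validated earlier or check `bits_per_sample >= 8` first. Separately, `lsx_fail_errno(ft, SOX_EOF, ...)` passes SOX_EOF in the errno position, whereas the formats_i.c hunk of the same patch uses EINVAL; an errno value here too would keep error reporting consistent.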
diff --git a/package/sox/sox.mk b/package/sox/sox.mk
index 384d012763..f76a338661 100644
--- a/package/sox/sox.mk
+++ b/package/sox/sox.mk
@@ -74,6 +74,11 @@ SOX_IGNORE_CVES += CVE-2021-23159 CVE-2021-23172 CVE-2023-34318
# due to the change of CPE ID to libsox_project:libsox in the NVD database
SOX_IGNORE_CVES += CVE-2021-40426
+# 0009-formats-aiff-reject-implausibly-large-number-of-chan.patch
+# This entry is NOT stale, those CVEs are not reported by pkg-stats
+# due to the change of CPE ID to sox_project:sox in the NVD database
+SOX_IGNORE_CVES += CVE-2022-31650 CVE-2023-26590
+
SOX_CONF_OPTS = \
--with-distro="Buildroot" \
--disable-stack-protector
--
2.49.0
* [Buildroot] [PATCH 20/22] package/sox: add fix for CVE-2022-31651
From: Thomas Petazzoni via buildroot @ 2025-05-18 8:57 UTC (permalink / raw)
To: Buildroot List; +Cc: Raphaël Mélotte, Thomas Petazzoni
Patch comes from Debian. The CVEs are not reported by pkg-stats
because the NVD database has associated them with the sox_project:sox
vendor/product CPE. This has been reported to NVD:
https://lore.kernel.org/buildroot/20250517220322.4da9bdb3@windsurf/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
...0010-formats-reject-implausible-rate.patch | 39 +++++++++++++++++++
package/sox/sox.mk | 5 +++
2 files changed, 44 insertions(+)
create mode 100644 package/sox/0010-formats-reject-implausible-rate.patch
diff --git a/package/sox/0010-formats-reject-implausible-rate.patch b/package/sox/0010-formats-reject-implausible-rate.patch
new file mode 100644
index 0000000000..5e60b62011
--- /dev/null
+++ b/package/sox/0010-formats-reject-implausible-rate.patch
@@ -0,0 +1,39 @@
+From 6af0a8b32df4d7a83fd52a963a20e6e321f10fd6 Mon Sep 17 00:00:00 2001
+From: Helmut Grohne <helmut@subdivi.de>
+Date: Sat, 17 May 2025 23:05:33 +0200
+Subject: [PATCH] formats: reject implausible rate
+
+Bug: https://sourceforge.net/p/sox/bugs/360/
+Bug-Debian: https://bugs.debian.org/1012516
+
+Upstream: https://sourceforge.net/p/sox/bugs/360/
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+---
+ src/formats_i.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/formats_i.c b/src/formats_i.c
+index 6a7c27e3..5f5ef979 100644
+--- a/src/formats_i.c
++++ b/src/formats_i.c
+@@ -70,9 +70,15 @@ int lsx_check_read_params(sox_format_t * ft, unsigned channels,
+ ft->signal.channels = channels;
+ }
+
+- if (rate && ft->signal.rate && ft->signal.rate != rate)
++ if (rate && ft->signal.rate && ft->signal.rate != rate) {
+ lsx_warn("`%s': overriding sample rate", ft->filename);
+- else ft->signal.rate = rate;
++ /* Since NaN comparisons yield false, the negation rejects them. */
++ } else if (!(rate > 0)) {
++ lsx_fail_errno(ft, EINVAL, "invalid rate value");
++ return SOX_EOF;
++ } else {
++ ft->signal.rate = rate;
++ }
+
+ if (encoding && ft->encoding.encoding && ft->encoding.encoding != encoding)
+ lsx_warn("`%s': overriding encoding type", ft->filename);
+--
+2.49.0
+
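Review bot: the comment `/* Since NaN comparisons yield false, the negation rejects them. */` sits inside the first branch, between `lsx_warn(...)` and the closing brace, although it explains the `} else if (!(rate > 0))` test that follows; moving it to the line above that condition, or inside its block, avoids misleading the reader. Note also that `!(rate > 0)` lets an infinite rate through; if the callers can produce one, adding an `isinf()`/`isfinite()` check from `<math.h>` would make the rejection complete.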
diff --git a/package/sox/sox.mk b/package/sox/sox.mk
index f76a338661..c0d903f9d4 100644
--- a/package/sox/sox.mk
+++ b/package/sox/sox.mk
@@ -79,6 +79,11 @@ SOX_IGNORE_CVES += CVE-2021-40426
# due to the change of CPE ID to sox_project:sox in the NVD database
SOX_IGNORE_CVES += CVE-2022-31650 CVE-2023-26590
+# 0010-formats-reject-implausible-rate.patch
+# This entry is NOT stale, those CVEs are not reported by pkg-stats
+# due to the change of CPE ID to sox_project:sox in the NVD database
+SOX_IGNORE_CVES += CVE-2022-31651
+
SOX_CONF_OPTS = \
--with-distro="Buildroot" \
--disable-stack-protector
--
2.49.0
* [Buildroot] [PATCH 21/22] package/sox: add fix for CVE-2023-32627
From: Thomas Petazzoni via buildroot @ 2025-05-18 8:57 UTC (permalink / raw)
To: Buildroot List; +Cc: Raphaël Mélotte, Thomas Petazzoni
Patch comes from Debian. The CVEs are not reported by pkg-stats
because the NVD database has associated them with the sox_project:sox
vendor/product CPE. This has been reported to NVD:
https://lore.kernel.org/buildroot/20250517220322.4da9bdb3@windsurf/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
...ilter-null-sampling-rate-in-VOC-code.patch | 37 +++++++++++++++++++
package/sox/sox.mk | 5 +++
2 files changed, 42 insertions(+)
create mode 100644 package/sox/0011-CVE-2023-32627-Filter-null-sampling-rate-in-VOC-code.patch
diff --git a/package/sox/0011-CVE-2023-32627-Filter-null-sampling-rate-in-VOC-code.patch b/package/sox/0011-CVE-2023-32627-Filter-null-sampling-rate-in-VOC-code.patch
new file mode 100644
index 0000000000..b67d23c12d
--- /dev/null
+++ b/package/sox/0011-CVE-2023-32627-Filter-null-sampling-rate-in-VOC-code.patch
@@ -0,0 +1,37 @@
+From 2ab4f13af84f224cfbdd997e027c7348156de463 Mon Sep 17 00:00:00 2001
+From: Helmut Grohne <helmut@subdivi.de>
+Date: Sat, 17 May 2025 23:07:34 +0200
+Subject: [PATCH] CVE-2023-32627 Filter null sampling rate in VOC coder
+
+Avoid a divide by zero and out of bound read by rejecting null sampling rate in VOC file
+
+bug: https://sourceforge.net/p/sox/bugs/369/
+bug-redhat: https://bugzilla.redhat.com/show_bug.cgi?id=2212282
+bug-debian: https://bugs.debian.org/1041112
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2023-32627
+
+Upstream: https://sourceforge.net/p/sox/bugs/369/
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+---
+ src/voc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/voc.c b/src/voc.c
+index 0ca07f94..d8b982c5 100644
+--- a/src/voc.c
++++ b/src/voc.c
+@@ -353,6 +353,11 @@ static size_t read_samples(sox_format_t * ft, sox_sample_t * buf,
+ v->block_remaining = 0;
+ return done;
+ }
++ if(uc == 0) {
++ lsx_fail_errno(ft, EINVAL, "invalid rate value");
++ v->block_remaining = 0;
++ return done;
++ }
+ *buf = SOX_UNSIGNED_8BIT_TO_SAMPLE(uc,);
+ lsx_adpcm_init(&v->adpcm, 6 - v->size, SOX_SAMPLE_TO_SIGNED_16BIT(*buf, ft->clips));
+ ++buf;
+--
+2.49.0
+
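Review bot: `if(uc == 0) {` lacks the space after `if` that the other checks in this series use (`if (uc <= 1)`, `if (dictsize == 0 || ...)`), and the header uses lowercase `bug:`/`bug-debian:` tags where the other patches use `Bug:`/`Bug-Debian:`; consistent capitalisation keeps the tags greppable. The error path itself mirrors the one directly above it (`v->block_remaining = 0; return done;`), which is the right shape for a read_samples() failure.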
diff --git a/package/sox/sox.mk b/package/sox/sox.mk
index c0d903f9d4..3c9c939e8c 100644
--- a/package/sox/sox.mk
+++ b/package/sox/sox.mk
@@ -84,6 +84,11 @@ SOX_IGNORE_CVES += CVE-2022-31650 CVE-2023-26590
# due to the change of CPE ID to sox_project:sox in the NVD database
SOX_IGNORE_CVES += CVE-2022-31651
+# 0011-CVE-2023-32627-Filter-null-sampling-rate-in-VOC-code.patch
+# This entry is NOT stale, those CVEs are not reported by pkg-stats
+# due to the change of CPE ID to sox_project:sox in the NVD database
+SOX_IGNORE_CVES += CVE-2023-32627
+
SOX_CONF_OPTS = \
--with-distro="Buildroot" \
--disable-stack-protector
--
2.49.0
* [Buildroot] [PATCH 22/22] package/tinyxml: set TINYXML_CPE_ID_VERSION
From: Thomas Petazzoni via buildroot @ 2025-05-18 8:57 UTC (permalink / raw)
To: Buildroot List; +Cc: Raphaël Mélotte, Thomas Petazzoni
With the recent addition in pkg-stats to detect stale ignore CVE
entries, the CVE-2021-42260 ignore CVE entry is reported as
stale. This is because TINYXML_VERSION is 2.6.2_2, and the CVE is
annotated as affecting versions up to and including 2.6.2.
In fact, 2.6.2_2 is a special version from the Kodi community, but
it's close to the 2.6.2 release, and CVE-2021-42260 is not fixed in
it. To get meaningful results, let's tell our CVE checking logic that
the tinyxml version is 2.6.2 by setting TINYXML_CPE_ID_VERSION (we're
splitting on the _ and keeping the part before).
Because we're now setting TINYXML_CPE_ID_VERSION, we must drop
TINYXML_CPE_ID_VALID to avoid a check-package warning.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
package/tinyxml/tinyxml.mk | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package/tinyxml/tinyxml.mk b/package/tinyxml/tinyxml.mk
index 01c25f7c1c..c6150b13fe 100644
--- a/package/tinyxml/tinyxml.mk
+++ b/package/tinyxml/tinyxml.mk
@@ -12,7 +12,7 @@ TINYXML_AUTORECONF = YES
TINYXML_INSTALL_STAGING = YES
TINYXML_LICENSE = Zlib
TINYXML_LICENSE_FILES = README
-TINYXML_CPE_ID_VALID = YES
+TINYXML_CPE_ID_VERSION = $(firstword $(subst _,$(space),$(TINYXML_VERSION)))
# 0001-In-stamp-always-advance-the-pointer-if-p-0xef.patch
TINYXML_IGNORE_CVES += CVE-2021-42260
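Review bot: `$(firstword $(subst _,$(space),$(TINYXML_VERSION)))` does produce 2.6.2 from 2.6.2_2, but it is opaque without context; a one-line comment above it saying that the `_2` suffix of the Kodi-derived version is stripped so the CPE version matches the 2.6.2 release NVD knows about would save the next reader a trip to the git log. Dropping TINYXML_CPE_ID_VALID is right, as the commit message explains: setting a CPE_ID variable already implies a valid CPE and keeping both triggers a check-package warning.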
--
2.49.0
* Re: [Buildroot] [PATCH 00/22] CVE updates
From: Arnout Vandecappelle via buildroot @ 2025-06-04 18:18 UTC (permalink / raw)
To: Thomas Petazzoni, Buildroot List; +Cc: Raphaël Mélotte
On 18/05/2025 10:56, Thomas Petazzoni via buildroot wrote:
> Hello,
>
> Following the addition of stale ignore CVE entry detection in
> pkg-stats (thanks to great work from Raphaël Mélotte), I looked at the
> stale entries and handled all of them in this patch series.
>
> While at it, I reported some issues to the NVD maintainers (e-mails
> were Cc'ed to the mailing list). I also found a number of CVEs on sox
> that were not fixed, so I fixed them (except CVE-2021-33844, for which
> the fix doesn't apply to our version and it isn't clear if our version
> is really vulnerable).
>
> Please have a look and let me know what you think. Patches are
> independent from each other, except of course the large stack of
> patches on the sox package.
>
> Thomas
>
> Thomas Petazzoni (22):
> boot/grub2: drop stale IGNORE_CVES entries
> package/busybox: drop stale IGNORE_CVES entries
> package/dnsmasq: drop stale IGNORE_CVES entries
> package/dovecot: document why the ignore CVE entry is not stale
> package/exim: drop stale ignore CVE entry
> package/exim: update comment on CVE-2022-3559
> package/libopenh264: drop stale ignore CVE entry
> package/libssh: drop stale ignore CVE entry
> package/netsnmp: drop stale ignore CVE entries
> package/qt5/qt5base: drop stale ignore CVE entries, add CPE version
> package/ripgrep: drop stale ignore CVE entry
> package/sox: add SOX_CPE_ID_VERSION
> package/sox: annotate ignore CVE entries
> package/sox: add ignore CVE entry for CVE-2019-1010004
> package/sox: rework the 0001 patch to make it Git-applicable
> package/sox: add fix for CVE-2021-3643 CVE-2021-23210
> package/sox: add fix for CVE-2021-23159, CVE-2021-23172,
> CVE-2023-34318
> package/sox: add fix for CVE-2021-40426
> package/sox: add fix for CVE-2022-31650, CVE-2023-26590
> package/sox: add fix for CVE-2022-31651
> package/sox: add fix for CVE-2023-32627
> package/tinyxml: set TINYXML_CPE_ID_VERSION
Applied series to 2025.02.x, thanks.
Regards,
Arnout
>
> boot/grub2/grub2.mk | 8 --
> package/busybox/busybox.mk | 10 ---
> package/dnsmasq/dnsmasq.mk | 3 -
> package/dovecot/dovecot.mk | 4 +
> package/exim/exim.mk | 6 +-
> package/libopenh264/libopenh264.mk | 3 -
> package/libssh/libssh.mk | 4 -
> package/netsnmp/netsnmp.mk | 4 -
> package/qt5/qt5base/qt5base.mk | 11 +--
> package/ripgrep/ripgrep.mk | 3 -
> ...-SoX-support-uclibc-based-toolchains.patch | 9 +--
> ...hould-never-be-0-to-avoid-division-b.patch | 34 +++++++++
> package/sox/0007-hcom-validate-dictsize.patch | 38 ++++++++++
> .../0008-phere-avoid-integer-underflow.patch | 42 +++++++++++
> ...ect-implausibly-large-number-of-chan.patch | 63 ++++++++++++++++
> ...0010-formats-reject-implausible-rate.patch | 39 ++++++++++
> ...ilter-null-sampling-rate-in-VOC-code.patch | 37 +++++++++
> package/sox/sox.mk | 75 ++++++++++++++++++-
> package/tinyxml/tinyxml.mk | 2 +-
> 19 files changed, 337 insertions(+), 58 deletions(-)
> create mode 100644 package/sox/0006-voc-word-width-should-never-be-0-to-avoid-division-b.patch
> create mode 100644 package/sox/0007-hcom-validate-dictsize.patch
> create mode 100644 package/sox/0008-phere-avoid-integer-underflow.patch
> create mode 100644 package/sox/0009-formats-aiff-reject-implausibly-large-number-of-chan.patch
> create mode 100644 package/sox/0010-formats-reject-implausible-rate.patch
> create mode 100644 package/sox/0011-CVE-2023-32627-Filter-null-sampling-rate-in-VOC-code.patch
>