sox_ng wiki - Distro-Debian


Distro Debian

Of the tested versions of SoX, Debian’s is the one that defends best against CVEs, though the strategy of importing sox.sf.net’s patches for them is less than 100% successful.

Test results for CVE patches in 14.4.2+git20190427-3.5 and -4

Legend
SUCC   Exits zero when it should fail
ABRT   Aborts
ASAN   Works but the Address Sanitizer reports problems
ALOOP  Loops forever when compiled with the Address Sanitizer.
       If you give it more than a minute of CPU time, the Address Sanitizer kills it
       saying it has tried to allocate more than `0xc0000000` bytes of VM, so the 10x
       ASAN slowdown is due to SoX beating `malloc()` to death.
1      Exits 1 without ASAN, "succeeds" with.
-      We don't have a test for this bug

Results for Debian bookworm/trixie i386

| Patch | Issue | bookworm32 | trixie32 | bookworm64 | trixie64 |
| :---- | :---- | :--: | :--: | :--: | :--: |
| 0001-fix-build | #35 | - | - | - | - |
| 0002-spelling | #36 | - | - | - | - |
| 0003-CVE-2017-15371 | #11 | ASAN | ASAN | ASAN | ASAN |
| 0004-CVE-2017-11358 | #8 | OK | OK | OK | OK |
| 0005-CVE-2017-15370 | #16 | SUCC | SUCC | SUCC | SUCC |
| 0006-CVE-2017-11332 | #7 | OK | OK | OK | OK |
| 0007-CVE-2017-11359 | #9 | OK | OK | OK | OK |
| 0008-wavpack_check_errors | #37 | OK | OK | 1 | 1 |
| 0009-lintian-man-sox | #38 | - | - | - | - |
| 0010-xa-validate-channel-count =CVE-2017-18189 | #14 | OK | OK | OK | OK |
| 0011-CVE-2017-15372 | #12 | OK | OK | OK | OK |
| 0012-CVE-2017-15642 | #13 | OK | OK | OK | OK |
| 0013-Handle-vorbis_analysis_headerout-errors =CVE-2017-11333 | #39 | ASAN | ASAN | ASAN | ASAN |
| 0014-CVE-2019-8354 | #15 | ABRT | ABRT | ABRT | ABRT |
| 0015-CVE-2019-8355 | #17 | OK | OK | OK | OK |
| 0016-CVE-2019-8356 | #18 | SUCC ALOOP | SUCC ALOOP | SUCC ALOOP | SUCC ALOOP |
| 0017-CVE-2019-8357 | #19 | SEGV | SEGV | LOOP | LOOP |
| 0018-CVE-2019-13590 | #20 | OK | OK | OK | OK |
| 0019-fix-resource-leak-comments | #40 | - | - | - | - |
| 0020-fix-resource-leak-hcom | #41 | - | - | - | - |
| 0021-fix-hcom-big-endian | #42 | - | - | - | - |
| 0022-CVE-2021-3643 | #22 | ASAN | ASAN | ASAN | ASAN |
| 0023-CVE-2021-23159 | #24 | OK | OK | OK | OK |
| 0024-CVE-2021-33844 | #26 | OK | OK | OK | OK |
| 0025-CVE-2021-40426 | #27 | OK | OK | OK | OK |
| 0026-CVE-2022-31650 | #28 | OK | OK | OK | OK |
| 0027-CVE-2022-31651 | #29 | OK | OK | OK | OK |
| 0028-CVE-2023-32627-Filter-null-sampling-rate-in-VOC-code | #31 | SUCC | SUCC | SUCC | SUCC |

For test results for other unaddressed CVEs and results for sox.sf.net and sox_ng see Testing.
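
The result codes in the legend can be derived mechanically from how a test command ends. The script below is an added example, not the sox_ng project's own test harness; the function names `classify` and `combine` are hypothetical, and it assumes timeout(1) enforces the time limit, Linux signal numbers, and that an ASAN build is recognised by the "AddressSanitizer" banner on stderr.

```sh
#!/bin/sh
# Added example: map a run of a test that is expected to FAIL cleanly
# (non-zero exit, no crash) to the result codes used in the table.
# Assumptions (not from the wiki): timeout(1) enforces the limit, and
# ASAN output is recognised by its "AddressSanitizer" stderr banner.

# classify CMD [ARG...]  -> prints OK, SUCC, ABRT, SEGV, LOOP or ASAN
classify() {
    err=$(mktemp) || return 2
    status=0
    # "|| status=$?" keeps the function usable under "set -e"
    timeout "${LIMIT:-60}" "$@" >/dev/null 2>"$err" || status=$?
    if   [ "$status" -eq 124 ]; then echo LOOP   # hit the time limit
    elif [ "$status" -eq 134 ]; then echo ABRT   # 128 + SIGABRT (6)
    elif [ "$status" -eq 139 ]; then echo SEGV   # 128 + SIGSEGV (11)
    elif grep -q AddressSanitizer "$err"; then echo ASAN
    elif [ "$status" -eq 0 ]; then echo SUCC     # should have failed
    else echo OK                                 # clean non-zero exit
    fi
    rm -f "$err"
}

# combine PLAIN ASAN: merge the codes from a normal build and an ASAN
# build of the same test into one table cell (assumed reading of the legend).
combine() {
    case "$1/$2" in
        OK/SUCC) echo 1 ;;           # exits 1 without ASAN, "succeeds" with
        */LOOP)  echo "$1 ALOOP" ;;  # runs out of time in the ASAN build
        OK/ASAN) echo ASAN ;;        # works, but ASAN reports problems
        *)       echo "$1" ;;        # both builds agree, or plain result wins
    esac
}
```

Set `LIMIT` to change the time limit in seconds; the default of 60 follows the legend's "more than a minute of CPU time".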

TODO

Add format OPUS

If libopusfile-dev is installed, dpkg-buildpackage says

dh_missing: warning: usr/lib/i386-linux-gnu/sox/libsox_fmt_opus.so exists in debian/tmp but is not installed to anywhere 

Add format sndio

If libsndio-dev is installed, dpkg-buildpackage says

dh_missing: warning: usr/lib/i386-linux-gnu/sox/libsox_fmt_sndio.so exists in debian/tmp but is not installed to anywhere

Recommend libsox-fmt-all

I would recommend, not suggest, libsox-fmt-all so that most people get a SoX that reads/writes most audio formats, which is one of its main purposes.

Recommend ffmpeg

If Debian switches to sox_ng and configures --with-ffmpeg then it would also make sense to recommend ffmpeg so that SoX automatically detects and reads 48 more audio and video formats.


Generated by makehtml.sh on Tue Apr 8 01:17:55 CEST 2025