On Mon, Jun 27, 2022 at 04:01:46PM +0200, Enrico Zini wrote:
> Hello,
>
> every once in a while I have a look at sox, which has many CVEs open and
> no updates for 3 months, wondering what could be done about it.
>
> It seems that all the CVEs have reproducers but not patches. Should I
> try to work on patches for some of them? I don't mind doing it but it
> may be nontrivial work, as it may require reading up on the specific
> audio formats involved.
>
> Otherwise, should the issues that have been without patches for months
> now be tagged with no-dsa for the time being, as most of them are for
> buster and bullseye?
The only relevant open CVE ID for sox is CVE-2021-40426; the other ones are completely negligible.

But it's unclear to which extent CVE-2021-40426 was reported upstream. https://talosintelligence.com/vulnerability_reports/TALOS-2021-1434 mentions "2022-01-14 - Follow up with vendor; vendor acknowledged", but it's e.g. not found in the existing bug tracker, so I think reporting it in their tracker with a question about the status of a patch is a sensible first step. If they state they are too busy, work could resume on writing one.

Cheers,
Moritz