user/sox: move to legacy/

This package has numerous CVEs and does not currently
build on our pmmx target. It is not required by any
other packages at the moment.

See also: #961.

1 files changed, 28 insertions, 0 deletions

diff --git a/legacy/sox/CVE-2017-11332.patch b/legacy/sox/CVE-2017-11332.patch
new file mode 100644
index 000000000..511049d8e
--- /dev/null
+++ b/legacy/sox/CVE-2017-11332.patch
@@ -0,0 +1,28 @@
+From 6e177c455fb554327ff8125b6e6dde1568610abe Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Sun, 5 Nov 2017 16:29:28 +0000
+Subject: [PATCH] wav: fix crash if channel count is zero (CVE-2017-11332)
+
+---
+ src/wav.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/wav.c b/src/wav.c
+index 5202556c..71fd52ac 100644
+--- a/src/wav.c
++++ b/src/wav.c
+@@ -712,6 +712,11 @@ static int startread(sox_format_t * ft)
+     else
+         lsx_report("User options overriding channels read in .wav header");
+ 
++    if (ft->signal.channels == 0) {
++        lsx_fail_errno(ft, SOX_EHDR, "Channel count is zero");
++        return SOX_EOF;
++    }
++
+     if (ft->signal.rate == 0 || ft->signal.rate == dwSamplesPerSecond)
+         ft->signal.rate = dwSamplesPerSecond;
+     else
+-- 
+2.25.0
+