user/sox: move to legacy/

This package has numerous CVEs and does not currently
build on our pmmx target. It is not required by any
other packages at the moment.

See also: #961.

1 files changed, 30 insertions, 0 deletions

diff --git a/legacy/sox/CVE-2017-11359.patch b/legacy/sox/CVE-2017-11359.patch
new file mode 100644
index 000000000..cb96c4a71
--- /dev/null
+++ b/legacy/sox/CVE-2017-11359.patch
@@ -0,0 +1,30 @@
+From 7b3f30e13e4845bafc93215a372c6eb7dcf04118 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Sun, 5 Nov 2017 17:02:11 +0000
+Subject: [PATCH] wav: fix crash writing header when channel count >64k
+ (CVE-2017-11359)
+
+---
+ src/wav.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/wav.c b/src/wav.c
+index 71fd52ac..eca1cde5 100644
+--- a/src/wav.c
++++ b/src/wav.c
+@@ -1379,6 +1379,12 @@ static int wavwritehdr(sox_format_t * ft, int second_header)
+     long blocksWritten = 0;
+     sox_bool isExtensible = sox_false;    /* WAVE_FORMAT_EXTENSIBLE? */
+ 
++    if (ft->signal.channels > UINT16_MAX) {
++        lsx_fail_errno(ft, SOX_EOF, "Too many channels (%u)",
++                       ft->signal.channels);
++        return SOX_EOF;
++    }
++
+     dwSamplesPerSecond = ft->signal.rate;
+     wChannels = ft->signal.channels;
+     wBitsPerSample = ft->encoding.bits_per_sample;
+-- 
+2.25.0
+