From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: Security issues and concerns regarding soc addon
Date: Fri, 28 Jul 2023 17:17:53 +0100 [thread overview]
Message-ID: <BDC83156-0AA2-4899-B318-C49537440CFC@ipfire.org> (raw)
In-Reply-To: <c844f1e2-e5cc-e368-cd54-9096ee41cc81@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 2375 bytes --]
Hello Adolf,
> On 28 Jul 2023, at 13:51, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
>
> Hi All,
>
> To make it clear this is nothing to do with Core Update 177 Testing.
>
> Someone on the forum reported a problem with trying to run the sox addon.
https://community.ipfire.org/t/sox-on-rpi-doesnt-work/10097
> I had a look at sox and tried to install it and then ran sox --version which then came up with a missing library.
> Installed the addon that provided that library and then there was another missing library and so on.
>
> sox kept having missing libraries until I had installed all of the following:-
>
> alsa
> flac
> libmad
> libid3tag
> lame
>
> The only dependency listed in sox was libvorbis. All these others should really be present as well.
This is correct. /usr/bin/sox is directly linked against those.
> After installing all those dependencies I ran sox --version and basically sox just hangs with no response at all. Ctrl C was required to stop it.
> So I was wondering why sox was added to IPFire originally.
This was required for music-on-hold on Asterisk and encoding the voice prompts.
We no longer have Asterisk.
> Looking through the web site info I found that the current version was released in 2015. The last commit looks to have been in 2021.
>
> I found that Arch Linux is taking a git snapshot version due to there being many unfixed security vulnerabilities. Additionally they are patching with a patch that was used in Openwall to deal with 8 CVE's plus a fix for a CVE fix that introduced a regression.
>
> The above does not make me feel very comfortable at all with having sox in IPFire.
Not really, there is no way to execute it. We never accept anything from the network that we would pipe into sox, so there is no risk from my point of view.
> It is described as the Swiss Army knife of sound processing programs and my view, based on my investigation, is that it should be removed from IPFire.
It is. And I suppose we can lose it as it does not serve its original purpose any more.
> If users want to use it then it should be done on machines on the lan connected to IPFire, not on IPFire itself.
>
>
> Looking forward to feedback on my observations and conclusion.
Best,
-Michael
>
> Regards,
>
> Adolf.
>
> --
> Sent from my laptop
>
prev parent reply other threads:[~2023-07-28 16:17 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-28 12:51 Adolf Belka
2023-07-28 16:17 ` Michael Tremer [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=BDC83156-0AA2-4899-B318-C49537440CFC@ipfire.org \
--to=michael.tremer@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox