From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Security issues and concerns regarding sox addon
Date: Fri, 28 Jul 2023 17:17:53 +0100

Hello Adolf,

> On 28 Jul 2023, at 13:51, Adolf Belka wrote:
>
> Hi All,
>
> To make it clear this is nothing to do with Core Update 177 Testing.
>
> Someone on the forum reported a problem with trying to run the sox addon. https://community.ipfire.org/t/sox-on-rpi-doesnt-work/10097
> I had a look at sox and tried to install it and then ran sox --version which then came up with a missing library.
> Installed the addon that provided that library and then there was another missing library and so on.
>
> sox kept having missing libraries until I had installed all of the following:-
>
> alsa
> flac
> libmad
> libid3tag
> lame
>
> The only dependency listed in sox was libvorbis. All these others should really be present as well.

This is correct. /usr/bin/sox is directly linked against those.

> After installing all those dependencies I ran sox --version and basically sox just hangs with no response at all. Ctrl C was required to stop it.
> So I was wondering why sox was added to IPFire originally.

This was required for music-on-hold on Asterisk and encoding the voice prompts. We no longer have Asterisk.

> Looking through the web site info I found that the current version was released in 2015. The last commit looks to have been in 2021.
>
> I found that Arch Linux is taking a git snapshot version due to there being many unfixed security vulnerabilities. Additionally they are patching with a patch that was used in Openwall to deal with 8 CVEs plus a fix for a CVE fix that introduced a regression.
>
> The above does not make me feel very comfortable at all with having sox in IPFire.

Not really, there is no way to execute it. We never accept anything from the network that we would pipe into sox, so there is no risk from my point of view.

> It is described as the Swiss Army knife of sound processing programs and my view, based on my investigation, is that it should be removed from IPFire.

It is. And I suppose we can lose it as it does not serve its original purpose any more.

> If users want to use it then it should be done on machines on the LAN connected to IPFire, not on IPFire itself.
>
>
> Looking forward to feedback on my observations and conclusion.

Best,
-Michael

> Regards,
>
> Adolf.
>
> --
> Sent from my laptop
>
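The dependency mismatch described in this thread (an addon that declares only libvorbis while /usr/bin/sox is linked against several more libraries) can be checked mechanically by reading the binary's DT_NEEDED entries instead of running it until the loader reports a missing library. The script below is an added example and is not code from IPFire or from anyone in this thread: a stdlib-only Python parser for the DT_NEEDED list of a little-endian ELF64 file, plus a comparison against a map of which declared dependency packages provide which sonames. The sample binary is a minimal ELF constructed inside the script, and the package-to-soname map is an assumption for illustration, not IPFire's real package metadata.

```python
import struct
from typing import Dict, Iterable, List

# ELF64 constants from the ELF specification
ELF_MAGIC = b"\x7fELF"
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ = 0, 1, 5, 10
EHDR = "<16sHHIQQQIHHHHHH"   # ELF64 file header, little endian
PHDR = "<IIQQQQQQ"           # ELF64 program header
DYN = "<QQ"                  # one .dynamic entry: (d_tag, d_val)


def needed_libraries(data: bytes) -> List[str]:
    """Return the DT_NEEDED sonames of a little-endian ELF64 image, in link order."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    hdr = struct.unpack_from(EHDR, data, 0)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]

    loads = []      # (p_vaddr, p_offset, p_filesz) of each PT_LOAD segment
    dynamic = None  # (p_offset, p_filesz) of the PT_DYNAMIC segment
    for i in range(e_phnum):
        p_type, _fl, p_off, p_vaddr, _pa, p_filesz, _mem, _al = \
            struct.unpack_from(PHDR, data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_off, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_off, p_filesz)
    if dynamic is None:
        return []   # statically linked: nothing is resolved by the loader

    def vaddr_to_offset(vaddr: int) -> int:
        # DT_STRTAB holds a virtual address; map it back to a file offset
        for seg_vaddr, seg_off, seg_size in loads:
            if seg_vaddr <= vaddr < seg_vaddr + seg_size:
                return seg_off + (vaddr - seg_vaddr)
        raise ValueError(f"vaddr {vaddr:#x} is not backed by any PT_LOAD")

    needed_offsets: List[int] = []
    strtab_vaddr = strsz = None
    dyn_off, dyn_size = dynamic
    entry = struct.calcsize(DYN)
    for i in range(dyn_size // entry):
        tag, val = struct.unpack_from(DYN, data, dyn_off + i * entry)
        if tag == DT_NULL:
            break
        if tag == DT_NEEDED:
            needed_offsets.append(val)
        elif tag == DT_STRTAB:
            strtab_vaddr = val
        elif tag == DT_STRSZ:
            strsz = val
    if strtab_vaddr is None or strsz is None:
        raise ValueError("dynamic section lacks DT_STRTAB/DT_STRSZ")
    strtab_off = vaddr_to_offset(strtab_vaddr)
    strtab = data[strtab_off:strtab_off + strsz]
    names = []
    for o in needed_offsets:
        if o >= strsz:
            raise ValueError("DT_NEEDED offset points outside the string table")
        names.append(strtab[o:strtab.index(b"\0", o)].decode("ascii"))
    return names


def undeclared_dependencies(sonames: Iterable[str],
                            provided_by: Dict[str, List[str]]) -> List[str]:
    """Sonames that none of the declared packages (or the base system) provides."""
    covered = {lib for libs in provided_by.values() for lib in libs}
    return sorted(s for s in sonames if s not in covered)


def build_sample_elf(sonames: List[str]) -> bytes:
    """Constructed minimal ELF64 image whose .dynamic section lists `sonames`.
    It is not a runnable program, only enough structure for the parser above."""
    strtab, offsets = bytearray(b"\0"), []
    for name in sonames:
        offsets.append(len(strtab))
        strtab += name.encode("ascii") + b"\0"
    ehdr_size, phdr_size = struct.calcsize(EHDR), struct.calcsize(PHDR)
    dyn_off = ehdr_size + 2 * phdr_size
    entries = [(DT_NEEDED, o) for o in offsets]
    dyn_size = (len(entries) + 3) * struct.calcsize(DYN)
    strtab_off = dyn_off + dyn_size
    total = strtab_off + len(strtab)
    entries += [(DT_STRTAB, strtab_off), (DT_STRSZ, len(strtab)), (DT_NULL, 0)]
    dynamic = b"".join(struct.pack(DYN, t, v) for t, v in entries)
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9   # ELF64, little endian, version 1
    ehdr = struct.pack(EHDR, ident, 3, 0x3E, 1, 0, ehdr_size, 0, 0,
                       ehdr_size, phdr_size, 2, 0, 0, 0)
    # one PT_LOAD mapping the whole file at vaddr 0, then the PT_DYNAMIC segment
    load = struct.pack(PHDR, PT_LOAD, 4, 0, 0, 0, total, total, 0x1000)
    dyn = struct.pack(PHDR, PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                      dyn_size, dyn_size, 8)
    return ehdr + load + dyn + dynamic + bytes(strtab)


# Constructed scenario mirroring the report: the addon declares only libvorbis,
# while the binary is also linked against FLAC, libmad, lame and alsa.
SAMPLE_BINARY = build_sample_elf(["libvorbis.so.0", "libFLAC.so.8", "libmad.so.0",
                                  "libmp3lame.so.0", "libasound.so.2", "libc.so.6"])
DECLARED = {"libvorbis": ["libvorbis.so.0", "libvorbisfile.so.3"],   # assumed
            "base-system": ["libc.so.6", "libm.so.6"]}               # assumed

if __name__ == "__main__":
    needed = needed_libraries(SAMPLE_BINARY)
    print("DT_NEEDED:", needed)
    print("not covered by declared dependencies:",
          undeclared_dependencies(needed, DECLARED))
```

To check a real addon, pass the bytes of the installed binary (for example the contents of /usr/bin/sox) to needed_libraries and compare the result with the sonames shipped by the packages the addon declares; whatever is left over is exactly what a user would otherwise discover only as a missing-library error at run time. The check covers direct DT_NEEDED entries only; libraries that those libraries in turn require have to be found by running the same parser over each of them.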