* Security issues and concerns regarding soc addon
From: Adolf Belka @ 2023-07-28 12:51 UTC
To: development
Hi All,

To make it clear this is nothing to do with Core Update 177 Testing.

Someone on the forum reported a problem with trying to run the sox addon.

I had a look at sox and tried to install it and then ran sox --version
which then came up with a missing library.
Installed the addon that provided that library and then there was
another missing library and so on.

sox kept having missing libraries until I had installed all of the
following:-

alsa
flac
libmad
libid3tag
lame

The only dependency listed in sox was libvorbis. All these others should
really be present as well.

After installing all those dependencies I ran sox --version and
basically sox just hangs with no response at all. Ctrl C was required to
stop it.

So I was wondering why sox was added to IPFire originally.

Looking through the web site info I found that the current version was
released in 2015. The last commit looks to have been in 2021.

I found that Arch Linux is taking a git snapshot version due to there
being many unfixed security vulnerabilities. Additionally they are
patching with a patch that was used in Openwall to deal with 8 CVEs
plus a fix for a CVE fix that introduced a regression.

The above does not make me feel very comfortable at all with having sox
in IPFire.

It is described as the Swiss Army knife of sound processing programs and
my view, based on my investigation, is that it should be removed from
IPFire.

If users want to use it then it should be done on machines on the LAN
connected to IPFire, not on IPFire itself.

Looking forward to feedback on my observations and conclusion.

Regards,

Adolf.
--
Sent from my laptop
* Re: Security issues and concerns regarding soc addon
From: Michael Tremer @ 2023-07-28 16:17 UTC
To: development
Hello Adolf,

> On 28 Jul 2023, at 13:51, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
>
> Hi All,
>
> To make it clear this is nothing to do with Core Update 177 Testing.
>
> Someone on the forum reported a problem with trying to run the sox addon.

https://community.ipfire.org/t/sox-on-rpi-doesnt-work/10097

> I had a look at sox and tried to install it and then ran sox --version which then came up with a missing library.
> Installed the addon that provided that library and then there was another missing library and so on.
>
> sox kept having missing libraries until I had installed all of the following:-
>
> alsa
> flac
> libmad
> libid3tag
> lame
>
> The only dependency listed in sox was libvorbis. All these others should really be present as well.

This is correct. /usr/bin/sox is directly linked against those.

> After installing all those dependencies I ran sox --version and basically sox just hangs with no response at all. Ctrl C was required to stop it.
> So I was wondering why sox was added to IPFire originally.

This was required for music-on-hold on Asterisk and encoding the voice prompts.

We no longer have Asterisk.

> Looking through the web site info I found that the current version was released in 2015. The last commit looks to have been in 2021.
>
> I found that Arch Linux is taking a git snapshot version due to there being many unfixed security vulnerabilities. Additionally they are patching with a patch that was used in Openwall to deal with 8 CVEs plus a fix for a CVE fix that introduced a regression.
>
> The above does not make me feel very comfortable at all with having sox in IPFire.

Not really, there is no way to execute it. We never accept anything from the network that we would pipe into sox, so there is no risk from my point of view.

> It is described as the Swiss Army knife of sound processing programs and my view, based on my investigation, is that it should be removed from IPFire.

It is. And I suppose we can lose it as it does not serve its original purpose any more.

> If users want to use it then it should be done on machines on the LAN connected to IPFire, not on IPFire itself.
>
>
> Looking forward to feedback on my observations and conclusion.

Best,
-Michael
>
> Regards,
>
> Adolf.
>
> --
> Sent from my laptop
>
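
The gap discussed in this thread (sox declaring only libvorbis while /usr/bin/sox is directly linked against more libraries) can be caught at packaging time by comparing a binary's DT_NEEDED entries with its declared dependency list. The script below is an added example, not part of the thread or of IPFire's build system; the `readelf -d` sample and the soname-to-package map are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find packages a binary links against but does not declare.

# Constructed sample of `readelf -d /usr/bin/sox` output (not a real capture).
sample_readelf() {
cat <<'EOF'
Dynamic section at offset 0x2d90 contains 33 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libasound.so.2]
 0x0000000000000001 (NEEDED)             Shared library: [libFLAC.so.8]
 0x0000000000000001 (NEEDED)             Shared library: [libmad.so.0]
 0x0000000000000001 (NEEDED)             Shared library: [libid3tag.so.0]
 0x0000000000000001 (NEEDED)             Shared library: [libmp3lame.so.0]
 0x0000000000000001 (NEEDED)             Shared library: [libvorbisenc.so.2]
 0x0000000000000001 (NEEDED)             Shared library: [libvorbis.so.0]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000c (INIT)               0x4000
EOF
}

# Extract the soname of every DT_NEEDED entry read from stdin.
needed_sonames() {
    sed -n 's/.*(NEEDED).*\[\(.*\)].*/\1/p'
}

# Hypothetical soname-to-package map; a real check would query the package database.
pkg_for_soname() {
    case "$1" in
        libasound.so.*)  echo alsa ;;
        libFLAC.so.*)    echo flac ;;
        libmad.so.*)     echo libmad ;;
        libid3tag.so.*)  echo libid3tag ;;
        libmp3lame.so.*) echo lame ;;
        libvorbis*.so.*) echo libvorbis ;;
        libc.so.*|libm.so.*) echo base ;;
        *)               echo "unknown:$1" ;;
    esac
}

# Usage: readelf -d BINARY | undeclared_deps "pkg1 pkg2 ..."
# Prints, space-separated and sorted, the packages that are needed but not declared.
undeclared_deps() {
    declared=" $1 base "
    needed_sonames | while read -r so; do
        pkg=$(pkg_for_soname "$so")
        case "$declared" in *" $pkg "*) ;; *) echo "$pkg" ;; esac
    done | LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ $//'
}

echo "undeclared: $(sample_readelf | undeclared_deps 'libvorbis')"
```

Unlike running the program and installing whatever library it complains about next, this reports every missing declaration in one pass and does not execute the binary.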