wavpack: CVE-2020-35738

Debian Bug report logs - #978548
wavpack: CVE-2020-35738

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 28 Dec 2020 14:09:02 UTC

Severity: important

Tags: security, upstream

Found in versions wavpack/5.1.0-6, wavpack/5.3.0-1

Fixed in version wavpack/5.3.0-2

Done: Sebastian Ramacher <sramacher@debian.org>

Forwarded to https://github.com/dbry/WavPack/issues/91



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#978548; Package src:wavpack. (Mon, 28 Dec 2020 14:09:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Mon, 28 Dec 2020 14:09:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wavpack: CVE-2020-35738
Date: Mon, 28 Dec 2020 15:06:30 +0100
Source: wavpack
Version: 5.3.0-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/dbry/WavPack/issues/91
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for wavpack.

CVE-2020-35738[0]:
| WavPack 5.3.0 has an out-of-bounds write in WavpackPackSamples in
| pack_utils.c because of an integer overflow in a malloc argument.
| NOTE: some third-parties claim that there are later "unofficial"
| releases through 5.3.2, which are also affected.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-35738
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35738
[1] https://github.com/dbry/WavPack/issues/91

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions wavpack/5.1.0-6. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 29 Dec 2020 15:42:03 GMT)


Reply sent to Sebastian Ramacher <sramacher@debian.org>:
You have taken responsibility. (Wed, 30 Dec 2020 09:51:02 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 30 Dec 2020 09:51:02 GMT)


Message #12 received at 978548-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 978548-close@bugs.debian.org
Subject: Bug#978548: fixed in wavpack 5.3.0-2
Date: Wed, 30 Dec 2020 09:49:24 +0000
Source: wavpack
Source-Version: 5.3.0-2
Done: Sebastian Ramacher <sramacher@debian.org>

We believe that the bug you reported is fixed in the latest version of
wavpack, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 978548@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Ramacher <sramacher@debian.org> (supplier of updated wavpack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 30 Dec 2020 10:40:48 +0100
Source: wavpack
Architecture: source
Version: 5.3.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Sebastian Ramacher <sramacher@debian.org>
Closes: 978548
Changes:
 wavpack (5.3.0-2) unstable; urgency=medium
 .
   * debian/control: Bump Standards-Version
   * debian/: Bump debhelper compat to 13
   * debian/patches: Add upstream patches for CVE-2020-35738 (Closes: #978548)
Checksums-Sha1:
 ed2c34da806e1c03f1c69b5635d63f3251d10215 2059 wavpack_5.3.0-2.dsc
 28ad3c0b6aa84d783dc0ace90fe4c68a11d7e95a 7268 wavpack_5.3.0-2.debian.tar.xz
Checksums-Sha256:
 cce90e767a5c78ca5fa333ceb417212422bf44bbe075e2a4d1bd522d285a780b 2059 wavpack_5.3.0-2.dsc
 b9b67868d9b2e85c4895a078a7020b300c01d75c63ff6d90f2b876680b56cb9a 7268 wavpack_5.3.0-2.debian.tar.xz
Files:
 147e7b591215a6fd21afb38f940ef7e8 2059 sound optional wavpack_5.3.0-2.dsc
 90bacfa26ba7df3d64e22f906ec46c42 7268 sound optional wavpack_5.3.0-2.debian.tar.xz





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jan 9 11:37:46 2021; Machine Name: bembo
