wavpack: CVE-2019-1010319

Related Vulnerabilities: CVE-2019-1010319   CVE-2019-1010317  

Debian Bug report logs - #932061


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 14 Jul 2019 15:30:02 UTC

Severity: important

Tags: security, upstream

Found in version wavpack/5.1.0-6

Fixed in version wavpack/5.1.0-7

Done: Sebastian Ramacher <sramacher@debian.org>

Forwarded to https://github.com/dbry/WavPack/issues/68



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#932061; Package src:wavpack. (Sun, 14 Jul 2019 15:30:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Sun, 14 Jul 2019 15:30:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wavpack: CVE-2019-1010319
Date: Sun, 14 Jul 2019 17:27:59 +0200
Source: wavpack
Version: 5.1.0-6
Severity: important
Tags: security upstream
Forwarded: https://github.com/dbry/WavPack/issues/68

Hi,

The following vulnerability was published for wavpack.

CVE-2019-1010319[0]:
| WavPack 5.1.0 and earlier is affected by: CWE-457: Use of
| Uninitialized Variable. The impact is: Unexpected control flow,
| crashes, and segfaults. The component is: ParseWave64HeaderConfig
| (wave64.c:211). The attack vector is: Maliciously crafted .wav file.
| The fixed version is: After commit https://github.com/dbry/WavPack/commit/33a0025d1d63ccd05d9dbaa6923d52b1446a62fe.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-1010319
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010319
[1] https://github.com/dbry/WavPack/issues/68
[2] https://github.com/dbry/WavPack/commit/33a0025d1d63ccd05d9dbaa6923d52b1446a62fe

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Sebastian Ramacher <sramacher@debian.org>:
You have taken responsibility. (Sun, 14 Jul 2019 19:39:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 14 Jul 2019 19:39:08 GMT)


Message #10 received at 932061-close@bugs.debian.org:

From: Sebastian Ramacher <sramacher@debian.org>
To: 932061-close@bugs.debian.org
Subject: Bug#932061: fixed in wavpack 5.1.0-7
Date: Sun, 14 Jul 2019 19:35:20 +0000
Source: wavpack
Source-Version: 5.1.0-7

We believe that the bug you reported is fixed in the latest version of
wavpack, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 932061@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Ramacher <sramacher@debian.org> (supplier of updated wavpack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 14 Jul 2019 21:10:51 +0200
Source: wavpack
Architecture: source
Version: 5.1.0-7
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Sebastian Ramacher <sramacher@debian.org>
Closes: 932060 932061
Changes:
 wavpack (5.1.0-7) unstable; urgency=medium
 .
   * debian/patches: Cherry-pick upstream patches to fix use of uninitialized
     values. (CVE-2019-1010317, CVE-2019-1010319) (Closes: #932060, #932061)
   * debian/: Bump debhelper compat to 12.
   * debian/control: Bump Standards-Version.






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Jul 15 11:21:19 2019; Machine Name: buxtehude
