Debian Bug report logs -
#1015790
wavpack: CVE-2022-2476
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
:
Bug#1015790
; Package src:wavpack
.
(Thu, 21 Jul 2022 09:54:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>
:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
.
(Thu, 21 Jul 2022 09:54:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: wavpack
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for wavpack.
CVE-2022-2476[0]:
| A null pointer dereference bug was found in wavpack-5.4.0 The results
| from the ASAN log: AddressSanitizer:DEADLYSIGNAL =====================
| ==============================================84257==ERROR:
| AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
| 0x561b47a970c6 bp 0x7fff13952fb0 sp 0x7fff1394fca0 T0) ==84257==The
| signal is caused by a WRITE memory access. ==84257==Hint: address
| points to the zero page. #0 0x561b47a970c5 in main cli/wvunpack.c:834
| #1 0x7efc4f5c0082 in __libc_start_main (/lib/x86_64-linux-
| gnu/libc.so.6+0x24082) #2 0x561b47a945ed in _start
| (/usr/local/bin/wvunpack+0xa5ed) AddressSanitizer can not provide
| additional info. SUMMARY: AddressSanitizer: SEGV cli/wvunpack.c:834 in
| main ==84257==ABORTING
https://github.com/dbry/WavPack/issues/121
https://github.com/dbry/WavPack/commit/25b4a2725d8568212e7cf89ca05ca29d128af7ac
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-2476
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2476
Please adjust the affected versions in the BTS as needed.
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Thu Jul 21 13:16:41 2022;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.