wavpack: CVE-2018-7254: global buffer overflow while running wavpack

Debian Bug report logs - #889274


Reported by: Joonun Jang <joonun.jang@gmail.com>

Date: Sat, 3 Feb 2018 07:39:02 UTC

Severity: serious

Tags: fixed-upstream, security, upstream

Found in version wavpack/5.1.0-2

Fixed in version wavpack/5.1.0-3

Done: Sebastian Ramacher <sramacher@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/dbry/WavPack/issues/26



Report forwarded to debian-bugs-dist@lists.debian.org, joonun.jang@gmail.com, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#889274; Package wavpack. (Sat, 03 Feb 2018 07:39:05 GMT) (full text, mbox, link).


Acknowledgement sent to Joonun Jang <joonun.jang@gmail.com>:
New Bug report received and forwarded. Copy sent to joonun.jang@gmail.com, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sat, 03 Feb 2018 07:39:05 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Joonun Jang <joonun.jang@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wavpack: global buffer overflow while running wavpack
Date: Sat, 03 Feb 2018 16:36:16 +0900
Package: wavpack
Version: 5.1.0-2
Severity: important
Tags: security

global buffer overflow running wavpack with "-y poc.wav" option

Running 'wavpack -y poc.wav' with the attached file raises a global buffer overflow,
which may allow a remote attacker to cause unspecified impact including a denial-of-service attack.
I expected the program to terminate without a segfault, but the program crashes as follows:

june@june:~/temp/report/wavpack/00000178$ ../../binary/wavpack-5.1.0/cli/.libs/wavpack -y poc.wav

 WAVPACK  Hybrid Lossless Audio Compressor  Linux Version 5.1.0
 Copyright (c) 1998 - 2017 David Bryant.  All Rights Reserved.

creating poc.wv,=================================================================
==13894==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55555558ac95 at pc 0x7ffff6e96181 bp 0x7fffffffb1f0 sp 0x7fffffffa9a0
READ of size 22 at 0x55555558ac95 thread T0
    #0 0x7ffff6e96180 in strdup (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x58180)
    #1 0x555555578d57 in ParseCaffHeaderConfig /home/june/temp/report/binary/wavpack-5.1.0/cli/caff.c:425
    #2 0x555555567c3a in pack_file /home/june/temp/report/binary/wavpack-5.1.0/cli/wavpack.c:1774
    #3 0x555555565e5e in main /home/june/temp/report/binary/wavpack-5.1.0/cli/wavpack.c:1270
    #4 0x7ffff65902b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #5 0x5555555609a9 in _start (/home/june/temp/report/binary/wavpack-5.1.0/cli/.libs/wavpack+0xc9a9)

0x55555558ac95 is located 0 bytes to the right of global variable 'TMH_full' defined in 'caff.c:92:19' (0x55555558ac80) of size 21
0x55555558ac95 is located 43 bytes to the left of global variable 'TMH_std' defined in 'caff.c:93:19' (0x55555558acc0) of size 16
SUMMARY: AddressSanitizer: global-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x58180) in strdup
Shadow bytes around the buggy address:
  0x0aab2aaa9540: 00 03 f9 f9 f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9
  0x0aab2aaa9550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aab2aaa9560: 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0aab2aaa9570: 00 03 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0aab2aaa9580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0aab2aaa9590: 00 00[05]f9 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
  0x0aab2aaa95a0: 03 f9 f9 f9 f9 f9 f9 f9 03 f9 f9 f9 f9 f9 f9 f9
  0x0aab2aaa95b0: 03 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9
  0x0aab2aaa95c0: 06 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9
  0x0aab2aaa95d0: 00 01 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x0aab2aaa95e0: 05 f9 f9 f9 f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==13894==ABORTING

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages wavpack depends on:
ii  libc6        2.24-11+deb9u1
ii  libwavpack1  5.1.0-2

wavpack recommends no packages.

wavpack suggests no packages.

-- no debconf information
[poc.wav (application/octet-stream, attachment)]
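The AddressSanitizer report above describes the bug class precisely: strdup() performed a READ of size 22 starting at a 21-byte global (TMH_full, caff.c:92), i.e. it copied the whole variable and then kept going into the redzone looking for a NUL terminator that was not inside the buffer. The following is an added example, not WavPack's code and not the upstream fix referenced in the issue: it models that situation with two constructed adjacent globals (field_full and field_std, names chosen here; their contents are made up) and shows a bounded replacement for strdup() that never reads past the declared size. is_terminated() is the check a reviewer would want in front of any strdup() on a fixed-size field.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed sample, modelled on the ASan report's layout: a 21-byte global
 * followed by a 16-byte one. field_full is declared exactly as long as its
 * content, which C permits, so no NUL byte follows it inside the object.
 * Handing it to strdup() is the pattern the report flags. */
static const char field_full[21] = "ABCDEFGHIJKLMNOPQRSTU";   /* 21 chars, no NUL */
static const char field_std[16]  = "short";                  /* NUL-terminated */

/* Returns 1 when a NUL exists within the first `cap` bytes of `field`, i.e.
 * when strdup()/strlen() would stop inside the object; 0 when they would
 * walk off its end, which is the condition ASan reported. */
int is_terminated(const char *field, size_t cap)
{
    return memchr(field, '\0', cap) != NULL;
}

/* Bounded replacement for strdup(): reads at most `cap` bytes of `field`
 * and always returns a NUL-terminated heap copy (or NULL on allocation
 * failure). A field with no terminator is copied in full and terminated. */
char *dup_bounded(const char *field, size_t cap)
{
    const char *nul = memchr(field, '\0', cap);
    size_t len = nul ? (size_t)(nul - field) : cap;
    char *out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, field, len);
    out[len] = '\0';
    return out;
}
```

dup_bounded() takes the object size (sizeof the array) rather than trusting the content to carry its own end marker; that is the whole difference from strdup(), and it is what turns an out-of-bounds read into a well-defined copy regardless of what the input file put in the field.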

Set Bug forwarded-to-address to 'https://github.com/dbry/WavPack/issues/26'. Request was from Sebastian Ramacher <sramacher@debian.org> to control@bugs.debian.org. (Sat, 03 Feb 2018 13:03:05 GMT) (full text, mbox, link).


Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 12 Feb 2018 17:37:18 GMT) (full text, mbox, link).


Changed Bug title to 'wavpack: CVE-2018-7254: global buffer overflow while running wavpack' from 'wavpack: global buffer overflow while running wavpack'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 20 Feb 2018 05:51:03 GMT) (full text, mbox, link).


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 20 Feb 2018 05:51:05 GMT) (full text, mbox, link).


Severity set to 'serious' from 'important'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 27 Feb 2018 20:18:03 GMT) (full text, mbox, link).


Reply sent to Sebastian Ramacher <sramacher@debian.org>:
You have taken responsibility. (Tue, 01 May 2018 09:12:09 GMT) (full text, mbox, link).


Notification sent to Joonun Jang <joonun.jang@gmail.com>:
Bug acknowledged by developer. (Tue, 01 May 2018 09:12:09 GMT) (full text, mbox, link).


Message #20 received at 889274-close@bugs.debian.org (full text, mbox, reply):

From: Sebastian Ramacher <sramacher@debian.org>
To: 889274-close@bugs.debian.org
Subject: Bug#889274: fixed in wavpack 5.1.0-3
Date: Tue, 01 May 2018 09:10:08 +0000
Source: wavpack
Source-Version: 5.1.0-3

We believe that the bug you reported is fixed in the latest version of
wavpack, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 889274@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Ramacher <sramacher@debian.org> (supplier of updated wavpack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 01 May 2018 09:52:12 +0200
Source: wavpack
Binary: libwavpack1 libwavpack-dev wavpack
Architecture: source
Version: 5.1.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Sebastian Ramacher <sramacher@debian.org>
Description:
 libwavpack-dev - audio codec (lossy and lossless) - development files
 libwavpack1 - audio codec (lossy and lossless) - library
 wavpack    - audio codec (lossy and lossless) - encoder and decoder
Closes: 889274 889276 889559 897271
Changes:
 wavpack (5.1.0-3) unstable; urgency=medium
 .
   [ Ondřej Nový ]
   * d/control: Set Vcs-* to salsa.debian.org
   * d/rules: Remove trailing whitespaces
 .
   [ Felipe Sateler ]
   * Change maintainer address to debian-multimedia@lists.debian.org
 .
   [ Sebastian Ramacher ]
   * debian/control: Bump Standards-Version.
   * debian/patches:
     - Cherry-pick upstream patches for multiple CVEs (CVE-2018-7254,
       CVE-2018-7253, CVE-2018-6767, CVE-2018-10540, CVE-2018-10539,
       CVE-2018-10538, CVE-2018-10537, CVE-2018-10536). (Closes: #889274,
       #889276, #889559, #897271)
     - Fix a memory leak.
Checksums-Sha1:
 3fd2f99fd4216fd9246e34b98dd247d5e0131b88 2066 wavpack_5.1.0-3.dsc
 533c336dff6f4088a750bd3e85b0b4a9089a6702 9148 wavpack_5.1.0-3.debian.tar.xz
Checksums-Sha256:
 ade22011f0aad8bc95e76380e292e0f29e73ab2d4fa34980e8c802fdb3cd97ab 2066 wavpack_5.1.0-3.dsc
 9f108ff985b240ab79c67a6ed73d890cd6a2cb5ed0e06fe08fd892941b63f18e 9148 wavpack_5.1.0-3.debian.tar.xz
Files:
 16f16f4ef00a3c8c0d66eae7b3b62e69 2066 sound optional wavpack_5.1.0-3.dsc
 133792f50af7af58b8de73c33da6670c 9148 sound optional wavpack_5.1.0-3.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 30 May 2018 07:28:59 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:02:50 2019; Machine Name: buxtehude
