Debian Bug report logs -
#897271
wavpack: CVE-2018-10536 CVE-2018-10537 CVE-2018-10538 CVE-2018-10539 CVE-2018-10540
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Tue, 1 May 2018 07:12:01 UTC
Severity: serious
Tags: security, upstream
Found in version wavpack/5.0.0-1
Fixed in versions wavpack/5.0.0-2+deb9u2, wavpack/5.1.0-3
Done: Sebastian Ramacher <sramacher@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#897271; Package src:wavpack.
(Tue, 01 May 2018 07:12:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>.
(Tue, 01 May 2018 07:12:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: wavpack
Version: 5.0.0-1
Severity: serious
Tags: security upstream
Justification: regression from stable, once DSA released
Control: fixed -1 5.0.0-2+deb9u2
Hi,
The following vulnerabilities were published for wavpack, a fixed
version (5.0.0-2+deb9u2) was uploaded to security-master by Moritz
Muehlenhoff to be issues as a DSA.
CVE-2018-10536[0]:
| An issue was discovered in WavPack 5.1.0 and earlier. The WAV parser
| component contains a vulnerability that allows writing to memory
| because ParseRiffHeaderConfig in riff.c does not reject multiple format
| chunks.
CVE-2018-10537[1]:
| An issue was discovered in WavPack 5.1.0 and earlier. The W64 parser
| component contains a vulnerability that allows writing to memory
| because ParseWave64HeaderConfig in wave64.c does not reject multiple
| format chunks.
CVE-2018-10538[2]:
| An issue was discovered in WavPack 5.1.0 and earlier for WAV input.
| Out-of-bounds writes can occur because ParseRiffHeaderConfig in riff.c
| does not validate the sizes of unknown chunks before attempting memory
| allocation, related to a lack of integer-overflow protection within a
| bytes_to_copy calculation and subsequent malloc call, leading to
| insufficient memory allocation.
CVE-2018-10539[3]:
| An issue was discovered in WavPack 5.1.0 and earlier for DSDiff input.
| Out-of-bounds writes can occur because ParseDsdiffHeaderConfig in
| dsdiff.c does not validate the sizes of unknown chunks before
| attempting memory allocation, related to a lack of integer-overflow
| protection within a bytes_to_copy calculation and subsequent malloc
| call, leading to insufficient memory allocation.
CVE-2018-10540[4]:
| An issue was discovered in WavPack 5.1.0 and earlier for W64 input.
| Out-of-bounds writes can occur because ParseWave64HeaderConfig in
| wave64.c does not validate the sizes of unknown chunks before
| attempting memory allocation, related to a lack of integer-overflow
| protection within a bytes_to_copy calculation and subsequent malloc
| call, leading to insufficient memory allocation.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-10536
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10536
[1] https://security-tracker.debian.org/tracker/CVE-2018-10537
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10537
[2] https://security-tracker.debian.org/tracker/CVE-2018-10538
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10538
[3] https://security-tracker.debian.org/tracker/CVE-2018-10539
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10539
[4] https://security-tracker.debian.org/tracker/CVE-2018-10540
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10540
Regards,
Salvatore
Marked as fixed in versions wavpack/5.0.0-2+deb9u2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Tue, 01 May 2018 07:12:05 GMT) (full text, mbox, link).
Reply sent
to Sebastian Ramacher <sramacher@debian.org>:
You have taken responsibility.
(Tue, 01 May 2018 09:12:21 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Tue, 01 May 2018 09:12:21 GMT) (full text, mbox, link).
Message #12 received at 897271-close@bugs.debian.org (full text, mbox, reply):
Source: wavpack
Source-Version: 5.1.0-3
We believe that the bug you reported is fixed in the latest version of
wavpack, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 897271@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sebastian Ramacher <sramacher@debian.org> (supplier of updated wavpack package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 01 May 2018 09:52:12 +0200
Source: wavpack
Binary: libwavpack1 libwavpack-dev wavpack
Architecture: source
Version: 5.1.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Sebastian Ramacher <sramacher@debian.org>
Description:
libwavpack-dev - audio codec (lossy and lossless) - development files
libwavpack1 - audio codec (lossy and lossless) - library
wavpack - audio codec (lossy and lossless) - encoder and decoder
Closes: 889274 889276 889559 897271
Changes:
wavpack (5.1.0-3) unstable; urgency=medium
.
[ Ondřej Nový ]
* d/control: Set Vcs-* to salsa.debian.org
* d/rules: Remove trailing whitespaces
.
[ Felipe Sateler ]
* Change maintainer address to debian-multimedia@lists.debian.org
.
[ Sebastian Ramacher ]
* debian/control: Bump Standards-Version.
* debian/patches:
- Cherry-pick upstream patches for multiple CVEs (CVE-2018-7254,
CVE-2018-7253, CVE-2018-6767, CVE-2018-10540, CVE-2018-10539,
CVE-2018-10538, CVE-2018-10537, CVE-2018-10536). (Closes: #889274,
#889276, #889559, #897271)
- Fix a memory leak.
Checksums-Sha1:
3fd2f99fd4216fd9246e34b98dd247d5e0131b88 2066 wavpack_5.1.0-3.dsc
533c336dff6f4088a750bd3e85b0b4a9089a6702 9148 wavpack_5.1.0-3.debian.tar.xz
Checksums-Sha256:
ade22011f0aad8bc95e76380e292e0f29e73ab2d4fa34980e8c802fdb3cd97ab 2066 wavpack_5.1.0-3.dsc
9f108ff985b240ab79c67a6ed73d890cd6a2cb5ed0e06fe08fd892941b63f18e 9148 wavpack_5.1.0-3.debian.tar.xz
Files:
16f16f4ef00a3c8c0d66eae7b3b62e69 2066 sound optional wavpack_5.1.0-3.dsc
133792f50af7af58b8de73c33da6670c 9148 sound optional wavpack_5.1.0-3.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIyBAEBCAAcBQJa6B8dFRxzcmFtYWNoZXJAZGViaWFuLm9yZwAKCRBp8vxRbqcZ
kx1DD/4qdJYQ4p5UpluCTkh8czUijMCxrMsi9Vz3JerSLgDFT72mDJRG1ayMGp2M
BbnXZUt1EdaBt5YNp18uFCX77x7yENn5IchzrrgkWWfPIBkHShqv4c/6P522KCDM
tzkp54YtRldlfevt1axPC9/0NLBHFYE410pd+KBQLRBJY/bp4vNruSYrspvauvNS
HBQrIo14YlbX/O90o2/LB/lLeyZPeUi5Z2o7dWwJg9jzCT8CrZgPukRE05JOg6Kg
FLodtxIF6ehZMNH7+5FuxtVBPxl0C2Mz1ZkvmpFyk9TUNOvEqkAhjBf7ajXa4gLR
OjpBhPyFmkW92euV/lrK0C44xb2PX94fP9lC/yQjJ1S2Et6/UwyomDCZLLt2xEx8
pz26wTSMWIVqa/wpVTVvGxhxkN/Tbh5BL0NhsnjozGyIHmACQEO41Qoh/qKKOSY2
3zd8P10DvrMTnx20b6yPmDt9D/oX9AVWuaqGys95UeUU4hfxJ7XucpUrrZxEzvL1
xUi9ojUa9SCYykwgbse9cZc2865FT4iFda70jaAAfqxALp5NhQXMfRXJQs3PorDK
uguEnzyag20IyIyNpCx/FXd0uIQeJUMAypDmmRm1GDKRXcawZvdRtCeuuDTDJRuj
SzwMc+4aYgNqTW7CYyg42wNsIgBOtAQy8d1mqvoRTppX2hT3Yg==
=QFww
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 15 Jul 2018 07:31:45 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:46:26 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon