| Summary: | wavpack new security issues CVE-2016-10169 and CVE-2016-1017[0-2] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, herman.viaene, lewyssmith, marja11, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://lwn.net/Vulnerabilities/713564/ | ||
| Whiteboard: | advisory MGA5-32-OK MGA5-64-OK | ||
| Source RPM: | wavpack-4.80.0-1.mga6.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2017-01-29 17:42:27 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package. Whiteboard:
(none) =>
MGA5TOO?? Fedora has issued an advisory for this on February 2: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/A2EUTEEW6WR7IQ6KN2A4U7PXUDL5IO2Y/ URL:
(none) =>
https://lwn.net/Vulnerabilities/713564/ Whether this is applicable to us is in question: https://bugzilla.redhat.com/show_bug.cgi?id=1417853#c3 For Cauldron I pushed 5.1.0 which is the latest upstream release and fixes this bug (and should make it easier to backport other fixes later on). For Mageia 5, for 4.70.0 there's only part of the patch that can be cherry-picked as described in the comments of the commit: https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc#commitcomment-20691383 (it's actually in another file, but I could find the relevant code chunk). Pushed wavpack-4.70.0-3.1.mga5 to core/updates_testing. I also took maintainership of the package. As the upstream patch is not very explicit about which part fixes which bug, I'm not sure what exact CVE(s) I'm addressing, but I assume it's CVE-2016-10169 as it refers to that read_words.c file. Advisory: ========= Updated wavpack packages fix security vulnerability Hanno Böck discovered a global buffer overread vulnerability in WavPack's word parsing logic (CVE-2016-10169), this update fixes it. References: - http://openwall.com/lists/oss-security/2017/01/23/4 - https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc RPMs in core/updates_testing: ============================= wavpack-4.70.0-3.1.mga5 lib{64,}wavpack1-4.70.0-3.1.mga5 lib{64,}wavpack-devel-4.70.0-3.1.mga5 SRPMs in core/updates_testing: ============================== wavpack-4.70.0-3.1.mga5 Whiteboard:
MGA5TOO?? =>
(none)
Dave Hodgins
2017-03-08 03:48:38 CET
Whiteboard:
(none) =>
advisory MGA5-32 on Asus A6000VM Xfce No installation issues. At CLI: wavpack -h 02\ Zapfenstreich.wav -o Zapf WAVPACK Hybrid Lossless Audio Compressor Linux Version 4.70.0 Copyright (c) 1998 - 2013 Conifer Software. All Rights Reserved. can't write WavPack data, disk probably full! can't close WavPack file! [tester5@mach6 Muziek]$ wavpack -h 02\ Zapfenstreich.wav -o Zapf WAVPACK Hybrid Lossless Audio Compressor Linux Version 4.70.0 Copyright (c) 1998 - 2013 Conifer Software. All Rights Reserved. created Zapf.wv in 5.50 secs (lossless, 44.88%) But when I wanted to play (default Parole player) the resulting file, I got the message that a "wavpack decoder" was needed. I had to install gstreamer1.0-wavpack to play the file. There was a quirk: the first time I played the file, parole played it much too fast. Instead of a military marsch, it seemed rather apt to accompagny a 100m dash. But playing a second and more times did not repeat this. CC:
(none) =>
herman.viaene Prior to testing x64
Noted â/usr/bin/wavpack .wav [uncompressed] -> .wv [compressed but lossless]
â/usr/bin/wvgain Adjust gain of a .wv.file
â/usr/bin/wvunpack .wv -> .wav
Parole needs a wavpack add-on to play directly .wv files. It suggests several, but as Herman found, just gstreamer1.0-wavpack suffices.
BEFORE update:
lib64wavpack1-4.70.0-3.mga5
wavpack-4.70.0-3.mga5
$ wavpack BachKBconcerto.wav
...
created BachKBconcerto.wv in 3.54 secs (lossless, 49.93%
The .wv file played back OK with Parole.
$ wvunpack BachKBconcerto.wv -o BachKBconcerto1.wav
...
restored BachKBconcerto1.wav in 2.84 secs (lossless, 49.93%)
The restored file played back OK.
$ wvgain BachKBconcerto.wv
...
replaygain_track_gain = -2.13 dB .
replaygain_track_peak = 0.998657
2 ReplayGain values appended
The fiddled-with file played back OK.
AFTER update:
lib64wavpack1-4.70.0-3.1.mga5
wavpack-4.70.0-3.1.mga5
$ wavpack Vivaldi-ConcertoRV297II_Largo.wav
...
created Vivaldi-ConcertoRV297II_Largo.wv in 2.32 secs (lossless, 63.06%)
$ wvgain Vivaldi-ConcertoRV297II_Largo.wv
...
2 ReplayGain values appended
$ wvunpack Vivaldi-ConcertoRV297II_Largo.wv \
-o Vivaldi-ConcertoRV297II_Largo1.wav
...
restored Vivaldi-ConcertoRV297II_Largo1.wav in 2.11 secs (lossless, 63.06%)
All 3 result files played back OK with Parole.
Oh, checked that the library is called.
$ strace wvunpack Vivaldi-ConcertoRV297II_Largo.wv \
-o Vivaldi-ConcertoRV297II_Largo1.wav 2>&1 | grep wavpack
open("/lib64/libwavpack.so.1", O_RDONLY|O_CLOEXEC) = 3
Update looks good. Validating.
I see that the advisory is already done - but what about those extra CVE-2016-1017[0-2]? If not included, remove them from the title?Keywords:
(none) =>
validated_update An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0077.html Status:
NEW =>
RESOLVED |