| Summary: | wavpack new security issues CVE-2019-11498 and CVE-2019-101031[5789] | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | brtians1, geiger.david68210, marja11, sysadmin-bugs, tarazed25, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6TOO MGA6-64-OK MGA7-64-OK | | |
| Source RPM: | wavpack-5.1.0-4.mga7.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2019-08-11 20:44:20 CEST
David Walser
2019-08-11 20:44:28 CEST
Whiteboard:
(none) =>
MGA7TOO, MGA6TOO

Assigning to our registered wavpack maintainer, CC'ing the most recent submitter.

Assignee:
bugsquad =>
rverschelde

Ubuntu has issued an advisory on July 16:
https://usn.ubuntu.com/4062-1/

Summary:
wavpack new security issue CVE-2019-11498 =>
wavpack new security issues CVE-2019-11498 and CVE-2019-101031[5789]

Done for mga6, mga7 and Cauldron!

Thanks David. I see that you patched CVE-2019-11498 in Cauldron in May but did not file a bug. Please always file a bug or let me know when fixing a security issue.

Version:
Cauldron =>
7

Advisory (Mageia 6):
========================

Updated wavpack packages fix security vulnerabilities:

It was discovered that WavPack incorrectly handled certain DFF files. An attacker could possibly use this issue to cause a denial of service (CVE-2019-11498).

Rohan Padhye discovered that WavPack incorrectly handled certain WAV files. An attacker could possibly use this issue to cause a denial of service (CVE-2019-1010315, CVE-2019-1010317, CVE-2019-1010318, CVE-2019-1010319).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11498
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010315
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010317
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010318
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010319
https://usn.ubuntu.com/3960-1/
https://usn.ubuntu.com/4062-1/
========================

Updated packages in core/updates_testing:
========================
wavpack-5.1.0-1.2.mga6
libwavpack1-5.1.0-1.2.mga6
libwavpack-devel-5.1.0-1.2.mga6

from wavpack-5.1.0-1.2.mga6.src.rpm

Advisory (Mageia 7):
========================

Updated wavpack packages fix security vulnerabilities:

Rohan Padhye discovered that WavPack incorrectly handled certain WAV files. An attacker could possibly use this issue to cause a denial of service (CVE-2019-1010315, CVE-2019-1010317, CVE-2019-1010318, CVE-2019-1010319).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010315
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010317
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010318
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010319
https://usn.ubuntu.com/4062-1/
========================

Updated packages in core/updates_testing:
========================
wavpack-5.1.0-4.1.mga7
libwavpack1-5.1.0-4.1.mga7
libwavpack-devel-5.1.0-4.1.mga7

from wavpack-5.1.0-4.1.mga7.src.rpm

Assignee:
rverschelde =>
qa-bugs

$ uname -a
Linux localhost.localdomain 5.2.7-desktop-1.mga7 #1 SMP Wed Aug 7 10:32:19 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
- lib64wavpack1-5.1.0-4.1.mga7.x86_64
- wavpack-5.1.0-4.1.mga7.x86_64
[brian@localhost tmp]$ wavpack
WAVPACK Hybrid Lossless Audio Compressor Linux Version 5.1.0
Copyright (c) 1998 - 2017 David Bryant. All Rights Reserved.
Usage: WAVPACK [-options] infile[.wav]|infile.ext|- [...] [-o outfile[.wv]|outpath|-]
(default is lossless; multiple input files allowed)
Formats: .wav (default, bwf/rf64 okay) .wv (transcode, with tags)
.w64 (Sony Wave64) .caf (Core Audio Format)
.dff (Philips DSDIFF) .dsf (Sony DSD stream)
Options: -bn = enable hybrid compression, n = 2.0 to 23.9 bits/sample, or
n = 24-9600 kbits/second (kbps)
-c = create correction file (.wvc) for hybrid mode (=lossless)
-f = fast mode (fast, but some compromise in compression ratio)
-h = high quality (better compression ratio, but slower)
-v = verify output file integrity after write (no pipes)
-x = extra encode processing (no decoding speed penalty)
--help = complete help
Web: Visit www.wavpack.com for latest version and info
[brian@localhost tmp]$ wavpack *.wav
WAVPACK Hybrid Lossless Audio Compressor Linux Version 5.1.0
Copyright (c) 1998 - 2017 David Bryant. All Rights Reserved.
created 09 - Amin Bhatia - The Ship.wv in 0.82 secs (lossless, 62.90%)
[brian@localhost tmp]$ ls -ltr
total 39896
-rw-rw-r-- 1 brian brian 29795180 Oct 23 2017 '09 - Amin Bhatia - The Ship.wav'
-rw-r--r-- 1 brian brian 11053130 Aug 20 20:57 '09 - Amin Bhatia - The Ship.wv'
mplayer was able to play the *.wv file.
This seems to be working so far.
[brian@localhost tmp]$ wvunpack *.wv
WVUNPACK Hybrid Lossless Audio Decompressor Linux Version 5.1.0
Copyright (c) 1998 - 2017 David Bryant. All Rights Reserved.
restored 09 - Amin Bhatia - The Ship.wav in 0.68 secs (lossless, 62.90%)
[brian@localhost tmp]$ wvgain *.wv
WVGAIN ReplayGain Scanner/Tagger for WavPack Linux Version 5.1.0
Copyright (c) 2005 - 2017 David Bryant. All Rights Reserved.
replaygain_track_gain = +9.41 dB
replaygain_track_peak = 0.252197
2 ReplayGain values appended
I used wvtag -l to list out the attributes in the file. That seemed to work, not much there.
All of this is working

CC:
(none) =>
brtians1

mga6, x86_64

In the middle of retrieving and testing POC files. Back later.

CC:
(none) =>
tarazed25

mga6, x86_64

*Before update*

CVE-2019-1010315
https://github.com/dbry/WavPack/issues/65
$ wavpack divzero.wav
[...]
creating divzero.wv,Floating point exception (core dumped)

CVE-2019-1010317
https://github.com/dbry/WavPack/issues/66
$ wavpack uninit-caff.wav
[...]
.CAF file uninit-caff.wav has an invalid data chunk size, probably is corrupt!

CVE-2019-1010318 -> CVE-2019-11498
https://github.com/dbry/WavPack/issues/67
$ valgrind wavpack uninit-config.wav
[...]
uninit-config.wav: sample rate cannot be zero!
[...]

CVE-2019-1010319
https://github.com/dbry/WavPack/issues/68
$ valgrind wavpack uninit-divzero-waveheader.wav
[...]
uninit-divzero-waveheader.wav is not a valid .W64 file!
[...]

*After update*

CVE-2019-1010315
$ wavpack divzero.wav
WAVPACK Hybrid Lossless Audio Compressor Linux Version 5.1.0
Copyright (c) 1998 - 2017 David Bryant. All Rights Reserved.
divzero.wav is not a valid .DFF file!
<good result>

CVE-2019-1010317
$ wavpack uninit-caff.wav
[...]
uninit-caff.wav is not a valid .CAF file!
<good>

CVE-2019-11498
$ valgrind wavpack uninit-config.wav
The output contains:
uninit-config.wav is not a valid .DFF file!
<good>

CVE-2019-1010319
$ valgrind wavpack uninit-divzero-waveheader.wav
[...]
uninit-divzero-waveheader.wav is not a valid .W64 file!
[...]
<good - as it was before the update>

Passes on all the POC.

*Utility tests*

$ cd ~/tmp/music
$ wavpack -h ASuiteOfTheatreMusic.wav
WAVPACK Hybrid Lossless Audio Compressor Linux Version 5.1.0
Copyright (c) 1998 - 2017 David Bryant. All Rights Reserved.
created ASuiteOfTheatreMusic.wv in 1.62 secs (lossless, 51.74%)

Sounds fine when run by mplayer.

$ ll
-rw-r--r-- 1 lcl lcl 84267500 Jun 27 2012 ASuiteOfTheatreMusic.wav
-rw-r--r-- 1 lcl lcl 40666586 Aug 24 17:20 ASuiteOfTheatreMusic.wv
$ wvunpack ASuiteOfTheatreMusic.wv
WVUNPACK Hybrid Lossless Audio Decompressor Linux Version 5.1.0
Copyright (c) 1998 - 2017 David Bryant. All Rights Reserved.
overwrite ASuiteOfTheatreMusic.wav (yes/no/all)? yes
restored ASuiteOfTheatreMusic.wav in 1.40 secs (lossless, 51.74%)
$ ll
-rw-r--r-- 1 lcl lcl 84267500 Aug 24 17:28 ASuiteOfTheatreMusic.wav
-rw-r--r-- 1 lcl lcl 40666586 Aug 24 17:20 ASuiteOfTheatreMusic.wv

The restored WAV file played perfectly in mplayer.

Whiteboard:
MGA6TOO MGA7-64-OK =>
MGA6TOO MGA6-64-OK MGA7-64-OK
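
The before/after PoC runs in the comment above can be scripted so that a crash, a memcheck error and a clean rejection are told apart by exit status instead of by reading the output. This is an added example, not part of the bug report or of WavPack; the script name, the exit code 99 and the category labels are assumptions, and the PoC files are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the bug report): classify how a tool handled a
# malformed input file by its exit status.
# Assumed usage: ./poc-check.sh divzero.wav uninit-caff.wav ...

VG_ERR=99   # assumption: exit code we ask valgrind to use for memcheck errors

# classify_run CMD [ARGS...]
# prints: accepted | rejected | memcheck-error | crash:<signal> | not-run
classify_run() {
    rc=0
    "$@" </dev/null >/dev/null 2>&1 || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo accepted
    elif [ "$rc" -eq 126 ] || [ "$rc" -eq 127 ]; then
        echo not-run                  # tool missing or not executable
    elif [ "$rc" -eq "$VG_ERR" ]; then
        echo memcheck-error           # valgrind --error-exitcode fired
    elif [ "$rc" -gt 128 ]; then
        echo "crash:$((rc - 128))"    # shell reports death by signal N as 128+N
    else
        echo rejected                 # tool exited with its own error code
    fi
}

# verdict RESULT: PASS only when the input was handled without a crash
# or a memcheck error.
verdict() {
    case "$1" in
        accepted|rejected) echo PASS ;;
        *)                 echo FAIL ;;
    esac
}

# One line per PoC file: a plain run and a run under valgrind.
for f in "$@"; do
    plain=$(classify_run wavpack "$f")
    vg=$(classify_run valgrind -q --error-exitcode="$VG_ERR" wavpack "$f")
    printf '%s\tplain=%s(%s)\tvalgrind=%s(%s)\n' \
        "$f" "$plain" "$(verdict "$plain")" "$vg" "$(verdict "$vg")"
done
```

On Linux a floating point exception like the one in the pre-update divzero.wav run is reported as crash:8 (SIGFPE).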
Thomas Backlund
2019-08-31 13:06:19 CEST
Keywords:
(none) =>
advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0230.html

Status:
NEW =>
RESOLVED

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0231.html