Bug 28085

Summary: wavpack new security issue CVE-2020-35738
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, geiger.david68210, herman.viaene, mageia, ouaurelien, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: wavpack-5.3.2-1.mga8.src.rpm CVE: CVE-2020-35738
Status comment:

Description David Walser 2021-01-13 19:10:00 CET 
Ubuntu has issued an advisory on January 6:
https://ubuntu.com/security/notices/USN-4682-1

Mageia 7 is also affected.
David Walser 2021-01-13 19:10:22 CET

Status comment: (none) => Patch available from upstream and Ubuntu
Whiteboard: (none) => MGA7TOO

Comment 1 Nicolas Lécureuil 2021-01-13 19:33:38 CET 
Fix pushed in mga 8

Version: Cauldron => 7
CC: (none) => mageia
Whiteboard: MGA7TOO => (none)

Comment 2 David Walser 2021-01-13 19:47:16 CET 
Fixed in wavpack-5.3.2-2.mga8.

Mageia 7 fix can be pulled from wavpack-5.1.0-2ubuntu1.5 for Ubuntu 18.04.
Comment 3 Lewis Smith 2021-01-14 14:10:21 CET 
Assigning this to NicolasL as already dealing with it.
CC'ing DavidG as another past committer.

Assignee: bugsquad => mageia
CC: (none) => geiger.david68210

Comment 4 David Walser 2021-01-21 16:59:57 CET 
Fedora has issued an advisory for this today (January 21):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2YZLKYE66EU4XRHTABV5LB2G7ZDZ422F/

The fix is upstream in 5.4.0.
Comment 5 David Walser 2021-06-22 00:37:32 CEST 
Advisory:
========================

Updated wavpack packages fix security vulnerability:

WavPack 5.3.0 has an out-of-bounds write in WavpackPackSamples in pack_utils.c
because of an integer overflow in a malloc argument (CVE-2020-35738).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35738
https://ubuntu.com/security/notices/USN-4682-1
========================

Updated packages in core/updates_testing:
========================
wavpack-5.1.0-4.2.mga7
libwavpack1-5.1.0-4.2.mga7
libwavpack-devel-5.1.0-4.2.mga7

from wavpack-5.1.0-4.2.mga7.src.rpm

Assignee: mageia => qa-bugs
Status comment: Patch available from upstream and Ubuntu => (none)

Comment 6 Herman Viaene 2021-06-22 11:20:39 CEST 
MGA7-64 Plasma on Lenovo B50
No installation issues
Ref bug 22588 for test, so installed gstreamer1.0-wavpack as well.
At CLI
$  wavpack -h 02\ Zapfenstreich.wav  -o Zapf

 WAVPACK  Hybrid Lossless Audio Compressor  Linux Version 5.1.0
 Copyright (c) 1998 - 2017 David Bryant.  All Rights Reserved.

created Zapf.wv in 1.22 secs (lossless, 44.81%) 
The resulting Zapf.wv file plays OK and its size is 18.1 Mb compared to the original 32.8, which is 55.18292 % on my calculator, which fits the reported compression nicely.
OK for me.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 7 Thomas Andrews 2021-06-22 18:02:56 CEST 
Validating. Advisory in Comment 5.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Aurelien Oudelet 2021-06-22 20:42:39 CEST

Keywords: (none) => advisory
CC: (none) => ouaurelien
CVE: (none) => CVE-2020-35738

Comment 8 Mageia Robot 2021-06-23 19:14:31 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0271.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED