| Summary: | wavpack new security issue CVE-2021-44269 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, nicolas.salguero, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | wavpack-5.3.2-2.mga8.src.rpm | CVE: | CVE-2021-44269 |
| Status comment: | |||
Description
David Walser
2022-03-29 00:46:37 CEST
David Walser
2022-03-29 00:46:57 CEST
Status comment: (none) => Patches available from upstream and openSUSE

This SRPM has been maintained by various packagers, so assigning this globally.

Assignee: bugsquad => pkg-bugs

Suggested advisory:
========================

The updated packages fix a security vulnerability:

An out of bounds read was found in Wavpack 5.4.0 in processing *.WAV files. This issue triggered in function WavpackPackSamples of file src/pack_utils.c, tainted variable cnt is too large, that makes pointer sptr read beyond heap bound. (CVE-2021-44269)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44269
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MA3ZHJ2SJ5F7RD4MVUADLVJ2VXDS4AOS/
========================

Updated packages in core/updates_testing:
========================
lib(64)wavpack1-5.3.2-2.1.mga8
lib(64)wavpack-devel-5.3.2-2.1.mga8
wavpack-5.3.2-2.1.mga8

from SRPM:
wavpack-5.3.2-2.1.mga8.src.rpm

Source RPM: wavpack-5.4.0-2.mga9.src.rpm => wavpack-5.3.2-2.mga8.src.rpm

Investigated the PoC but not sure of how to test it. Apparently, only the cli program is affected.

CVE-2021-44269
https://github.com/dbry/WavPack/issues/110

$ unzip crash.zip
$ wavpack crash.wav
WAVPACK Hybrid Lossless Audio Compressor Linux Version 5.3.2
Copyright (c) 1998 - 2020 David Bryant. All Rights Reserved.
warning: DSF file has non-integer bytes/second!
Segmentation fault (core dumped)

After updating:

$ wavpack crash.wav
WAVPACK Hybrid Lossless Audio Compressor Linux Version 5.3.2
Copyright (c) 1998 - 2020 David Bryant. All Rights Reserved.
crash.wav is not a valid .DSF file!

Well and good.

Followed Brian's notes at bug 25265 for testing.

$ wavpack BoarsHeadCarol.wav
WAVPACK Hybrid Lossless Audio Compressor Linux Version 5.3.2
Copyright (c) 1998 - 2020 David Bryant. All Rights Reserved.
created BoarsHeadCarol.wv in 0.22 secs (lossless, 39.69%)

The wv output file sounded fine with mplayer. Copied it to a test directory and unpacked it there.

$ wvunpack BoarsHeadCarol.wv
WVUNPACK Hybrid Lossless Audio Decompressor Linux Version 5.3.2
Copyright (c) 1998 - 2020 David Bryant. All Rights Reserved.
restored BoarsHeadCarol.wav in 0.20 secs (lossless, 39.69%)

The restored file was exactly the same size as the original and played fine.

As Brian noted, the wvtag utility does not supply any useful information.

$ wvgain *.wv
WVGAIN ReplayGain Scanner/Tagger for WavPack Linux Version 5.3.2
Copyright (c) 2005 - 2020 David Bryant. All Rights Reserved.
replaygain_track_gain = -5.18 dB
replaygain_track_peak = 0.988434

$ wvgain -c copy.wv
WVGAIN ReplayGain Scanner/Tagger for WavPack Linux Version 5.3.2
Copyright (c) 2005 - 2020 David Bryant. All Rights Reserved.
2 ReplayGain values cleaned

$ wvunpack copy.wv
restored copy.wav in 0.19 secs (lossless, 39.69%)

Difficult to detect any difference using mplayer. Anyway, this looks good.

CC: (none) => tarazed25

Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Dave Hodgins
2022-03-31 20:52:43 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0125.html

Resolution: (none) => FIXED