Bug 20205 - wavpack new security issues CVE-2016-10169 and CVE-2016-1017[0-2]
Summary: wavpack new security issues CVE-2016-10169 and CVE-2016-1017[0-2]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lwn.net/Vulnerabilities/713564/
Whiteboard: advisory MGA5-32-OK MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-01-29 17:42 CET by David Walser
Modified: 2017-03-17 12:13 CET (History)
CC List: 5 users

See Also:
Source RPM: wavpack-4.80.0-1.mga6.src.rpm
CVE:
Status comment:



Description David Walser 2017-01-29 17:42:27 CET
CVEs have been assigned for security issues fixed upstream in wavpack:
http://openwall.com/lists/oss-security/2017/01/28/9

Backporting the patch to the version in Cauldron appears to be non-trivial.  Mageia 5 may also be affected.
Comment 1 Marja Van Waes 2017-01-29 23:27:22 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Whiteboard: (none) => MGA5TOO??
Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Comment 2 David Walser 2017-02-04 16:31:01 CET
Fedora has issued an advisory for this on February 2:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/A2EUTEEW6WR7IQ6KN2A4U7PXUDL5IO2Y/

URL: (none) => https://lwn.net/Vulnerabilities/713564/

Comment 3 David Walser 2017-02-04 16:32:03 CET
Whether this is applicable to us is in question:
https://bugzilla.redhat.com/show_bug.cgi?id=1417853#c3
Comment 4 Rémi Verschelde 2017-03-06 19:44:19 CET
For Cauldron I pushed 5.1.0 which is the latest upstream release and fixes this bug (and should make it easier to backport other fixes later on).

For Mageia 5, for 4.70.0 there's only part of the patch that can be cherry-picked as described in the comments of the commit: https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc#commitcomment-20691383
(it's actually in another file, but I could find the relevant code chunk).
Comment 5 Rémi Verschelde 2017-03-06 19:49:20 CET
Pushed wavpack-4.70.0-3.1.mga5 to core/updates_testing. I also took maintainership of the package.

As the upstream patch is not very explicit about which part fixes which bug, I'm not sure what exact CVE(s) I'm addressing, but I assume it's CVE-2016-10169 as it refers to that read_words.c file.

Advisory:
=========

Updated wavpack packages fix security vulnerability

  Hanno Böck discovered a global buffer overread vulnerability in WavPack's
  word parsing logic (CVE-2016-10169); this update fixes it.

References:
 - http://openwall.com/lists/oss-security/2017/01/23/4
 - https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc


RPMs in core/updates_testing:
=============================

wavpack-4.70.0-3.1.mga5
lib{64,}wavpack1-4.70.0-3.1.mga5
lib{64,}wavpack-devel-4.70.0-3.1.mga5


SRPMs in core/updates_testing:
==============================

wavpack-4.70.0-3.1.mga5

Whiteboard: MGA5TOO?? => (none)
Version: Cauldron => 5
Assignee: pkg-bugs => qa-bugs

Dave Hodgins 2017-03-08 03:48:38 CET

Whiteboard: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Herman Viaene 2017-03-09 17:26:59 CET
MGA5-32 on Asus A6000VM Xfce
No installation issues.
At CLI:
wavpack -h 02\ Zapfenstreich.wav -o Zapf

 WAVPACK  Hybrid Lossless Audio Compressor  Linux Version 4.70.0
 Copyright (c) 1998 - 2013 Conifer Software.  All Rights Reserved.

can't write WavPack data, disk probably full!        
can't close WavPack file!        
[tester5@mach6 Muziek]$ wavpack -h 02\ Zapfenstreich.wav -o Zapf

 WAVPACK  Hybrid Lossless Audio Compressor  Linux Version 4.70.0
 Copyright (c) 1998 - 2013 Conifer Software.  All Rights Reserved.

created Zapf.wv in 5.50 secs (lossless, 44.88%)        

But when I wanted to play (default Parole player) the resulting file, I got the message that a "wavpack decoder" was needed. I had to install gstreamer1.0-wavpack to play the file.
There was a quirk: the first time I played the file, parole played it much too fast. Instead of a military march, it seemed rather apt to accompany a 100m dash. But playing it a second time and more did not repeat this.

CC: (none) => herman.viaene
Whiteboard: advisory => advisory MGA5-32-OK

Comment 7 Lewis Smith 2017-03-13 11:48:32 CET
Prior to testing x64
Noted • /usr/bin/wavpack    .wav [uncompressed] -> .wv [compressed but lossless]
      • /usr/bin/wvgain     Adjust gain of a .wv file
      • /usr/bin/wvunpack   .wv -> .wav
Parole needs a wavpack add-on to play directly .wv files. It suggests several, but as Herman found, just gstreamer1.0-wavpack suffices.

BEFORE update:
 lib64wavpack1-4.70.0-3.mga5
 wavpack-4.70.0-3.mga5

 $ wavpack BachKBconcerto.wav
...
 created BachKBconcerto.wv in 3.54 secs (lossless, 49.93%
The .wv file played back OK with Parole.

 $ wvunpack BachKBconcerto.wv -o BachKBconcerto1.wav
...
 restored BachKBconcerto1.wav in 2.84 secs (lossless, 49.93%)
The restored file played back OK.

 $ wvgain BachKBconcerto.wv
...
 replaygain_track_gain = -2.13 dB        .
 replaygain_track_peak = 0.998657        
 2 ReplayGain values appended
The fiddled-with file played back OK.

AFTER update:
 lib64wavpack1-4.70.0-3.1.mga5
 wavpack-4.70.0-3.1.mga5

$ wavpack Vivaldi-ConcertoRV297II_Largo.wav
...
created Vivaldi-ConcertoRV297II_Largo.wv in 2.32 secs (lossless, 63.06%)

$ wvgain  Vivaldi-ConcertoRV297II_Largo.wv
...
2 ReplayGain values appended

$ wvunpack  Vivaldi-ConcertoRV297II_Largo.wv \
  -o  Vivaldi-ConcertoRV297II_Largo1.wav
...
restored Vivaldi-ConcertoRV297II_Largo1.wav in 2.11 secs (lossless, 63.06%)

All 3 result files played back OK with Parole.

Oh, checked that the library is called.
 $ strace wvunpack  Vivaldi-ConcertoRV297II_Largo.wv \
 -o  Vivaldi-ConcertoRV297II_Largo1.wav 2>&1 | grep wavpack
 open("/lib64/libwavpack.so.1", O_RDONLY|O_CLOEXEC) = 3

Update looks good. Validating.
I see that the advisory is already done - but what about those extra CVE-2016-1017[0-2]? If not included, remove them from the title?

Keywords: (none) => validated_update
Whiteboard: advisory MGA5-32-OK => advisory MGA5-32-OK MGA5-64-OK
CC: (none) => lewyssmith, sysadmin-bugs
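The manual QA round trip in the two test reports above (encode with wavpack, restore with wvunpack, confirm the result is bit-exact, and confirm which libwavpack the tool actually loads) as an added script. This is example code written for this page, not Mageia QA tooling or WavPack project code. It assumes wavpack and wvunpack from the package under test are on PATH (the round trip is reported as skipped, not failed, when they are absent), uses a constructed synthetic signal instead of a music file, answers the strace question with ldd, and passes -y, the existing overwrite option of both tools, so the script never blocks on a prompt.

```python
"""QA round-trip check for a wavpack update (added example; not Mageia QA tooling).

Encode a .wav with wavpack, restore it with wvunpack, verify the decoded PCM is
identical to the input (lossless), and list the libwavpack the decoder links.
Tool names, the -y overwrite flag and the test signal are assumptions made here.
"""
import hashlib
import shutil
import struct
import subprocess
import tempfile
import wave
from pathlib import Path

SAMPLE_RATE = 8000   # constructed test signal: 8 kHz, 16-bit mono
N_SAMPLES = 4000


def make_test_wav(path):
    """Write a constructed deterministic sawtooth so no real music file is needed."""
    frames = bytearray()
    for i in range(N_SAMPLES):
        frames += struct.pack("<h", ((i * 97) % 65536) - 32768)
    with wave.open(str(path), "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(SAMPLE_RATE)
        w.writeframes(bytes(frames))
    return Path(path)


def pcm_digest(path):
    """SHA-256 over decoded PCM frames only, so header or extra-chunk differences
    written by the decoder neither mask nor fake a sample-level mismatch."""
    with wave.open(str(path), "rb") as w:
        return hashlib.sha256(w.readframes(w.getnframes())).hexdigest()


def is_lossless(original, restored):
    """True when the restored file carries exactly the original samples."""
    return pcm_digest(original) == pcm_digest(restored)


def linked_wavpack_libs(binary):
    """Which libwavpack the tool resolves (ldd), the question the strace in the
    bug report answers; empty when the tool or ldd is not installed."""
    exe = shutil.which(binary)
    if exe is None or shutil.which("ldd") is None:
        return []
    out = subprocess.run(["ldd", exe], capture_output=True, text=True, check=False).stdout
    return [line.strip() for line in out.splitlines() if "libwavpack" in line]


def roundtrip(wav, workdir, encoder="wavpack", decoder="wvunpack"):
    """True if encode+decode is bit-exact, False if not, None when the tools are
    not installed (skipped rather than failed)."""
    if shutil.which(encoder) is None or shutil.which(decoder) is None:
        return None
    wv = Path(workdir) / "test.wv"
    restored = Path(workdir) / "restored.wav"
    # -y: overwrite existing output without prompting (option of both tools)
    subprocess.run([encoder, "-y", str(wav), "-o", str(wv)], check=True, capture_output=True)
    subprocess.run([decoder, "-y", str(wv), "-o", str(restored)], check=True, capture_output=True)
    return is_lossless(wav, restored)


def run_check(workdir=None):
    """Build the signal, prove the comparison is not vacuous on a constructed
    corrupted copy, then run the real round trip and library check."""
    workdir = Path(workdir or tempfile.mkdtemp(prefix="wavpack-qa-"))
    wav = make_test_wav(workdir / "test.wav")
    # Negative control: flip one bit in the last sample byte; the digest must differ.
    corrupted = workdir / "corrupted.wav"
    raw = bytearray(wav.read_bytes())
    raw[-1] ^= 0x01
    corrupted.write_bytes(bytes(raw))
    return {
        "self_identical": is_lossless(wav, wav),
        "corruption_detected": not is_lossless(wav, corrupted),
        "roundtrip_lossless": roundtrip(wav, workdir),
        "libwavpack": linked_wavpack_libs("wvunpack"),
    }


if __name__ == "__main__":
    for key, value in run_check().items():
        print(f"{key}: {value}")
```

A None for roundtrip_lossless means the tools were not found, which is the expected result on a machine without the package; on a Mageia 5 test box with wavpack-4.70.0-3.1.mga5 installed, the expected outcome is True and a libwavpack entry pointing at the updated library.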

Comment 8 Mageia Robot 2017-03-17 12:13:41 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0077.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

