CVEs have been assigned for security issues fixed upstream in wavpack: http://openwall.com/lists/oss-security/2017/01/28/9 Backporting the patch to the version in Cauldron appears to be non-trivial. Mageia 5 may also be affected.
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Whiteboard: (none) => MGA5TOO??Assignee: bugsquad => pkg-bugsCC: (none) => marja11
Fedora has issued an advisory for this on February 2: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/A2EUTEEW6WR7IQ6KN2A4U7PXUDL5IO2Y/
URL: (none) => https://lwn.net/Vulnerabilities/713564/
Whether this is applicable to us is in question: https://bugzilla.redhat.com/show_bug.cgi?id=1417853#c3
For Cauldron I pushed 5.1.0 which is the latest upstream release and fixes this bug (and should make it easier to backport other fixes later on). For Mageia 5, for 4.70.0 there's only part of the patch that can be cherry-picked as described in the comments of the commit: https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc#commitcomment-20691383 (it's actually in another file, but I could find the relevant code chunk).
Pushed wavpack-4.70.0-3.1.mga5 to core/updates_testing. I also took maintainership of the package. As the upstream patch is not very explicit about which part fixes which bug, I'm not sure what exact CVE(s) I'm addressing, but I assume it's CVE-2016-10169 as it refers to that read_words.c file. Advisory: ========= Updated wavpack packages fix security vulnerability Hanno Böck discovered a global buffer overread vulnerability in WavPack's word parsing logic (CVE-2016-10169), this update fixes it. References: - http://openwall.com/lists/oss-security/2017/01/23/4 - https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc RPMs in core/updates_testing: ============================= wavpack-4.70.0-3.1.mga5 lib{64,}wavpack1-4.70.0-3.1.mga5 lib{64,}wavpack-devel-4.70.0-3.1.mga5 SRPMs in core/updates_testing: ============================== wavpack-4.70.0-3.1.mga5
Whiteboard: MGA5TOO?? => (none)Version: Cauldron => 5Assignee: pkg-bugs => qa-bugs
Whiteboard: (none) => advisoryCC: (none) => davidwhodgins
MGA5-32 on Asus A6000VM Xfce No installation issues. At CLI: wavpack -h 02\ Zapfenstreich.wav -o Zapf WAVPACK Hybrid Lossless Audio Compressor Linux Version 4.70.0 Copyright (c) 1998 - 2013 Conifer Software. All Rights Reserved. can't write WavPack data, disk probably full! can't close WavPack file! [tester5@mach6 Muziek]$ wavpack -h 02\ Zapfenstreich.wav -o Zapf WAVPACK Hybrid Lossless Audio Compressor Linux Version 4.70.0 Copyright (c) 1998 - 2013 Conifer Software. All Rights Reserved. created Zapf.wv in 5.50 secs (lossless, 44.88%) But when I wanted to play (default Parole player) the resulting file, I got the message that a "wavpack decoder" was needed. I had to install gstreamer1.0-wavpack to play the file. There was a quirk: the first time I played the file, parole played it much too fast. Instead of a military marsch, it seemed rather apt to accompagny a 100m dash. But playing a second and more times did not repeat this.
CC: (none) => herman.viaeneWhiteboard: advisory => advisory MGA5-32-OK
Prior to testing x64 Noted â/usr/bin/wavpack .wav [uncompressed] -> .wv [compressed but lossless] â/usr/bin/wvgain Adjust gain of a .wv.file â/usr/bin/wvunpack .wv -> .wav Parole needs a wavpack add-on to play directly .wv files. It suggests several, but as Herman found, just gstreamer1.0-wavpack suffices. BEFORE update: lib64wavpack1-4.70.0-3.mga5 wavpack-4.70.0-3.mga5 $ wavpack BachKBconcerto.wav ... created BachKBconcerto.wv in 3.54 secs (lossless, 49.93% The .wv file played back OK with Parole. $ wvunpack BachKBconcerto.wv -o BachKBconcerto1.wav ... restored BachKBconcerto1.wav in 2.84 secs (lossless, 49.93%) The restored file played back OK. $ wvgain BachKBconcerto.wv ... replaygain_track_gain = -2.13 dB . replaygain_track_peak = 0.998657 2 ReplayGain values appended The fiddled-with file played back OK. AFTER update: lib64wavpack1-4.70.0-3.1.mga5 wavpack-4.70.0-3.1.mga5 $ wavpack Vivaldi-ConcertoRV297II_Largo.wav ... created Vivaldi-ConcertoRV297II_Largo.wv in 2.32 secs (lossless, 63.06%) $ wvgain Vivaldi-ConcertoRV297II_Largo.wv ... 2 ReplayGain values appended $ wvunpack Vivaldi-ConcertoRV297II_Largo.wv \ -o Vivaldi-ConcertoRV297II_Largo1.wav ... restored Vivaldi-ConcertoRV297II_Largo1.wav in 2.11 secs (lossless, 63.06%) All 3 result files played back OK with Parole. Oh, checked that the library is called. $ strace wvunpack Vivaldi-ConcertoRV297II_Largo.wv \ -o Vivaldi-ConcertoRV297II_Largo1.wav 2>&1 | grep wavpack open("/lib64/libwavpack.so.1", O_RDONLY|O_CLOEXEC) = 3 Update looks good. Validating. I see that the advisory is already done - but what about those extra CVE-2016-1017[0-2]? If not included, remove them from the title?
Keywords: (none) => validated_updateWhiteboard: advisory MGA5-32-OK => advisory MGA5-32-OK MGA5-64-OKCC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0077.html
Status: NEW => RESOLVEDResolution: (none) => FIXED