Ubuntu has issued an advisory on February 12: https://usn.ubuntu.com/usn/usn-3568-1/ Mageia 6 is also affected.
Status comment: (none) => Patch available from Ubuntu and upstream
Whiteboard: (none) => MGA6TOO
Assigning to the registered maintainer.
Assignee: bugsquad => rverschelde
CC: (none) => marja11
Ubuntu has issued an advisory on February 21: https://usn.ubuntu.com/usn/usn-3578-1/ It fixes two additional issues.
Summary: wavpack new security issue CVE-2018-6767 => wavpack new security issue CVE-2018-6767, CVE-2018-7253, CVE-2018-7254
Status comment: Patch available from Ubuntu and upstream => Patches available from Ubuntu and upstream
Fedora has issued an advisory for two of these issues on February 27: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/672IACBRRLUKTIGT2RARC5TBZIJAPXML/
Debian has issued an advisory for this on February 27: https://www.debian.org/security/2018/dsa-4125
Fedora has issued an advisory for this on March 6: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OG7WH3LO2TAPWXCFLSM2FV3C6KSAVU6E/
Ubuntu has issued an advisory on April 30: https://usn.ubuntu.com/3637-1/ It fixed several new issues.
Summary: wavpack new security issue CVE-2018-6767, CVE-2018-7253, CVE-2018-7254 => wavpack new security issue CVE-2018-6767, CVE-2018-7253, CVE-2018-7254, CVE-2018-1053[6-9], CVE-2018-10540
Debian has issued an advisory for the latest set of issues on May 9: https://www.debian.org/security/2018/dsa-4197
Fedora advisory from May 26 for the new issues: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/U2NXF2CRDIR3PAL3CTVE4B7AYNGIPTJN/
Status comment: Patches available from Ubuntu and upstream => Patches available from Ubuntu, Fedora, and upstream
Ubuntu has issued an advisory on December 6: https://usn.ubuntu.com/3839-1/ It fixes two new issues.
Summary: wavpack new security issue CVE-2018-6767, CVE-2018-7253, CVE-2018-7254, CVE-2018-1053[6-9], CVE-2018-10540 => wavpack new security issue CVE-2018-6767, CVE-2018-7253, CVE-2018-7254, CVE-2018-1053[6-9], CVE-2018-10540, CVE-2018-1984[01]
Advisory:
========================

Updated wavpack packages fix security vulnerabilities:

Joonun Jang discovered that WavPack incorrectly handled certain RF64 files. An attacker could possibly use this to cause a denial of service (CVE-2018-6767).

It was discovered that WavPack incorrectly handled certain DSDIFF files. An attacker could possibly use this to execute arbitrary code or cause a denial of service (CVE-2018-7253).

It was discovered that WavPack incorrectly handled certain CAF files. An attacker could possibly use this to cause a denial of service (CVE-2018-7254).

Thuan Pham, Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu discovered that WavPack incorrectly handled certain .wav files. An attacker could possibly use this to execute arbitrary code or cause a denial of service (CVE-2018-10536, CVE-2018-10537).

Thuan Pham, Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu discovered that WavPack incorrectly handled certain .wav files. An attacker could possibly use this to cause a denial of service (CVE-2018-10538, CVE-2018-10539, CVE-2018-10540).

It was discovered that WavPack incorrectly handled certain WAV files. An attacker could possibly use this issue to cause a denial of service (CVE-2018-19840, CVE-2018-19841).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6767
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7253
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7254
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10536
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10537
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10538
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10539
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10540
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19840
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19841
https://usn.ubuntu.com/3568-1/
https://usn.ubuntu.com/3578-1/
https://usn.ubuntu.com/3637-1/
https://usn.ubuntu.com/3839-1/
========================

Updated packages in core/updates_testing:
========================
wavpack-5.1.0-1.1.mga6
libwavpack1-5.1.0-1.1.mga6
libwavpack-devel-5.1.0-1.1.mga6

from wavpack-5.1.0-1.1.mga6.src.rpm
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Assignee: rverschelde => qa-bugs
Some pointers:

Previous tests of normal usage: https://bugs.mageia.org/show_bug.cgi?id=20205#c7
You may need gstreamer1.0-wavpack also.

Test files from CVEs (not per CVE); see the start of host pages for what might happen:-

From: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889276
https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=889276;filename=poc.wav;msg=5
To run: $ wavpack -y poc.wav

From: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889559:
https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=889559;filename=poc.wav;msg=5
To run: $ wavpack -y poc.wav

From: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889274:
https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=889274;filename=poc.wav;msg=5
To run: $ wavpack -y poc.wav

[I wonder whether these 3 are all the same].

From: https://github.com/dbry/WavPack/issues/30:
https://github.com/dbry/WavPack/files/1936236/wavpack_crash1.wav.tar.gz
To run: $ wavpack -y wavpack_crash1.wav

From: https://github.com/dbry/WavPack/issues/31:
https://github.com/dbry/WavPack/files/1936248/wavpack_crash2.wav.tar.gz
To run: $ wavpack -y wavpack_crash2.wav

From: https://github.com/dbry/WavPack/issues/32:
https://github.com/dbry/WavPack/files/1936256/wavpack_crash4.wav.tar.gz
To run: $ wavpack -y wavpack_crash4.wav

From: https://github.com/dbry/WavPack/issues/33:
https://github.com/dbry/WavPack/files/1936263/wavpack_crash5.wav.tar.gz
To run: $ wavpack -y wavpack_crash5.wav

From: https://github.com/dbry/WavPack/issues/53:
https://github.com/dbry/WavPack/files/2616193/wavpack_hangs.zip
To run: $ wavpack --blocksize=128 -h $FILE -o /tmp/test.wv -y

From: https://github.com/dbry/WavPack/issues/54:
https://github.com/dbry/WavPack/files/2628142/crashes.zip
To run: $ wvunpack $FILE

I think we should concentrate on just these.
CC: (none) => lewyssmith
Re comment 11: poc.wav. It might be as well to number them as they are downloaded, just in case.
CC: (none) => tarazed25
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues (added gstreamer1.0-wavpack to the installation)

At CLI:
$ wavpack -h 02Zapfenstreich.wav -o Zapf
WAVPACK Hybrid Lossless Audio Compressor Linux Version 5.1.0
Copyright (c) 1998 - 2017 David Bryant. All Rights Reserved.
created Zapf.wv in 3.89 secs (lossless, 44.81%)

Resulting Zapf.wv file plays OK in parole and is 19Mb compared to the original 34,4Mb which is according to my calculator indeed 55.2% of the original.
Functionally OK with me.
Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene
Testing Mageia 6 x64, the test files.

(In reply to Len Lawrence from comment #12)
> Re comment 11:
> poc.wav. It might be as well to number them as they are downloaded, just in
> case

Did! poc1|2|3.wav for the first three in order.

BEFORE update: wavpack-5.1.0-1.mga6 lib64wavpack1-5.1.0-1.mga6
AFTER update: wavpack-5.1.0-1.1.mga6 lib64wavpack1-5.1.0-1.1.mga6.

1) Before:
$ wavpack -y poc1.wav
...
poc1.wav is not a valid .WAV file!
Not helpful.
After: Same, sigh.

2) Before:
$ wavpack -y poc2.wav
...
creating poc2.wv,Segmentation fault (core dumped)
After:
$ wavpack -y poc2.wav
...
poc2.wav is not a valid .DFF file!
GOOD.

3) Before:
$ wavpack -y poc3.wav
...
creating poc3.wv,Segmentation fault (core dumped)
After:
$ wavpack -y poc3.wav
...
poc3.wav is not a valid .CAF file!
GOOD.

4) Before:
$ wavpack -y wavpack_crash1.wav
...
creating wavpack_crash1.wv,*** Error in `wavpack': free(): invalid size: 0x0000000001d6d730 ***
======= Backtrace: =========
...
Aborted (core dumped)
After:
$ wavpack -y wavpack_crash1.wav
...
wavpack_crash1.wav is not a valid .WAV file!
GOOD.

5) Before:
$ wavpack -y wavpack_crash2.wav
...
creating wavpack_crash2.wv,*** Error in `wavpack': double free or corruption (out): 0x00000000022a37c0 ***
======= Backtrace: =========
...
Aborted (core dumped)
After:
$ wavpack -y wavpack_crash2.wav
...
wavpack_crash2.wav is not a valid .WAV file!
GOOD.

6) Before:
$ wavpack -y wavpack_crash4.wav
...
creating wavpack_crash4.wv, 0% done...*** Error in `wavpack': munmap_chunk(): invalid pointer: 0x00000000018b73e0 ***
======= Backtrace: =========
...
Aborted (core dumped)
After:
$ wavpack -y wavpack_crash4.wav
...
wavpack_crash4.wav is not a valid .WAV file!
GOOD.

7) Before:
wavpack -y wavpack_crash5.wav
...
creating wavpack_crash5.wv,Segmentation fault (core dumped)
After:
$ wavpack -y wavpack_crash5.wav
...
wavpack_crash5.wav is not a valid .WAV file!
GOOD.

8) Before:
$ wavpack --blocksize=128 -h h01.wav -o /tmp/test.wv -y
...
creating /tmp/test.wv
Then it looped, taking I think 100% of a processor (50 of 2). Had to kill it from task manager, ^C did nothing.
After:
$ wavpack --blocksize=128 -h h01.wav -o /tmp/test.wv -y
...
h01.wav: sample rate cannot be zero!
GOOD.

9) Before:
$ wavpack --blocksize=128 -h h02.wav -o /tmp/test.wv -y
...
creating /tmp/test.wv,
Same as test 8.
After:
$ wavpack --blocksize=128 -h h02.wav -o /tmp/test.wv -y
...
h02.wav: sample rate cannot be zero!
GOOD.

10) $ wvunpack c01.wv
...
not compatible with this version of WavPack file!
After:
$ wvunpack c01.wv
Same, not helpful.

11) Before & after:
$ wvunpack c02.wv
Same as 10, no use here.

12) Before & after:
$ wvunpack c03.wv
Same as 10, no use here.

So these tests were mostly good, else not reproducible.
Thanks to Herman for good usability test.
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
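The before/after comparison in the test comment above can be scripted. This is an added example, not part of the original bug thread: a shell helper that turns each run's exit status into crash, hang or clean rejection and compares the two package versions. The function names are hypothetical, and it assumes coreutils `timeout` and that a cleanly rejected file yields a nonzero exit without a signal.

```shell
#!/bin/sh
# Added example: classify how a tool handled a malformed input file.
# Conventions used: 128+N = killed by signal N; timeout(1) reports 124
# on expiry, or 137 when the command had to be stopped with SIGKILL.

classify_status() {
    case "$1" in
        0)       echo "ACCEPTED" ;;        # input processed without error
        126|127) echo "NOT RUN" ;;         # tool missing or not executable
        124|137) echo "HANG" ;;            # ran past the limit (137 can also be an OOM kill)
        134)     echo "CRASH(SIGABRT)" ;;  # e.g. glibc heap-consistency abort
        139)     echo "CRASH(SIGSEGV)" ;;
        *)  if [ "$1" -gt 128 ]; then
                echo "CRASH(signal $(( $1 - 128 )))"
            else
                echo "REJECTED"            # assumption: nonzero exit, no signal
            fi ;;
    esac
}

# run_case SECONDS COMMAND [ARGS...]
# SIGKILL is used because the looping case in the thread ignored ^C.
run_case() {
    limit=$1; shift
    status=0
    timeout -s KILL "$limit" "$@" >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# verdict BEFORE AFTER: compare results from the old and updated package.
verdict() {
    case "$2" in CRASH*|HANG) echo "STILL VULNERABLE"; return ;; esac
    case "$1" in
        CRASH*|HANG) echo "FIXED" ;;
        *)           echo "NOT REPRODUCED" ;;
    esac
}

# Typical use, with the commands listed in the thread:
#   before=$(run_case 30 wavpack -y poc2.wav)    # old package installed
#   after=$(run_case 30 wavpack -y poc2.wav)     # updated package installed
#   verdict "$before" "$after"
```

A "NOT REPRODUCED" verdict matches the cases in the thread where the file was rejected both before and after the update, so it says nothing about whether the fix is effective.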
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0045.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED