Bug 22588 - wavpack new security issue CVE-2018-6767, CVE-2018-7253, CVE-2018-7254, CVE-2018-1053[6-9], CVE-2018-10540, CVE-2018-1984[01]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-02-14 12:10 CET by David Walser
Modified: 2019-01-23 16:51 CET

See Also:
Source RPM: wavpack-5.1.0-1.mga6.src.rpm
CVE:
Status comment: Patches available from Ubuntu, Fedora, and upstream


Description David Walser 2018-02-14 12:10:02 CET
Ubuntu has issued an advisory on February 12:
https://usn.ubuntu.com/usn/usn-3568-1/

Mageia 6 is also affected.
David Walser 2018-02-14 12:10:22 CET

Status comment: (none) => Patch available from Ubuntu and upstream
Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-02-14 16:58:36 CET
Assigning to the registered maintainer.

Assignee: bugsquad => rverschelde
CC: (none) => marja11

Comment 2 David Walser 2018-02-24 18:29:20 CET
Ubuntu has issued an advisory on February 21:
https://usn.ubuntu.com/usn/usn-3578-1/

It fixes two additional issues.

Summary: wavpack new security issue CVE-2018-6767 => wavpack new security issue CVE-2018-6767, CVE-2018-7253, CVE-2018-7254
Status comment: Patch available from Ubuntu and upstream => Patches available from Ubuntu and upstream

Comment 3 David Walser 2018-03-03 18:44:04 CET
Fedora has issued an advisory for two of these issues on February 27:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/672IACBRRLUKTIGT2RARC5TBZIJAPXML/
Comment 4 David Walser 2018-03-03 20:52:57 CET
Debian has issued an advisory for this on February 27:
https://www.debian.org/security/2018/dsa-4125
Comment 5 David Walser 2018-03-11 14:29:01 CET
Fedora has issued an advisory for this on March 6:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OG7WH3LO2TAPWXCFLSM2FV3C6KSAVU6E/
Comment 6 David Walser 2018-05-01 18:07:46 CEST
Ubuntu has issued an advisory on April 30:
https://usn.ubuntu.com/3637-1/

It fixed several new issues.

Summary: wavpack new security issue CVE-2018-6767, CVE-2018-7253, CVE-2018-7254 => wavpack new security issue CVE-2018-6767, CVE-2018-7253, CVE-2018-7254, CVE-2018-1053[6-9], CVE-2018-10540

Comment 7 David Walser 2018-05-12 23:57:19 CEST
Debian has issued an advisory for the latest set of issues on May 9:
https://www.debian.org/security/2018/dsa-4197
Comment 8 David Walser 2018-06-07 21:54:29 CEST
Fedora advisory from May 26 for the new issues:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/U2NXF2CRDIR3PAL3CTVE4B7AYNGIPTJN/

Status comment: Patches available from Ubuntu and upstream => Patches available from Ubuntu, Fedora, and upstream

Comment 9 David Walser 2018-12-26 02:08:56 CET
Ubuntu has issued an advisory on December 6:
https://usn.ubuntu.com/3839-1/

It fixes two new issues.

Summary: wavpack new security issue CVE-2018-6767, CVE-2018-7253, CVE-2018-7254, CVE-2018-1053[6-9], CVE-2018-10540 => wavpack new security issue CVE-2018-6767, CVE-2018-7253, CVE-2018-7254, CVE-2018-1053[6-9], CVE-2018-10540, CVE-2018-1984[01]

Comment 10 David Walser 2019-01-21 02:34:58 CET
Advisory:
========================

Updated wavpack packages fix security vulnerabilities:

Joonun Jang discovered that WavPack incorrectly handled certain RF64 files. An
attacker could possibly use this to cause a denial of service (CVE-2018-6767).

It was discovered that WavPack incorrectly handled certain DSDIFF files. An
attacker could possibly use this to execute arbitrary code or cause a denial of
service (CVE-2018-7253).

It was discovered that WavPack incorrectly handled certain CAF files. An
attacker could possibly use this to cause a denial of service (CVE-2018-7254).

Thuan Pham, Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu
discovered that WavPack incorrectly handled certain .wav files. An attacker
could possibly use this to execute arbitrary code or cause a denial of service
(CVE-2018-10536, CVE-2018-10537).

Thuan Pham, Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu
discovered that WavPack incorrectly handled certain .wav files. An attacker
could possibly use this to cause a denial of service (CVE-2018-10538,
CVE-2018-10539, CVE-2018-10540).

It was discovered that WavPack incorrectly handled certain WAV files. An
attacker could possibly use this issue to cause a denial of service
(CVE-2018-19840, CVE-2018-19841).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6767
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7253
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7254
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10536
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10537
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10538
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10539
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10540
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19840
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19841
https://usn.ubuntu.com/3568-1/
https://usn.ubuntu.com/3578-1/
https://usn.ubuntu.com/3637-1/
https://usn.ubuntu.com/3839-1/
========================

Updated packages in core/updates_testing:
========================
wavpack-5.1.0-1.1.mga6
libwavpack1-5.1.0-1.1.mga6
libwavpack-devel-5.1.0-1.1.mga6

from wavpack-5.1.0-1.1.mga6.src.rpm

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Assignee: rverschelde => qa-bugs

Comment 11 Lewis Smith 2019-01-21 21:14:18 CET
Some pointers:

Previous tests of normal usage:
 https://bugs.mageia.org/show_bug.cgi?id=20205#c7
You may need gstreamer1.0-wavpack also.

Test files from CVEs (not per CVE); see the start of host pages for what might happen:-

From: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889276
 https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=889276;filename=poc.wav;msg=5
To run: $ wavpack -y poc.wav

From: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889559:
 https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=889559;filename=poc.wav;msg=5
To run: $ wavpack -y poc.wav

From: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889274:
 https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=889274;filename=poc.wav;msg=5
To run: $ wavpack -y poc.wav
[I wonder whether these 3 are all the same].

From: https://github.com/dbry/WavPack/issues/30:
 https://github.com/dbry/WavPack/files/1936236/wavpack_crash1.wav.tar.gz
To run: $ wavpack -y wavpack_crash1.wav

From: https://github.com/dbry/WavPack/issues/31:
 https://github.com/dbry/WavPack/files/1936248/wavpack_crash2.wav.tar.gz
To run: $ wavpack -y wavpack_crash2.wav

From: https://github.com/dbry/WavPack/issues/32:
 https://github.com/dbry/WavPack/files/1936256/wavpack_crash4.wav.tar.gz
To run: $ wavpack -y wavpack_crash4.wav

From: https://github.com/dbry/WavPack/issues/33:
 https://github.com/dbry/WavPack/files/1936263/wavpack_crash5.wav.tar.gz
To run: $ wavpack -y wavpack_crash5.wav

From: https://github.com/dbry/WavPack/issues/53:
 https://github.com/dbry/WavPack/files/2616193/wavpack_hangs.zip
To run: $ wavpack --blocksize=128 -h $FILE -o /tmp/test.wv -y

From: https://github.com/dbry/WavPack/issues/54:
 https://github.com/dbry/WavPack/files/2628142/crashes.zip
To run: $ wvunpack $FILE

I think we should concentrate on just these.

CC: (none) => lewyssmith

Comment 12 Len Lawrence 2019-01-21 21:21:40 CET
Re comment 11:
poc.wav.  It might be as well to number them as they are downloaded, just in case.

CC: (none) => tarazed25

Comment 13 Herman Viaene 2019-01-22 10:16:23 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues (added gstreamer1.0-wavpack to the installation)
At CLI:
$ wavpack -h 02Zapfenstreich.wav -o Zapf

 WAVPACK  Hybrid Lossless Audio Compressor  Linux Version 5.1.0
 Copyright (c) 1998 - 2017 David Bryant.  All Rights Reserved.

created Zapf.wv in 3.89 secs (lossless, 44.81%)   
Resulting Zapf.wv file plays OK in parole and is 19Mb compared to the original 34,4Mb, which is, according to my calculator, indeed 55.2% of the original.
Functionally OK with me.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 14 Lewis Smith 2019-01-22 16:14:41 CET
Testing Mageia 6 x64, the test files.
(In reply to Len Lawrence from comment #12)
> Re comment 11:
> poc.wav.  It might be as well to number them as they are downloaded, just in
> case
Did! poc1|2|3.wav for the first three in order.

BEFORE update: wavpack-5.1.0-1.mga6     lib64wavpack1-5.1.0-1.mga6
AFTER update:  wavpack-5.1.0-1.1.mga6   lib64wavpack1-5.1.0-1.1.mga6.

1) Before:
 $ wavpack -y poc1.wav
 ...
 poc1.wav is not a valid .WAV file!    Not helpful.
After: Same, sigh.

2) Before:
 $ wavpack -y poc2.wav
 ...
 creating poc2.wv,Segmentation fault (core dumped)
After:
 $ wavpack -y poc2.wav
 ...
 poc2.wav is not a valid .DFF file!
GOOD.

3) Before:
 $ wavpack -y poc3.wav
 ...
 creating poc3.wv,Segmentation fault (core dumped)
After:
 $ wavpack -y poc3.wav
 ...
 poc3.wav is not a valid .CAF file!
GOOD.

4) Before:
 $ wavpack -y wavpack_crash1.wav
 ...
 creating wavpack_crash1.wv,*** Error in `wavpack': free(): invalid size: 0x0000000001d6d730 ***
 ======= Backtrace: =========
 ...
 Aborted (core dumped)
After:
 $ wavpack -y wavpack_crash1.wav
 ...
 wavpack_crash1.wav is not a valid .WAV file!
GOOD.

5) Before:
 $ wavpack -y wavpack_crash2.wav
 ...
 creating wavpack_crash2.wv,*** Error in `wavpack': double free or corruption (out): 0x00000000022a37c0 ***
 ======= Backtrace: =========
 ...
 Aborted (core dumped)
After:
 $ wavpack -y wavpack_crash2.wav
 ...
 wavpack_crash2.wav is not a valid .WAV file!                                
GOOD.

6) Before:
 $ wavpack -y wavpack_crash4.wav
 ...
 creating wavpack_crash4.wv,   0% done...*** Error in `wavpack': munmap_chunk(): invalid pointer: 0x00000000018b73e0 ***
 ======= Backtrace: =========
 ...
 Aborted (core dumped)
After:
 $ wavpack -y wavpack_crash4.wav
 ...
 wavpack_crash4.wav is not a valid .WAV file!
GOOD.

7) Before:
 $ wavpack -y wavpack_crash5.wav
 ...
 creating wavpack_crash5.wv,Segmentation fault (core dumped)
After:
 $ wavpack -y wavpack_crash5.wav
 ...
 wavpack_crash5.wav is not a valid .WAV file!
GOOD.

8) Before:
 $ wavpack --blocksize=128 -h h01.wav -o /tmp/test.wv -y
 ...
 creating /tmp/test.wv
Then it looped, taking I think 100% of a processor (50 of 2). Had to kill it from task manager, ^C did nothing.
After:
 $ wavpack --blocksize=128 -h h01.wav -o /tmp/test.wv -y
 ...
 h01.wav: sample rate cannot be zero!
GOOD.

9) Before:
 $ wavpack --blocksize=128 -h h02.wav -o /tmp/test.wv -y
 ...
 creating /tmp/test.wv,
 Same as test 8.
After:
 $ wavpack --blocksize=128 -h h02.wav -o /tmp/test.wv -y
 ...
 h02.wav: sample rate cannot be zero!
GOOD.

10) $ wvunpack c01.wv 
 ...
 not compatible with this version of WavPack file!
After:
 $ wvunpack c01.wv
Same, not helpful.

11) Before & after:
 $ wvunpack c02.wv
Same as 10, no use here.

12) Before & after:
 $ wvunpack c03.wv
Same as 10, no use here.

So these tests were mostly good, else not reproducible. Thanks to Herman for a good usability test.

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
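
The before/after procedure in comment 14, as an added example that is not part of the bug report: a POSIX shell harness that runs each test file under a time limit and turns the exit status into a verdict, so crashes, hangs and clean rejections can be compared across package versions. It assumes coreutils `timeout` is installed and that a refused input gives a nonzero exit without a signal; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug report): triage harness for crash/hang test files.
# Assumptions: coreutils timeout(1) is installed; an exit status above 128 means
# "killed by signal (status - 128)", the usual sh convention.

# classify_status STATUS: turn an exit status into a verdict word.
classify_status() {
    case "$1" in
        0)       echo accepted ;;
        124|137) echo hang ;;         # timeout(1) expired: TERM (124) or follow-up KILL (137)
        134)     echo crash-abort ;;  # SIGABRT, e.g. glibc "free(): invalid size"
        139)     echo crash-segv ;;   # SIGSEGV
        *)       if [ "$1" -gt 128 ]; then echo "crash-signal-$(($1 - 128))"
                 else echo rejected; fi ;;  # clean error exit, input refused (assumed)
    esac
}

# run_case LIMIT CMD [ARG...]: run CMD for at most LIMIT seconds, print the verdict.
run_case() {
    limit=$1; shift
    status=0
    # -k 2: send KILL two seconds after TERM, for loops that ignore signals.
    timeout -k 2 "$limit" "$@" </dev/null >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# compare_verdicts BEFORE AFTER: judge an update from the two verdicts.
compare_verdicts() {
    case "$1" in
        crash-*|hang) case "$2" in
                          crash-*|hang) echo STILL-BROKEN ;;
                          *)            echo FIXED ;;
                      esac ;;
        *)            case "$2" in
                          crash-*|hang) echo REGRESSION ;;
                          *)            echo NOT-REPRODUCED ;;
                      esac ;;
    esac
}

# Stand-alone use: sh triage.sh FILE...  -> one "file verdict" line per input.
for f in "$@"; do
    case "$f" in
        *.wv) verdict=$(run_case 30 wvunpack "$f") ;;
        *)    verdict=$(run_case 30 wavpack -y "$f") ;;
    esac
    printf '%s %s\n' "$f" "$verdict"
done
```

Run it once with the old packages and once with the update, saving each output, then feed the two verdicts for a file to `compare_verdicts`.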

Comment 15 Mageia Robot 2019-01-23 16:51:41 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0045.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

