Ubuntu has issued an advisory on April 30: https://usn.ubuntu.com/3960-1/
Mageia 6 and Mageia 7 are also affected.
Whiteboard: (none) => MGA7TOO, MGA6TOO
Assigning to our registered wavpack maintainer, CC'ing the most recent submitter.
Assignee: bugsquad => rverschelde
CC: (none) => geiger.david68210, marja11
Ubuntu has issued an advisory on July 16: https://usn.ubuntu.com/4062-1/
Summary: wavpack new security issue CVE-2019-11498 => wavpack new security issues CVE-2019-11498 and CVE-2019-101031[5789]
Done for mga6, mga7 and Cauldron!
Thanks David. I see that you patched CVE-2019-11498 in Cauldron in May but did not file a bug. Please always file a bug or let me know when fixing a security issue.
Version: Cauldron => 7
Whiteboard: MGA7TOO, MGA6TOO => MGA6TOO
Advisory (Mageia 6):
========================

Updated wavpack packages fix security vulnerabilities:

It was discovered that WavPack incorrectly handled certain DFF files. An attacker could possibly use this issue to cause a denial of service (CVE-2019-11498).

Rohan Padhye discovered that WavPack incorrectly handled certain WAV files. An attacker could possibly use this issue to cause a denial of service (CVE-2019-1010315, CVE-2019-1010317, CVE-2019-1010318, CVE-2019-1010319).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11498
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010315
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010317
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010318
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010319
https://usn.ubuntu.com/3960-1/
https://usn.ubuntu.com/4062-1/
========================

Updated packages in core/updates_testing:
========================
wavpack-5.1.0-1.2.mga6
libwavpack1-5.1.0-1.2.mga6
libwavpack-devel-5.1.0-1.2.mga6

from wavpack-5.1.0-1.2.mga6.src.rpm

Advisory (Mageia 7):
========================

Updated wavpack packages fix security vulnerabilities:

Rohan Padhye discovered that WavPack incorrectly handled certain WAV files. An attacker could possibly use this issue to cause a denial of service (CVE-2019-1010315, CVE-2019-1010317, CVE-2019-1010318, CVE-2019-1010319).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010315
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010317
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010318
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010319
https://usn.ubuntu.com/4062-1/
========================

Updated packages in core/updates_testing:
========================
wavpack-5.1.0-4.1.mga7
libwavpack1-5.1.0-4.1.mga7
libwavpack-devel-5.1.0-4.1.mga7

from wavpack-5.1.0-4.1.mga7.src.rpm
Assignee: rverschelde => qa-bugs
$ uname -a
Linux localhost.localdomain 5.2.7-desktop-1.mga7 #1 SMP Wed Aug 7 10:32:19 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

- lib64wavpack1-5.1.0-4.1.mga7.x86_64
- wavpack-5.1.0-4.1.mga7.x86_64

[brian@localhost tmp]$ wavpack

WAVPACK Hybrid Lossless Audio Compressor Linux Version 5.1.0
Copyright (c) 1998 - 2017 David Bryant. All Rights Reserved.

Usage: WAVPACK [-options] infile[.wav]|infile.ext|- [...] [-o outfile[.wv]|outpath|-]
       (default is lossless; multiple input files allowed)

Formats: .wav (default, bwf/rf64 okay) .wv (transcode, with tags)
         .w64 (Sony Wave64) .caf (Core Audio Format)
         .dff (Philips DSDIFF) .dsf (Sony DSD stream)

Options: -bn = enable hybrid compression, n = 2.0 to 23.9 bits/sample, or
               n = 24-9600 kbits/second (kbps)
         -c = create correction file (.wvc) for hybrid mode (=lossless)
         -f = fast mode (fast, but some compromise in compression ratio)
         -h = high quality (better compression ratio, but slower)
         -v = verify output file integrity after write (no pipes)
         -x = extra encode processing (no decoding speed penalty)
         --help = complete help

Web: Visit www.wavpack.com for latest version and info

[brian@localhost tmp]$ wavpack *.wav

WAVPACK Hybrid Lossless Audio Compressor Linux Version 5.1.0
Copyright (c) 1998 - 2017 David Bryant. All Rights Reserved.

created 09 - Amin Bhatia - The Ship.wv in 0.82 secs (lossless, 62.90%)

[brian@localhost tmp]$ ls -ltr
total 39896
-rw-rw-r-- 1 brian brian 29795180 Oct 23 2017 '09 - Amin Bhatia - The Ship.wav'
-rw-r--r-- 1 brian brian 11053130 Aug 20 20:57 '09 - Amin Bhatia - The Ship.wv'

mplayer was able to play the *.wv file. This seems to be working so far.

[brian@localhost tmp]$ wvunpack *.wv

WVUNPACK Hybrid Lossless Audio Decompressor Linux Version 5.1.0
Copyright (c) 1998 - 2017 David Bryant. All Rights Reserved.

restored 09 - Amin Bhatia - The Ship.wav in 0.68 secs (lossless, 62.90%)

[brian@localhost tmp]$ wvgain *.wv

WVGAIN ReplayGain Scanner/Tagger for WavPack Linux Version 5.1.0
Copyright (c) 2005 - 2017 David Bryant. All Rights Reserved.

replaygain_track_gain = +9.41 dB
replaygain_track_peak = 0.252197

2 ReplayGain values appended

I used wvtag -l to list out the attributes in the file. That seemed to work, not much there.

All of this is working.
CC: (none) => brtians1
Whiteboard: MGA6TOO => MGA6TOO MGA7-64-OK
mga6, x86_64

In the middle of retrieving and testing POC files. Back later.
CC: (none) => tarazed25
mga6, x86_64

*Before update*

CVE-2019-1010315
https://github.com/dbry/WavPack/issues/65
$ wavpack divzero.wav
[...]
creating divzero.wv,Floating point exception (core dumped)

CVE-2019-1010317
https://github.com/dbry/WavPack/issues/66
$ wavpack uninit-caff.wav
[...]
.CAF file uninit-caff.wav has an invalid data chunk size, probably is corrupt!

CVE-2019-1010318 -> CVE-2019-11498
https://github.com/dbry/WavPack/issues/67
$ valgrind wavpack uninit-config.wav
[...]
uninit-config.wav: sample rate cannot be zero!
[...]

CVE-2019-1010319
https://github.com/dbry/WavPack/issues/68
$ valgrind wavpack uninit-divzero-waveheader.wav
[...]
uninit-divzero-waveheader.wav is not a valid .W64 file!
[...]

*After update*

CVE-2019-1010315
$ wavpack divzero.wav
WAVPACK Hybrid Lossless Audio Compressor Linux Version 5.1.0
Copyright (c) 1998 - 2017 David Bryant. All Rights Reserved.
divzero.wav is not a valid .DFF file!
<good result>

CVE-2019-1010317
$ wavpack uninit-caff.wav
[...]
uninit-caff.wav is not a valid .CAF file!
<good>

CVE-2019-11498
$ valgrind wavpack uninit-config.wav
The output contains:
uninit-config.wav is not a valid .DFF file!
<good>

CVE-2019-1010319
$ valgrind wavpack uninit-divzero-waveheader.wav
[...]
uninit-divzero-waveheader.wav is not a valid .W64 file!
[...]
<good - as it was before the update>

Passes on all the POC.

*Utility tests*

$ cd ~/tmp/music
$ wavpack -h ASuiteOfTheatreMusic.wav
WAVPACK Hybrid Lossless Audio Compressor Linux Version 5.1.0
Copyright (c) 1998 - 2017 David Bryant. All Rights Reserved.
created ASuiteOfTheatreMusic.wv in 1.62 secs (lossless, 51.74%)

Sounds fine when run by mplayer.

$ ll
-rw-r--r-- 1 lcl lcl 84267500 Jun 27 2012 ASuiteOfTheatreMusic.wav
-rw-r--r-- 1 lcl lcl 40666586 Aug 24 17:20 ASuiteOfTheatreMusic.wv

$ wvunpack ASuiteOfTheatreMusic.wv
WVUNPACK Hybrid Lossless Audio Decompressor Linux Version 5.1.0
Copyright (c) 1998 - 2017 David Bryant. All Rights Reserved.
overwrite ASuiteOfTheatreMusic.wav (yes/no/all)? yes
restored ASuiteOfTheatreMusic.wav in 1.40 secs (lossless, 51.74%)

$ ll
-rw-r--r-- 1 lcl lcl 84267500 Aug 24 17:28 ASuiteOfTheatreMusic.wav
-rw-r--r-- 1 lcl lcl 40666586 Aug 24 17:20 ASuiteOfTheatreMusic.wv

The restored WAV file played perfectly in mplayer.
Whiteboard: MGA6TOO MGA7-64-OK => MGA6TOO MGA6-64-OK MGA7-64-OK
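Added example, not part of the original thread and not WavPack or Mageia tooling: a shell harness for the before/after reproducer check in the comment above. It separates a crash (process killed by a signal, as in the "Floating point exception (core dumped)" result) from a clean rejection. The function names are hypothetical, and it assumes the tool exits non-zero when it refuses a file.

```shell
#!/bin/sh
# Added example. Assumption: the tool under test exits non-zero when it
# rejects an input cleanly. classify_run and check_pocs are hypothetical names.

# classify_run CMD [ARGS...]
# Prints one verdict for how the command ended:
#   ACCEPTED   exit status 0
#   REJECTED   ordinary non-zero exit (the tool refused the input)
#   CRASH:N    killed by signal N (the shell reports 128+N; 8 is SIGFPE)
#   NOT-RUN    126/127: the tool could not be executed at all
classify_run() {
    status=0
    # stdin from /dev/null so an "overwrite?" prompt cannot block the run
    "$@" </dev/null >/dev/null 2>&1 || status=$?
    if [ "$status" -eq 0 ]; then
        echo "ACCEPTED"
    elif [ "$status" -eq 126 ] || [ "$status" -eq 127 ]; then
        echo "NOT-RUN"
    elif [ "$status" -gt 128 ]; then
        echo "CRASH:$((status - 128))"
    else
        echo "REJECTED"
    fi
}

# check_pocs TOOL FILE...
# Prints one verdict line per file and returns 1 if any run crashed or the
# tool could not be started, so a missing package never counts as a pass.
check_pocs() {
    tool=$1; shift
    failed=0
    for f in "$@"; do
        verdict=$(classify_run "$tool" "$f")
        printf '%-10s %s\n' "$verdict" "$f"
        case $verdict in
            CRASH:*|NOT-RUN) failed=1 ;;
        esac
    done
    return "$failed"
}

# Usage with the reproducer names from the comment above (files not included):
#   check_pocs wavpack divzero.wav uninit-caff.wav \
#       uninit-config.wav uninit-divzero-waveheader.wav
```

An exit status only exposes the crash case; the uninitialized-read reproducers still need the valgrind runs shown in the comment.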
Keywords: (none) => advisory, validated_update
CC: (none) => tmb, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0230.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0231.html