Ubuntu has issued an advisory on January 6: https://ubuntu.com/security/notices/USN-4682-1 Mageia 7 is also affected.
Status comment: (none) => Patch available from upstream and UbuntuWhiteboard: (none) => MGA7TOO
Fix pushed in mga 8
Version: Cauldron => 7CC: (none) => mageiaWhiteboard: MGA7TOO => (none)
Fixed in wavpack-5.3.2-2.mga8. Mageia 7 fix can be pulled from wavpack-5.1.0-2ubuntu1.5 for Ubuntu 18.04.
Assigning this to NicolasL as already dealing with it. CC'ing DavidG as another past committer.
Assignee: bugsquad => mageiaCC: (none) => geiger.david68210
Fedora has issued an advisory for this today (January 21): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2YZLKYE66EU4XRHTABV5LB2G7ZDZ422F/ The fix is upstream in 5.4.0.
Advisory: ======================== Updated wavpack packages fix security vulnerability: WavPack 5.3.0 has an out-of-bounds write in WavpackPackSamples in pack_utils.c because of an integer overflow in a malloc argument (CVE-2020-35738). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35738 https://ubuntu.com/security/notices/USN-4682-1 ======================== Updated packages in core/updates_testing: ======================== wavpack-5.1.0-4.2.mga7 libwavpack1-5.1.0-4.2.mga7 libwavpack-devel-5.1.0-4.2.mga7 from wavpack-5.1.0-4.2.mga7.src.rpm
Assignee: mageia => qa-bugsStatus comment: Patch available from upstream and Ubuntu => (none)
MGA7-64 Plasma on Lenovo B50 No installation issues Ref bug 22588 for test, so installed gstreamer1.0-wavpack as well. At CLI $ wavpack -h 02\ Zapfenstreich.wav -o Zapf WAVPACK Hybrid Lossless Audio Compressor Linux Version 5.1.0 Copyright (c) 1998 - 2017 David Bryant. All Rights Reserved. created Zapf.wv in 1.22 secs (lossless, 44.81%) The resulting Zapf.wv file plays OK and its size is 18.1 Mb compared to the original 32.8, which is 55.18292 % on my calculator, which fits the reported compression nicely. OK for me.
Whiteboard: (none) => MGA7-64-OKCC: (none) => herman.viaene
Validating. Advisory in Comment 5.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
Keywords: (none) => advisoryCC: (none) => ouaurelienCVE: (none) => CVE-2020-35738
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0271.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED