openSUSE has issued an advisory today (March 28):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MA3ZHJ2SJ5F7RD4MVUADLVJ2VXDS4AOS/

Mageia 8 is also affected.
Status comment: (none) => Patches available from upstream and openSUSE
Whiteboard: (none) => MGA8TOO
This SRPM has been maintained by various packagers, so assigning this globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix a security vulnerability:

An out of bounds read was found in Wavpack 5.4.0 in processing *.WAV files. This issue triggered in function WavpackPackSamples of file src/pack_utils.c, tainted variable cnt is too large, that makes pointer sptr read beyond heap bound. (CVE-2021-44269)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44269
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MA3ZHJ2SJ5F7RD4MVUADLVJ2VXDS4AOS/
========================

Updated packages in core/updates_testing:
========================
lib(64)wavpack1-5.3.2-2.1.mga8
lib(64)wavpack-devel-5.3.2-2.1.mga8
wavpack-5.3.2-2.1.mga8

from SRPM:
wavpack-5.3.2-2.1.mga8.src.rpm
Source RPM: wavpack-5.4.0-2.mga9.src.rpm => wavpack-5.3.2-2.mga8.src.rpm
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
CVE: (none) => CVE-2021-44269
Whiteboard: MGA8TOO => (none)
Status comment: Patches available from upstream and openSUSE => (none)
Version: Cauldron => 8
CC: (none) => nicolas.salguero
Investigated the PoC but not sure of how to test it. Apparently, only the cli program is affected.

CVE-2021-44269
https://github.com/dbry/WavPack/issues/110

$ unzip crash.zip
$ wavpack crash.wav
WAVPACK Hybrid Lossless Audio Compressor Linux Version 5.3.2
Copyright (c) 1998 - 2020 David Bryant. All Rights Reserved.
warning: DSF file has non-integer bytes/second!
Segmentation fault (core dumped)

After updating:
$ wavpack crash.wav
WAVPACK Hybrid Lossless Audio Compressor Linux Version 5.3.2
Copyright (c) 1998 - 2020 David Bryant. All Rights Reserved.
crash.wav is not a valid .DSF file!

Well and good.

Followed Brian's notes at bug 25265 for testing.

$ wavpack BoarsHeadCarol.wav
WAVPACK Hybrid Lossless Audio Compressor Linux Version 5.3.2
Copyright (c) 1998 - 2020 David Bryant. All Rights Reserved.
created BoarsHeadCarol.wv in 0.22 secs (lossless, 39.69%)

The wv output file sounded fine with mplayer. Copied it to a test directory and unpacked it there.

$ wvunpack BoarsHeadCarol.wv
WVUNPACK Hybrid Lossless Audio Decompressor Linux Version 5.3.2
Copyright (c) 1998 - 2020 David Bryant. All Rights Reserved.
restored BoarsHeadCarol.wav in 0.20 secs (lossless, 39.69%)

The restored file was exactly the same size as the original and played fine. As Brian noted, the wvtag utility does not supply any useful information.

$ wvgain *.wv
WVGAIN ReplayGain Scanner/Tagger for WavPack Linux Version 5.3.2
Copyright (c) 2005 - 2020 David Bryant. All Rights Reserved.
replaygain_track_gain = -5.18 dB
replaygain_track_peak = 0.988434

$ wvgain -c copy.wv
WVGAIN ReplayGain Scanner/Tagger for WavPack Linux Version 5.3.2
Copyright (c) 2005 - 2020 David Bryant. All Rights Reserved.
2 ReplayGain values cleaned

$ wvunpack copy.wv
restored copy.wav in 0.19 secs (lossless, 39.69%)

Difficult to detect any difference using mplayer. Anyway, this looks good.
CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK
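
The before/after check in the test report above can be scripted so the verdict comes from the exit status rather than from reading the terminal. This is an added example, not part of the original thread or of Mageia's QA tooling; the helper names classify_status and run_case are hypothetical, and it assumes the tool exits non-zero when it rejects a file (the thread does not show exit codes).

```shell
#!/bin/sh
# Added example: classify how a command-line tool handled an input file.
# classify_status and run_case are hypothetical helper names.

# classify_status STATUS -> prints "ok", "rejected" or "crash(signal N)"
classify_status() {
    status=$1
    if [ "$status" -gt 128 ]; then
        # POSIX shells report death by signal N as 128+N (SIGSEGV = 11 -> 139).
        echo "crash(signal $((status - 128)))"
    elif [ "$status" -ne 0 ]; then
        # Assumption: a clean refusal of a malformed file exits non-zero.
        echo "rejected"
    else
        echo "ok"
    fi
}

# run_case CMD [ARGS...] -> runs the command quietly and prints the verdict.
# The "|| status=$?" form keeps this usable under "set -e".
run_case() {
    status=0
    "$@" >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# Stand-alone use, e.g.:  sh classify.sh wavpack crash.wav
# A segfault such as the one shown in the report would print "crash(signal 11)".
if [ "$#" -gt 0 ]; then
    run_case "$@"
fi
```

A regression run passes when the PoC input no longer yields a crash verdict and a known-good file such as BoarsHeadCarol.wav still yields "ok".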
Validating. Advisory in Comment 2.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0125.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED