Bug 30713 - wavpack new security issue CVE-2022-2476
Summary: wavpack new security issue CVE-2022-2476
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-08-05 18:47 CEST by David Walser
Modified: 2022-08-20 12:05 CEST

See Also:
Source RPM: wavpack-5.4.0-3.mga9.src.rpm
CVE:
Status comment:


Description David Walser 2022-08-05 18:47:04 CEST
SUSE has issued an advisory today (August 5):
https://lists.suse.com/pipermail/sle-security-updates/2022-August/011810.html

The issue is fixed upstream in 5.5.0.

Mageia 8 is also affected.
David Walser 2022-08-05 18:47:14 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 5.5.0

Comment 2 Lewis Smith 2022-08-06 21:18:52 CEST
No particular packager in view for this, so reluctantly assigning it globally - another one.

Assignee: bugsquad => pkg-bugs

Comment 3 David Walser 2022-08-08 15:56:09 CEST
Updated packages uploaded for Mageia 8 and Cauldron by Nicolas.

libwavpack-devel-5.5.0-1.mga8
libwavpack1-5.5.0-1.mga8
wavpack-5.5.0-1.mga8

from wavpack-5.5.0-1.mga8.src.rpm

CC: (none) => mageia
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 5.5.0 => (none)

Comment 4 Len Lawrence 2022-08-16 12:37:19 CEST
Updated the three packages for Mageia 8, x86_64.
Followed lead set by Brian.
$ wavpack LammasTide.wav
 WAVPACK  Hybrid Lossless Audio Compressor  linux-gnu Version 5.5.0
 Copyright (c) 1998 - 2022 David Bryant.  All Rights Reserved.
created LammasTide.wv in 0.60 secs (lossless, 47.73%)

The packed wv file played fine in mplayer.  Size 52% of original.
Unpacked the file:
$ wvunpack LammasTide.wv
The restored file was exactly the same size as the original.

$ ls -l LammasTide.wv
-rw-r--r-- 1 lcl lcl 15927726 Aug 16 09:31 LammasTide.wv
$ wvgain LammasTide.wv
 WVGAIN  ReplayGain Scanner/Tagger for WavPack  linux-gnu Version 5.5.0
 Copyright (c) 2005 - 2022 David Bryant.  All Rights Reserved.
replaygain_track_gain = -3.45 dB                                
replaygain_track_peak = 0.853210                                
2 ReplayGain values appended                                
$ ls -l LammasTide.wv
-rw-r--r-- 1 lcl lcl 15927866 Aug 16 10:37 LammasTide.wv
mplayer OK with that but no difference to the ear.
$ wvtag -l LammasTide.wv
 WVTAG  WavPack Metadata Tagging Utility  linux-gnu Version 5.5.0
 Copyright (c) 2018 - 2022 David Bryant.  All Rights Reserved.

APEv2 tag items:   2 (140 bytes used)
replaygain_track_gain: -3.45 dB
replaygain_track_peak: 0.853210

140 bytes is the difference in size of the wv file before and afterwards.
$ wvtag -x replaygain_track_gain LammasTide.wv
 WVTAG  WavPack Metadata Tagging Utility  linux-gnu Version 5.5.0
 Copyright (c) 2018 - 2022 David Bryant.  All Rights Reserved.
-3.45 dB 
$ cp LammasTide.wv lammastide.wv
$ wvgain -s lammastide.wv
replaygain_track_gain = -3.45 dB
replaygain_track_peak = 0.853210
$ wvgain -c lammastide.wv
2 ReplayGain values cleaned                                
$ wvgain -s lammastide.wv
no ReplayGain values found

Leaving it there.  Seems to work alright.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 5 Thomas Andrews 2022-08-17 14:33:05 CEST
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-08-20 02:59:09 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2022-08-20 12:05:41 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0291.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

