835081 – (CVE-2021-44269, CVE-2022-2476) <media-sound/wavpack-5.5.0: oob read

Bug 835081 (CVE-2021-44269, CVE-2022-2476) - <media-sound/wavpack-5.5.0: oob read

Summary: <media-sound/wavpack-5.5.0: oob read

Status:	RESOLVED FIXED

Alias:	CVE-2021-44269, CVE-2022-2476

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://github.com/dbry/WavPack/issue...
Whiteboard:	B3 [noglsa]
Keywords:

Depends on:	857852
Blocks:
	Show dependency tree

Reported:	2022-03-13 14:20 UTC by John Helmert III
Modified:	2022-07-20 00:58 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2022-03-13 14:20:51 UTC

CVE-2021-44269:

An out of bounds read was found in Wavpack 5.4.0 in processing *.WAV files. This issue triggered in function WavpackPackSamples of file src/pack_utils.c, tainted variable cnt is too large, that makes pointer sptr read beyond heap bound.

Patch: https://github.com/dbry/WavPack/commit/773f9d0803c6888ae7d5391878d7337f24216f4a

Comment 1 Larry the Git Cow gentoo-dev

2022-07-09 12:39:46 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c5ae33de3b6c7c8c78df1f7db8b4b0bf3f2d2b65

commit c5ae33de3b6c7c8c78df1f7db8b4b0bf3f2d2b65
Author:     David Seifert <soap@gentoo.org>
AuthorDate: 2022-07-09 12:39:18 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2022-07-09 12:39:18 +0000

    media-sound/wavpack: add 5.5.0
    
    Bug: https://bugs.gentoo.org/773955
    Bug: https://bugs.gentoo.org/835081
    Signed-off-by: David Seifert <soap@gentoo.org>

 media-sound/wavpack/Manifest             |  1 +
 media-sound/wavpack/wavpack-5.5.0.ebuild | 26 ++++++++++++++++++++++++++
 2 files changed, 27 insertions(+)

Comment 2 John Helmert III archtester

2022-07-09 15:17:24 UTC

Thanks! Please stable when ready

Comment 3 Larry the Git Cow gentoo-dev

2022-07-14 07:09:30 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=52d1f7a9200eb23cbbb584c0ba03f031a3a1734b

commit 52d1f7a9200eb23cbbb584c0ba03f031a3a1734b
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2022-07-14 07:09:19 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-07-14 07:09:19 +0000

    media-sound/wavpack: dropped obsolete 5.4.0
    
    Closes: https://bugs.gentoo.org/773955
    Bug: https://bugs.gentoo.org/835081
    Bug: https://bugs.gentoo.org/857852
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 media-sound/wavpack/Manifest             |  1 -
 media-sound/wavpack/wavpack-5.4.0.ebuild | 36 --------------------------------
 2 files changed, 37 deletions(-)

Comment 4 Miroslav Šulc gentoo-dev

2022-07-14 07:10:23 UTC

the tree is clean now, you can proceed

Comment 5 John Helmert III archtester

2022-07-15 00:03:40 UTC

Thanks! No apparent exploitability, no GLSA. All done!

Comment 6 John Helmert III archtester

2022-07-20 00:58:01 UTC

CVE-2022-2476 (https://github.com/dbry/WavPack/issues/121):

A null pointer dereference bug was found in wavpack-5.4.0 The results from the ASAN log: AddressSanitizer:DEADLYSIGNAL ===================================================================84257==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x561b47a970c6 bp 0x7fff13952fb0 sp 0x7fff1394fca0 T0) ==84257==The signal is caused by a WRITE memory access. ==84257==Hint: address points to the zero page. #0 0x561b47a970c5 in main cli/wvunpack.c:834 #1 0x7efc4f5c0082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) #2 0x561b47a945ed in _start (/usr/local/bin/wvunpack+0xa5ed) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV cli/wvunpack.c:834 in main ==84257==ABORTING