
Bug 672638 (CVE-2018-19840, CVE-2018-19841, CVE-2019-11498)

Summary: <media-sound/wavpack-5.3.2: Multiple vulnerabilities (CVE-2018-{19840,19841}, CVE-2019-11498)
Product: Gentoo Security Reporter: Vlad K. <vk-gentoo-bugs>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: ajak, sound
Priority: Normal Flags: nattka: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/dbry/WavPack/issues?q=53+or+54
See Also: https://github.com/gentoo/gentoo/pull/16621
Whiteboard: B3 [glsa+ cve]
Package list:
media-sound/wavpack-5.3.2
Runtime testing required: ---

Description Vlad K. 2018-12-06 17:33:32 UTC
* CVE-2018-19840

  https://github.com/dbry/WavPack/issues/53
  
  "The function WavpackPackInit in pack_utils.c in libwavpack.a in WavPack
  through 5.1.0 allows attackers to cause a denial-of-service (resource
  exhaustion caused by an infinite loop) via a crafted wav audio file because
  WavpackSetConfiguration64 mishandles a sample rate of zero." -- CVE listing
  

* CVE-2018-19841

  https://github.com/dbry/WavPack/issues/54
  
  "The function WavpackVerifySingleBlock in open_utils.c in libwavpack.a in
  WavPack through 5.1.0 allows attackers to cause a denial-of-service
  (out-of-bounds read and application crash) via a crafted WavPack Lossless
  Audio file, as demonstrated by wvunpack." -- CVE listing
Comment 1 Vlad K. 2018-12-06 17:42:56 UTC
The linked issues contain upstream patches/fixes, though there's no new upstream release; I missed adding them in the original post above.

* Issue 53, CVE-2018-19840:

  https://github.com/dbry/WavPack/commit/070ef6f138956d9ea9612e69586152339dbefe51


* Issue 54, CVE-2018-19841

  https://github.com/dbry/WavPack/commit/bba5389dc598a92bdf2b297c3ea34620b6679b5b


--
Gentoo Security Scout
Vladimir Krstulja
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2019-04-27 20:26:48 UTC
Maintainer(s), please take a look. Fixed by Debian in media-sound/wavpack - 5.1.0-5
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-15 22:08:27 UTC
(In reply to Yury German from comment #2)
> Maintainer(s), please take a look. Fixed by Debian in media-sound/wavpack -
> 5.1.0-5

Patches from linked issues:
https://github.com/dbry/WavPack/commit/bba5389dc598a92bdf2b297c3ea34620b6679b5b
https://github.com/dbry/WavPack/commit/070ef6f138956d9ea9612e69586152339dbefe51

@maintainers: can you apply these or bump ebuild? (5.2.0 looks like it may fix others too).
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2020-04-23 21:39:41 UTC
CVE-2019-11498 (https://nvd.nist.gov/vuln/detail/CVE-2019-11498):
  WavpackSetConfiguration64 in pack_utils.c in libwavpack.a in WavPack through
  5.1.0 has a "Conditional jump or move depends on uninitialised value"
  condition, which might allow attackers to cause a denial of service
  (application crash) via a DFF file that lacks valid sample-rate data.
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-07-06 23:49:11 UTC
(In reply to GLSAMaker/CVETool Bot from comment #4)
> CVE-2019-11498 (https://nvd.nist.gov/vuln/detail/CVE-2019-11498):
>   WavpackSetConfiguration64 in pack_utils.c in libwavpack.a in WavPack through
>   5.1.0 has a "Conditional jump or move depends on uninitialised value"
>   condition, which might allow attackers to cause a denial of service
>   (application crash) via a DFF file that lacks valid sample-rate data.

Patch: https://github.com/dbry/WavPack/commit/bc6cba3f552c44565f7f1e66dc1580189addb2b4

This patch and the others are all in 5.2 onward.
Comment 6 Larry the Git Cow gentoo-dev 2020-07-20 18:24:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c776c386637618b5b9f951d6a13251b7200bf9ef

commit c776c386637618b5b9f951d6a13251b7200bf9ef
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-07-07 00:20:15 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-20 18:24:41 +0000

    media-sound/wavpack: Security bump to 5.3.2
    
    This also fixes tests. Previously `make check` successfully executed
    but didn't run any tests.
    
    Bug: https://bugs.gentoo.org/672638
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Signed-off-by: Sam James <sam@gentoo.org>

 media-sound/wavpack/Manifest             |  1 +
 media-sound/wavpack/wavpack-5.3.2.ebuild | 45 ++++++++++++++++++++++++++++++++
 2 files changed, 46 insertions(+)
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-23 13:05:34 UTC
arm stable
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-23 13:34:13 UTC
arm64 stable
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-23 22:01:05 UTC
amd64 stable
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-24 06:37:59 UTC
sparc stable
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-24 06:40:54 UTC
ppc{,64} stable
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-24 21:53:40 UTC
x86 stable. Please cleanup.
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-26 15:20:22 UTC
GLSA vote: yes
Comment 14 Larry the Git Cow gentoo-dev 2020-07-26 23:50:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e2e68905da8b5386264e1f66551494b75a63f1c4

commit e2e68905da8b5386264e1f66551494b75a63f1c4
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-07-26 23:49:29 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-07-26 23:49:29 +0000

    media-sound/wavpack: security cleanup
    
    Bug: https://bugs.gentoo.org/672638
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 media-sound/wavpack/Manifest                |  1 -
 media-sound/wavpack/wavpack-5.1.0-r1.ebuild | 41 -----------------------------
 2 files changed, 42 deletions(-)
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2020-07-27 00:04:07 UTC
This issue was resolved and addressed in
 GLSA 202007-19 at https://security.gentoo.org/glsa/202007-19
by GLSA coordinator Sam James (sam_c).