Security update for wavpack SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:0153-1 Final 1 1 2021-01-24T17:22:03Z current 2021-01-24T17:22:03Z 2021-01-24T17:22:03Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for wavpack This update for wavpack fixes the following issues: - Update to version 5.4.0 * CVE-2020-35738: Fixed an out-of-bounds write in WavpackPackSamples (bsc#1180414) * fixed: disable A32 asm code when building for Apple silicon * fixed: issues with Adobe-style floating-point WAV files * added: --normalize-floats option to wvunpack for correctly exporting un-normalized floating-point files - Update to version 5.3.0 * fixed: OSS-Fuzz issues 19925, 19928, 20060, 20448 * fixed: trailing garbage characters on imported ID3v2 TXXX tags * fixed: various minor undefined behavior and memory access issues * fixed: sanitize tag extraction names for length and path inclusion * improved: reformat wvunpack 'help' and split into long + short versions * added: regression testing to Travis CI for OSS-Fuzz crashers - Updated to version 5.2.0 *fixed: potential security issues including the following CVEs: CVE-2018-19840, CVE-2018-19841, CVE-2018-10536 (bsc#1091344), CVE-2018-10537 (bsc#1091343) CVE-2018-10538 (bsc#1091342), CVE-2018-10539 (bsc#1091341), CVE-2018-10540 (bsc#1091340), CVE-2018-7254, CVE-2018-7253, CVE-2018-6767, CVE-2019-11498 and CVE-2019-1010319 * added: support for CMake, Travis CI, and Google's OSS-fuzz * fixed: use correction file for encode verify (pipe input, Windows) * fixed: correct WAV header with actual length (pipe input, -i option) * fixed: thumb interworking and not needing v6 architecture (ARM asm) * added: handle more ID3v2.3 tag items and from all file types * fixed: coredump on Sparc64 (changed MD5 implementation) * fixed: handle invalid ID3v2.3 tags from sacd-ripper * fixed: several corner-case memory leaks This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-153 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EK4DH6BBB2WPBM677O7MFUOO5UBKUW37/ E-Mail link for openSUSE-SU-2021:0153-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1091340 SUSE Bug 1091340 https://bugzilla.suse.com/1091341 SUSE Bug 1091341 https://bugzilla.suse.com/1091342 SUSE Bug 1091342 https://bugzilla.suse.com/1091343 SUSE Bug 1091343 https://bugzilla.suse.com/1091344 SUSE Bug 1091344 https://bugzilla.suse.com/1180414 SUSE Bug 1180414 https://www.suse.com/security/cve/CVE-2018-10536/ SUSE CVE CVE-2018-10536 page https://www.suse.com/security/cve/CVE-2018-10537/ SUSE CVE CVE-2018-10537 page https://www.suse.com/security/cve/CVE-2018-10538/ SUSE CVE CVE-2018-10538 page https://www.suse.com/security/cve/CVE-2018-10539/ SUSE CVE CVE-2018-10539 page https://www.suse.com/security/cve/CVE-2018-10540/ SUSE CVE CVE-2018-10540 page https://www.suse.com/security/cve/CVE-2018-19840/ SUSE CVE CVE-2018-19840 page https://www.suse.com/security/cve/CVE-2018-19841/ SUSE CVE CVE-2018-19841 page https://www.suse.com/security/cve/CVE-2018-6767/ SUSE CVE CVE-2018-6767 page https://www.suse.com/security/cve/CVE-2018-7253/ SUSE CVE CVE-2018-7253 page https://www.suse.com/security/cve/CVE-2018-7254/ SUSE CVE CVE-2018-7254 page https://www.suse.com/security/cve/CVE-2019-1010319/ SUSE CVE CVE-2019-1010319 page https://www.suse.com/security/cve/CVE-2019-11498/ SUSE CVE CVE-2019-11498 page https://www.suse.com/security/cve/CVE-2020-35738/ SUSE CVE CVE-2020-35738 page openSUSE Leap 15.2 libwavpack1-5.4.0-lp152.7.3.1 libwavpack1-32bit-5.4.0-lp152.7.3.1 wavpack-5.4.0-lp152.7.3.1 wavpack-devel-5.4.0-lp152.7.3.1 libwavpack1-5.4.0-lp152.7.3.1 as a component of openSUSE Leap 15.2 libwavpack1-32bit-5.4.0-lp152.7.3.1 as a component of openSUSE Leap 15.2 wavpack-5.4.0-lp152.7.3.1 as a component of openSUSE Leap 15.2 wavpack-devel-5.4.0-lp152.7.3.1 as a component of openSUSE Leap 15.2 An issue was discovered in WavPack 5.1.0 and earlier. The WAV parser component contains a vulnerability that allows writing to memory because ParseRiffHeaderConfig in riff.c does not reject multiple format chunks. CVE-2018-10536 openSUSE Leap 15.2:libwavpack1-32bit-5.4.0-lp152.7.3.1 openSUSE Leap 15.2:libwavpack1-5.4.0-lp152.7.3.1 openSUSE Leap 15.2:wavpack-5.4.0-lp152.7.3.1 openSUSE Leap 15.2:wavpack-devel-5.4.0-lp152.7.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EK4DH6BBB2WPBM677O7MFUOO5UBKUW37/ https://www.suse.com/security/cve/CVE-2018-10536.html CVE-2018-10536 https://bugzilla.suse.com/1091344 SUSE Bug 1091344 An issue was discovered in WavPack 5.1.0 and earlier. The W64 parser component contains a vulnerability that allows writing to memory because ParseWave64HeaderConfig in wave64.c does not reject multiple format chunks. CVE-2018-10537 openSUSE Leap 15.2:libwavpack1-32bit-5.4.0-lp152.7.3.1 openSUSE Leap 15.2:libwavpack1-5.4.0-lp152.7.3.1 openSUSE Leap 15.2:wavpack-5.4.0-lp152.7.3.1 openSUSE Leap 15.2:wavpack-devel-5.4.0-lp152.7.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EK4DH6BBB2WPBM677O7MFUOO5UBKUW37/ https://www.suse.com/security/cve/CVE-2018-10537.html CVE-2018-10537 https://bugzilla.suse.com/1091343 SUSE Bug 1091343 An issue was discovered in WavPack 5.1.0 and earlier for WAV input. Out-of-bounds writes can occur because ParseRiffHeaderConfig in riff.c does not validate the sizes of unknown chunks before attempting memory allocation, related to a lack of integer-overflow protection within a bytes_to_copy calculation and subsequent malloc call, leading to insufficient memory allocation. CVE-2018-10538 openSUSE Leap 15.2:libwavpack1-32bit-5.4.0-lp152.7.3.1 openSUSE Leap 15.2:libwavpack1-5.4.0-lp152.7.3.1 openSUSE Leap 15.2:wavpack-5.4.0-lp152.7.3.1 openSUSE Leap 15.2:wavpack-devel-5.4.0-lp152.7.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EK4DH6BBB2WPBM677O7MFUOO5UBKUW37/ https://www.suse.com/security/cve/CVE-2018-10538.html CVE-2018-10538 https://bugzilla.suse.com/1091342 SUSE Bug 1091342 An issue was discovered in WavPack 5.1.0 and earlier for DSDiff input. Out-of-bounds writes can occur because ParseDsdiffHeaderConfig in dsdiff.c does not validate the sizes of unknown chunks before attempting memory allocation, related to a lack of integer-overflow protection within a bytes_to_copy calculation and subsequent malloc call, leading to insufficient memory allocation. CVE-2018-10539 openSUSE Leap 15.2:libwavpack1-32bit-5.4.0-lp152.7.3.1 openSUSE Leap 15.2:libwavpack1-5.4.0-lp152.7.3.1 openSUSE Leap 15.2:wavpack-5.4.0-lp152.7.3.1 openSUSE Leap 15.2:wavpack-devel-5.4.0-lp152.7.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EK4DH6BBB2WPBM677O7MFUOO5UBKUW37/ https://www.suse.com/security/cve/CVE-2018-10539.html CVE-2018-10539 https://bugzilla.suse.com/1091341 SUSE Bug 1091341 An issue was discovered in WavPack 5.1.0 and earlier for W64 input. Out-of-bounds writes can occur because ParseWave64HeaderConfig in wave64.c does not validate the sizes of unknown chunks before attempting memory allocation, related to a lack of integer-overflow protection within a bytes_to_copy calculation and subsequent malloc call, leading to insufficient memory allocation. CVE-2018-10540 openSUSE Leap 15.2:libwavpack1-32bit-5.4.0-lp152.7.3.1 openSUSE Leap 15.2:libwavpack1-5.4.0-lp152.7.3.1 openSUSE Leap 15.2:wavpack-5.4.0-lp152.7.3.1 openSUSE Leap 15.2:wavpack-devel-5.4.0-lp152.7.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EK4DH6BBB2WPBM677O7MFUOO5UBKUW37/ https://www.suse.com/security/cve/CVE-2018-10540.html CVE-2018-10540 https://bugzilla.suse.com/1091340 SUSE Bug 1091340 The function WavpackPackInit in pack_utils.c in libwavpack.a in WavPack through 5.1.0 allows attackers to cause a denial-of-service (resource exhaustion caused by an infinite loop) via a crafted wav audio file because WavpackSetConfiguration64 mishandles a sample rate of zero. CVE-2018-19840 openSUSE Leap 15.2:libwavpack1-32bit-5.4.0-lp152.7.3.1 openSUSE Leap 15.2:libwavpack1-5.4.0-lp152.7.3.1 openSUSE Leap 15.2:wavpack-5.4.0-lp152.7.3.1 openSUSE Leap 15.2:wavpack-devel-5.4.0-lp152.7.3.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EK4DH6BBB2WPBM677O7MFUOO5UBKUW37/ https://www.suse.com/security/cve/CVE-2018-19840.html CVE-2018-19840 https://bugzilla.suse.com/1120930 SUSE Bug 1120930 The function WavpackVerifySingleBlock in open_utils.c in libwavpack.a in WavPack through 5.1.0 allows attackers to cause a denial-of-service (out-of-bounds read and application crash) via a crafted WavPack Lossless Audio file, as demonstrated by wvunpack. CVE-2018-19841 openSUSE Leap 15.2:libwavpack1-32bit-5.4.0-lp152.7.3.1 openSUSE Leap 15.2:libwavpack1-5.4.0-lp152.7.3.1 openSUSE Leap 15.2:wavpack-5.4.0-lp152.7.3.1 openSUSE Leap 15.2:wavpack-devel-5.4.0-lp152.7.3.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EK4DH6BBB2WPBM677O7MFUOO5UBKUW37/ https://www.suse.com/security/cve/CVE-2018-19841.html CVE-2018-19841 https://bugzilla.suse.com/1120929 SUSE Bug 1120929 A stack-based buffer over-read in the ParseRiffHeaderConfig function of cli/riff.c file of WavPack 5.1.0 allows a remote attacker to cause a denial-of-service attack or possibly have unspecified other impact via a maliciously crafted RF64 file. CVE-2018-6767 openSUSE Leap 15.2:libwavpack1-32bit-5.4.0-lp152.7.3.1 openSUSE Leap 15.2:libwavpack1-5.4.0-lp152.7.3.1 openSUSE Leap 15.2:wavpack-5.4.0-lp152.7.3.1 openSUSE Leap 15.2:wavpack-devel-5.4.0-lp152.7.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EK4DH6BBB2WPBM677O7MFUOO5UBKUW37/ https://www.suse.com/security/cve/CVE-2018-6767.html CVE-2018-6767 https://bugzilla.suse.com/1079746 SUSE Bug 1079746 The ParseDsdiffHeaderConfig function of the cli/dsdiff.c file of WavPack 5.1.0 allows a remote attacker to cause a denial-of-service (heap-based buffer over-read) or possibly overwrite the heap via a maliciously crafted DSDIFF file. CVE-2018-7253 openSUSE Leap 15.2:libwavpack1-32bit-5.4.0-lp152.7.3.1 openSUSE Leap 15.2:libwavpack1-5.4.0-lp152.7.3.1 openSUSE Leap 15.2:wavpack-5.4.0-lp152.7.3.1 openSUSE Leap 15.2:wavpack-devel-5.4.0-lp152.7.3.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EK4DH6BBB2WPBM677O7MFUOO5UBKUW37/ https://www.suse.com/security/cve/CVE-2018-7253.html CVE-2018-7253 https://bugzilla.suse.com/1081692 SUSE Bug 1081692 The ParseCaffHeaderConfig function of the cli/caff.c file of WavPack 5.1.0 allows a remote attacker to cause a denial-of-service (global buffer over-read), or possibly trigger a buffer overflow or incorrect memory allocation, via a maliciously crafted CAF file. CVE-2018-7254 openSUSE Leap 15.2:libwavpack1-32bit-5.4.0-lp152.7.3.1 openSUSE Leap 15.2:libwavpack1-5.4.0-lp152.7.3.1 openSUSE Leap 15.2:wavpack-5.4.0-lp152.7.3.1 openSUSE Leap 15.2:wavpack-devel-5.4.0-lp152.7.3.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EK4DH6BBB2WPBM677O7MFUOO5UBKUW37/ https://www.suse.com/security/cve/CVE-2018-7254.html CVE-2018-7254 https://bugzilla.suse.com/1081693 SUSE Bug 1081693 WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable. The impact is: Unexpected control flow, crashes, and segfaults. The component is: ParseWave64HeaderConfig (wave64.c:211). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/33a0025d1d63ccd05d9dbaa6923d52b1446a62fe. CVE-2019-1010319 openSUSE Leap 15.2:libwavpack1-32bit-5.4.0-lp152.7.3.1 openSUSE Leap 15.2:libwavpack1-5.4.0-lp152.7.3.1 openSUSE Leap 15.2:wavpack-5.4.0-lp152.7.3.1 openSUSE Leap 15.2:wavpack-devel-5.4.0-lp152.7.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EK4DH6BBB2WPBM677O7MFUOO5UBKUW37/ https://www.suse.com/security/cve/CVE-2019-1010319.html CVE-2019-1010319 https://bugzilla.suse.com/1141334 SUSE Bug 1141334 WavpackSetConfiguration64 in pack_utils.c in libwavpack.a in WavPack through 5.1.0 has a "Conditional jump or move depends on uninitialised value" condition, which might allow attackers to cause a denial of service (application crash) via a DFF file that lacks valid sample-rate data. CVE-2019-11498 openSUSE Leap 15.2:libwavpack1-32bit-5.4.0-lp152.7.3.1 openSUSE Leap 15.2:libwavpack1-5.4.0-lp152.7.3.1 openSUSE Leap 15.2:wavpack-5.4.0-lp152.7.3.1 openSUSE Leap 15.2:wavpack-devel-5.4.0-lp152.7.3.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EK4DH6BBB2WPBM677O7MFUOO5UBKUW37/ https://www.suse.com/security/cve/CVE-2019-11498.html CVE-2019-11498 https://bugzilla.suse.com/1133384 SUSE Bug 1133384 WavPack 5.3.0 has an out-of-bounds write in WavpackPackSamples in pack_utils.c because of an integer overflow in a malloc argument. NOTE: some third-parties claim that there are later "unofficial" releases through 5.3.2, which are also affected. CVE-2020-35738 openSUSE Leap 15.2:libwavpack1-32bit-5.4.0-lp152.7.3.1 openSUSE Leap 15.2:libwavpack1-5.4.0-lp152.7.3.1 openSUSE Leap 15.2:wavpack-5.4.0-lp152.7.3.1 openSUSE Leap 15.2:wavpack-devel-5.4.0-lp152.7.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EK4DH6BBB2WPBM677O7MFUOO5UBKUW37/ https://www.suse.com/security/cve/CVE-2020-35738.html CVE-2020-35738 https://bugzilla.suse.com/1180414 SUSE Bug 1180414