Bug 1704633 (CVE-2019-11498)

Summary: CVE-2019-11498 wavpack: Use of uninitialized variable in WavpackSetConfiguration64 leads to DoS
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: lemenkov, mlichvar, rh-spice-bugs, valtri
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-28 16:32:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1704635, 1704636, 1704637, 1707428, 1707429    
Bug Blocks: 1704634    

Description Dhananjay Arunesh 2019-04-30 08:45:30 UTC 
WavpackSetConfiguration64 in pack_utils.c in libwavpack.a in WavPack through
5.1.0 has a "Conditional jump or move depends on uninitialised value" condition,
which might allow attackers to cause a denial of service (application crash) via
a DFF file that lacks valid sample-rate data.

Reference:
https://github.com/dbry/WavPack/issues/67

Upstream commit:
https://github.com/dbry/WavPack/commit/bc6cba3f552c44565f7f1e66dc1580189addb2b4
Comment 1 Dhananjay Arunesh 2019-04-30 08:47:30 UTC 
Created mingw-wavpack tracking bugs for this issue:

Affects: fedora-all [bug 1704635]


Created wavpack tracking bugs for this issue:

Affects: fedora-all [bug 1704636]
Comment 2 Dhananjay Arunesh 2019-04-30 08:47:52 UTC 
Created mingw-wavpack tracking bugs for this issue:

Affects: epel-7 [bug 1704637]
Comment 9 Marco Benatto 2019-05-07 14:12:44 UTC 
When reading dsdiff format header WavPack expects the file to has sample rate information,
if sanple rate property is missing in the file to be compressed dsdiff parser doesn't initialize it with any value.
The uninitialized variable is used further when configuring the encoding engine which may lead to unexpected behavior.
Comment 11 errata-xmlrpc 2020-04-28 15:27:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1581 https://access.redhat.com/errata/RHSA-2020:1581
Comment 12 Product Security DevOps Team 2020-04-28 16:32:42 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-11498