Bug 1729418 (CVE-2019-1010315)

Summary: CVE-2019-1010315 wavpack: Divide by zero in ParseDsdiffHeaderConfig leads to crash
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: lemenkov, mlichvar, rh-spice-bugs, tkorbar, valtri
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-28 16:33:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1729419, 1729420, 1729421, 1733627, 1733628    
Bug Blocks: 1729422    

Description Marian Rehak 2019-07-12 08:43:01 UTC 
WavPack 5.1 and earlier in component ParseDsdiffHeaderConfig (dsdiff.c:282) has a Divide by Zero, leading to sudden crash of a software/service that tries to parse a maliciously crafted .wav file.

Upstream issue:

https://github.com/dbry/WavPack/issues/65

Upstream fix:

https://github.com/dbry/WavPack/commit/4c0faba32fddbd0745cbfaf1e1aeb3da5d35b9fc
Comment 1 Marian Rehak 2019-07-12 08:43:21 UTC 
Created mingw-wavpack tracking bugs for this issue:

Affects: epel-7 [bug 1729421]
Affects: fedora-all [bug 1729420]


Created wavpack tracking bugs for this issue:

Affects: fedora-all [bug 1729419]
Comment 7 Marco Benatto 2019-08-09 16:07:55 UTC 
Statement:

This issue affects WackPack version as shipped with Red Hat Enterprise Linux 8 and was classified with 'Low' security impact by Red Hat Product Security team.
Red Hat Enterprise Linux 6 and 7 are not affected as WavPack shipped with both system versions doesn't provide support for DSD files.
Comment 9 Marco Benatto 2019-08-09 18:25:31 UTC 
When parsing the dsdiff header the wavpack application tries to extract the number of channels the input file has, however this value is not validated before being used. This error can be exploited by crafting a special input file as the channel count will be used later causing a 'division by zero' error leading to DoS. It's a low impact security issue as requires user interaction and only the single run of wavpack will be affected.
Comment 10 Sergio Basto 2019-11-13 03:53:40 UTC 
Fedora package is fixed , nothing that I can do here
Comment 11 errata-xmlrpc 2020-04-28 15:27:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1581 https://access.redhat.com/errata/RHSA-2020:1581
Comment 12 Product Security DevOps Team 2020-04-28 16:33:23 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-1010315