Bug 1737747 (CVE-2019-1010317)

Summary: CVE-2019-1010317 wavpack: Use of uninitialized variable in ParseCaffHeaderConfig leads to DoS
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: lemenkov, mlichvar, rh-spice-bugs, tkorbar, valtri
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-28 16:33:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1737748, 1737749, 1737750, 1741251, 1741252    
Bug Blocks: 1737752    

Description Marian Rehak 2019-08-06 07:18:27 UTC 
WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable. The impact is: Unexpected control flow, crashes, and segfaults. The component is: ParseCaffHeaderConfig (caff.c:486). The attack vector is: Maliciously crafted .wav file.

Upstream Issue:

https://github.com/dbry/WavPack/issues/66

Upstream Patch:

https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b
Comment 1 Marian Rehak 2019-08-06 07:19:10 UTC 
Created mingw-wavpack tracking bugs for this issue:

Affects: epel-7 [bug 1737748]
Affects: fedora-all [bug 1737750]


Created wavpack tracking bugs for this issue:

Affects: fedora-all [bug 1737749]
Comment 6 Marco Benatto 2019-08-14 15:34:34 UTC 
When wavpack parses a a CAF file it doesn't properly validates whether a 'desc' chunck is present into CAF header. The lack of proper input validation lead to a further read from a uninitialized variable when trying to calculate the file data chunk size. This might cause confidentiality impact as the uninitialized variable contains data from stack, however the security impact for this flaw is very low as the improper read data is never exposed to an attacker.
Comment 7 Marco Benatto 2019-08-14 15:37:02 UTC 
Statement:

This issue affects wavpack versions as shipped with Red Hat Enterprise Linux 8. The security impact for this flaw was calculated as 'Low' by the Red Hat Product Security Team. Previous Red Hat Enterprise Linux versions are not affected as wavpack shipped with it doesn't support CAF file format, which is needed to reach the code where the flaw resides at.
Comment 8 errata-xmlrpc 2020-04-28 15:27:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1581 https://access.redhat.com/errata/RHSA-2020:1581
Comment 9 Product Security DevOps Team 2020-04-28 16:33:42 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-1010317