Bug 1737747 (CVE-2019-1010317) - CVE-2019-1010317 wavpack: Use of uninitialized variable in ParseCaffHeaderConfig leads to DoS
Summary: CVE-2019-1010317 wavpack: Use of uninitialized variable in ParseCaffHeaderCon...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-1010317
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1741252 1737748 1737749 1737750 1741251
Blocks: 1737752
TreeView+ depends on / blocked
 
Reported: 2019-08-06 07:18 UTC by Marian Rehak
Modified: 2020-04-28 16:33 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-28 16:33:42 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:1581 None None None 2020-04-28 15:27:53 UTC

Description Marian Rehak 2019-08-06 07:18:27 UTC
WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable. The impact is: Unexpected control flow, crashes, and segfaults. The component is: ParseCaffHeaderConfig (caff.c:486). The attack vector is: Maliciously crafted .wav file.

Upstream Issue:

https://github.com/dbry/WavPack/issues/66

Upstream Patch:

https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b

Comment 1 Marian Rehak 2019-08-06 07:19:10 UTC
Created mingw-wavpack tracking bugs for this issue:

Affects: epel-7 [bug 1737748]
Affects: fedora-all [bug 1737750]


Created wavpack tracking bugs for this issue:

Affects: fedora-all [bug 1737749]

Comment 6 Marco Benatto 2019-08-14 15:34:34 UTC
When wavpack parses a a CAF file it doesn't properly validates whether a 'desc' chunck is present into CAF header. The lack of proper input validation lead to a further read from a uninitialized variable when trying to calculate the file data chunk size. This might cause confidentiality impact as the uninitialized variable contains data from stack, however the security impact for this flaw is very low as the improper read data is never exposed to an attacker.

Comment 7 Marco Benatto 2019-08-14 15:37:02 UTC
Statement:

This issue affects wavpack versions as shipped with Red Hat Enterprise Linux 8. The security impact for this flaw was calculated as 'Low' by the Red Hat Product Security Team. Previous Red Hat Enterprise Linux versions are not affected as wavpack shipped with it doesn't support CAF file format, which is needed to reach the code where the flaw resides at.

Comment 8 errata-xmlrpc 2020-04-28 15:27:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1581 https://access.redhat.com/errata/RHSA-2020:1581

Comment 9 Product Security DevOps Team 2020-04-28 16:33:42 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-1010317


Note You need to log in before you can comment on or make changes to this bug.