Bug 1737747 (CVE-2019-1010317) - CVE-2019-1010317 wavpack: use of uninitialized variable in ParseCaffHeaderConfig leads to DoS
Summary: CVE-2019-1010317 wavpack: use of uninitialized variable in ParseCaffHeaderCon...
Keywords:
Status: NEW
Alias: CVE-2019-1010317
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1741251 1741252 1737748 1737749 1737750
Blocks: 1737752
TreeView+ depends on / blocked
 
Reported: 2019-08-06 07:18 UTC by Marian Rehak
Modified: 2019-11-25 05:11 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Marian Rehak 2019-08-06 07:18:27 UTC
WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable. The impact is: Unexpected control flow, crashes, and segfaults. The component is: ParseCaffHeaderConfig (caff.c:486). The attack vector is: Maliciously crafted .wav file.

Upstream Issue:

https://github.com/dbry/WavPack/issues/66

Upstream Patch:

https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b

Comment 1 Marian Rehak 2019-08-06 07:19:10 UTC
Created mingw-wavpack tracking bugs for this issue:

Affects: epel-7 [bug 1737748]
Affects: fedora-all [bug 1737750]


Created wavpack tracking bugs for this issue:

Affects: fedora-all [bug 1737749]

Comment 6 Marco Benatto 2019-08-14 15:34:34 UTC
When wavpack parses a a CAF file it doesn't properly validates whether a 'desc' chunck is present into CAF header. The lack of proper input validation lead to a further read from a uninitialized variable when trying to calculate the file data chunk size. This might cause confidentiality impact as the uninitialized variable contains data from stack, however the security impact for this flaw is very low as the improper read data is never exposed to an attacker.

Comment 7 Marco Benatto 2019-08-14 15:37:02 UTC
Statement:

This issue affects wavpack versions as shipped with Red Hat Enterprise Linux 8. The security impact for this flaw was calculated as 'Low' by the Red Hat Product Security Team. Previous Red Hat Enterprise Linux versions are not affected as wavpack shipped with it doesn't support CAF file format, which is needed to reach the code where the flaw resides at.


Note You need to log in before you can comment on or make changes to this bug.