WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable. The impact is: Unexpected control flow, crashes, and segfaults. The component is: ParseCaffHeaderConfig (caff.c:486). The attack vector is: Maliciously crafted .wav file. Upstream Issue: https://github.com/dbry/WavPack/issues/66 Upstream Patch: https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b
Created mingw-wavpack tracking bugs for this issue: Affects: epel-7 [bug 1737748] Affects: fedora-all [bug 1737750] Created wavpack tracking bugs for this issue: Affects: fedora-all [bug 1737749]
When wavpack parses a a CAF file it doesn't properly validates whether a 'desc' chunck is present into CAF header. The lack of proper input validation lead to a further read from a uninitialized variable when trying to calculate the file data chunk size. This might cause confidentiality impact as the uninitialized variable contains data from stack, however the security impact for this flaw is very low as the improper read data is never exposed to an attacker.
Statement: This issue affects wavpack versions as shipped with Red Hat Enterprise Linux 8. The security impact for this flaw was calculated as 'Low' by the Red Hat Product Security Team. Previous Red Hat Enterprise Linux versions are not affected as wavpack shipped with it doesn't support CAF file format, which is needed to reach the code where the flaw resides at.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:1581 https://access.redhat.com/errata/RHSA-2020:1581
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-1010317