Bug 1704633 (CVE-2019-11498) - CVE-2019-11498 wavpack: Use of uninitialized variable in WavpackSetConfiguration64 leads to DoS
Summary: CVE-2019-11498 wavpack: Use of uninitialized variable in WavpackSetConfigurat...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-11498
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1704635 1704636 1704637 1707428 1707429
Blocks: 1704634
TreeView+ depends on / blocked
 
Reported: 2019-04-30 08:45 UTC by Dhananjay Arunesh
Modified: 2020-12-17 10:47 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-28 16:32:42 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:1581 0 None None None 2020-04-28 15:27:48 UTC

Description Dhananjay Arunesh 2019-04-30 08:45:30 UTC
WavpackSetConfiguration64 in pack_utils.c in libwavpack.a in WavPack through
5.1.0 has a "Conditional jump or move depends on uninitialised value" condition,
which might allow attackers to cause a denial of service (application crash) via
a DFF file that lacks valid sample-rate data.

Reference:
https://github.com/dbry/WavPack/issues/67

Upstream commit:
https://github.com/dbry/WavPack/commit/bc6cba3f552c44565f7f1e66dc1580189addb2b4

Comment 1 Dhananjay Arunesh 2019-04-30 08:47:30 UTC
Created mingw-wavpack tracking bugs for this issue:

Affects: fedora-all [bug 1704635]


Created wavpack tracking bugs for this issue:

Affects: fedora-all [bug 1704636]

Comment 2 Dhananjay Arunesh 2019-04-30 08:47:52 UTC
Created mingw-wavpack tracking bugs for this issue:

Affects: epel-7 [bug 1704637]

Comment 9 Marco Benatto 2019-05-07 14:12:44 UTC
When reading dsdiff format header WavPack expects the file to has sample rate information,
if sanple rate property is missing in the file to be compressed dsdiff parser doesn't initialize it with any value.
The uninitialized variable is used further when configuring the encoding engine which may lead to unexpected behavior.

Comment 11 errata-xmlrpc 2020-04-28 15:27:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1581 https://access.redhat.com/errata/RHSA-2020:1581

Comment 12 Product Security DevOps Team 2020-04-28 16:32:42 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-11498


Note You need to log in before you can comment on or make changes to this bug.