Bug#932060: marked as done (wavpack: CVE-2019-1010317)


Debian Bug Tracking System
Your message dated Sun, 14 Jul 2019 19:35:20 +0000
with message-id <[hidden email]>
and subject line Bug#932060: fixed in wavpack 5.1.0-7
has caused the Debian Bug report #932060,
regarding wavpack: CVE-2019-1010317
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [hidden email]
immediately.)


--
932060: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932060
Debian Bug Tracking System
Contact [hidden email] with problems

Source: wavpack
Version: 5.1.0-6
Severity: important
Tags: security upstream
Forwarded: https://github.com/dbry/WavPack/issues/66

Hi,

The following vulnerability was published for wavpack.

CVE-2019-1010317[0]:
| WavPack 5.1.0 and earlier is affected by: CWE-457: Use of
| Uninitialized Variable. The impact is: Unexpected control flow,
| crashes, and segfaults. The component is: ParseCaffHeaderConfig
| (caff.c:486). The attack vector is: Maliciously crafted .wav file. The
| fixed version is: After commit https://github.com/dbry/WavPack/commit/
| f68a9555b548306c5b1ee45199ccdc4a16a6101b.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-1010317
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010317
[1] https://github.com/dbry/WavPack/issues/66
[2] https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
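The CWE-457 pattern the report describes, as an added illustration in C that is constructed here and is not WavPack's caff.c or the upstream fix: a chunk-walking header parser only fills its format struct while handling one particular chunk, so a crafted file that never carries that chunk would otherwise hand back stack garbage; the presence flag is the defensive check that rejects such a file. The chunk layout, chunk names, field widths and sample headers are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed illustration, not WavPack's caff.c: a minimal walker over a
 * CAF-style chunk list where "desc" carries the format and "data" ends the
 * header. Assumed chunk layout: 4-byte type, 4-byte big-endian length, payload. */
typedef struct { uint32_t sample_rate, channels, bits_per_sample; } audio_config;

static uint32_t rd32be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns 0 and fills *cfg, or -1 for a malformed or incomplete header.
 * CWE-457 pattern: local is only assigned while handling "desc", so reaching
 * "data" without a "desc" chunk must be rejected, not copied into *cfg. */
static int parse_caf_header(const uint8_t *buf, size_t len, audio_config *cfg)
{
    audio_config local;
    int have_desc = 0;
    size_t pos = 0;
    while (len - pos >= 8) {
        uint32_t clen = rd32be(buf + pos + 4);
        const uint8_t *payload = buf + pos + 8;
        if (clen > len - pos - 8)        /* declared length runs past the buffer */
            return -1;
        if (memcmp(buf + pos, "desc", 4) == 0 && clen >= 12) {
            local.sample_rate = rd32be(payload);
            local.channels = rd32be(payload + 4);
            local.bits_per_sample = rd32be(payload + 8);
            have_desc = 1;
        } else if (memcmp(buf + pos, "data", 4) == 0) {
            if (!have_desc)              /* reject rather than use uninitialized values */
                return -1;
            *cfg = local;
            return 0;
        }
        pos += 8 + (size_t)clen;
    }
    return -1;                           /* ran out of bytes before "data" */
}

/* Constructed sample headers: one well-formed, one with the "desc" chunk missing. */
static const uint8_t good_hdr[] = { 'd','e','s','c', 0,0,0,12, 0,0,0xAC,0x44,
                                    0,0,0,2, 0,0,0,16, 'd','a','t','a', 0,0,0,0 };
static const uint8_t no_desc_hdr[] = { 'f','r','e','e', 0,0,0,2, 0,0, 'd','a','t','a', 0,0,0,0 };
static long parse_good_rate(void)        /* sample_rate from good_hdr, or -1 */
{ audio_config c; return parse_caf_header(good_hdr, sizeof good_hdr, &c) ? -1 : (long)c.sample_rate; }
static int parse_no_desc(void)           /* -1: rejected before any config field is read */
{ audio_config c; return parse_caf_header(no_desc_hdr, sizeof no_desc_hdr, &c); }
```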

Source: wavpack
Source-Version: 5.1.0-7

We believe that the bug you reported is fixed in the latest version of
wavpack, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [hidden email],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Ramacher <[hidden email]> (supplier of updated wavpack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [hidden email])



Format: 1.8
Date: Sun, 14 Jul 2019 21:10:51 +0200
Source: wavpack
Architecture: source
Version: 5.1.0-7
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <[hidden email]>
Changed-By: Sebastian Ramacher <[hidden email]>
Closes: 932060 932061
Changes:
 wavpack (5.1.0-7) unstable; urgency=medium
 .
   * debian/patches: Cherry-pick upstream patches to fix use of uninitialized
     values. (CVE-2019-1010317, CVE-2019-1010319) (Closes: #932060, #932061)
   * debian/: Bump debhelper compat to 12.
   * debian/control: Bump Standards-Version.
