CVE-2018-19840
Published 2018-12-04
Priority: P4 · Severity: medium · CVSS 3.0 base score: 5.5
CVSS 3.0 vector: AV:L / AC:L / PR:N / UI:R / S:U / C:N / I:N / A:H
EPSS: 2.30% (81.2th percentile)
The function WavpackPackInit in pack_utils.c in libwavpack.a in WavPack through 5.1.0 allows attackers to cause a denial-of-service (resource exhaustion caused by an infinite loop) via a crafted wav audio file because WavpackSetConfiguration64 mishandles a sample rate of zero.
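The description above names the precondition (a WAV header whose sample-rate field is zero reaching WavpackSetConfiguration64) and the effect (a loop in WavpackPackInit that never terminates). The C below is an added example, not WavPack's own code: a small RIFF/WAVE "fmt " parser that rejects a zero sample rate or zero channel count at the input boundary, next to a block-size routine in the shape the advisory describes (start from the sample rate, double until a lower bound is met) with the guard that turns the infinite loop into an error return. The function names `parse_wav_fmt`, `choose_block_samples` and `build_wav_header`, the 150000/40000 bounds, and the sample headers are assumptions constructed for illustration, not values taken from pack_utils.c.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parsed "fmt " chunk fields (PCM subset). */
typedef struct {
    uint16_t format_tag;
    uint16_t num_channels;
    uint32_t sample_rate;
    uint16_t bits_per_sample;
} wav_fmt;

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16le(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Walk the RIFF chunk list and fill *out from the first "fmt " chunk.
 * Returns 0 on success, -1 for a malformed header, -2 for a header that
 * parses but carries a value no encoder should accept (sample rate or
 * channel count of zero). Rejecting here, before the value is handed to
 * the encoder, is the check the upstream fix adds on the library side. */
int parse_wav_fmt(const uint8_t *buf, size_t len, wav_fmt *out)
{
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "WAVE", 4) != 0)
        return -1;
    size_t pos = 12;
    while (pos + 8 <= len) {
        uint32_t csize = rd32le(buf + pos + 4);
        if (csize > len - pos - 8)          /* chunk runs past the buffer */
            return -1;
        if (memcmp(buf + pos, "fmt ", 4) == 0) {
            if (csize < 16)
                return -1;
            const uint8_t *f = buf + pos + 8;
            out->format_tag      = rd16le(f);
            out->num_channels    = rd16le(f + 2);
            out->sample_rate     = rd32le(f + 4);
            out->bits_per_sample = rd16le(f + 14);
            if (out->sample_rate == 0 || out->num_channels == 0)
                return -2;                  /* the CVE-2018-19840 precondition */
            return 0;
        }
        pos += 8 + csize + (csize & 1);     /* RIFF chunks are word-aligned */
    }
    return -1;                              /* no fmt chunk found */
}

/* Block-size selection modelled on the loop shape the advisory describes
 * (assumed bounds, not a copy of pack_utils.c): derive a starting block
 * length from the sample rate, halve while too large, double while too
 * small. With sample_rate == 0 the doubling loop adds 0 to 0 forever;
 * the explicit guard returns an error instead. */
int choose_block_samples(uint32_t sample_rate, uint16_t num_channels, uint32_t *out)
{
    if (sample_rate == 0 || num_channels == 0)
        return -1;
    uint64_t bs = (sample_rate % 2 == 0) ? sample_rate / 2 : sample_rate; /* 64-bit so doubling cannot wrap */
    while (bs * num_channels > 150000)
        bs /= 2;                /* cannot reach 0: bs == 1 gives at most 65535 */
    while (bs * num_channels < 40000)
        bs += bs;               /* terminates because bs >= 1 here */
    *out = (uint32_t)bs;
    return 0;
}

/* Constructed sample: a 36-byte RIFF/WAVE header with a 16-bit PCM fmt chunk
 * and no data chunk, enough to exercise the parser offline. */
size_t build_wav_header(uint32_t sample_rate, uint16_t channels, uint8_t *out)
{
    memcpy(out, "RIFF", 4);   wr32le(out + 4, 36);  memcpy(out + 8, "WAVE", 4);
    memcpy(out + 12, "fmt ", 4); wr32le(out + 16, 16);
    wr16le(out + 20, 1);                            /* WAVE_FORMAT_PCM */
    wr16le(out + 22, channels);
    wr32le(out + 24, sample_rate);
    wr32le(out + 28, sample_rate * channels * 2u);  /* byte rate */
    wr16le(out + 32, (uint16_t)(channels * 2u));    /* block align */
    wr16le(out + 34, 16);                           /* bits per sample */
    return 36;
}

int main(void)
{
    uint8_t hdr[36];
    wav_fmt fmt;
    uint32_t bs;
    size_t n = build_wav_header(44100, 2, hdr);
    int rc = parse_wav_fmt(hdr, n, &fmt);
    printf("44100 Hz stereo: parse rc=%d", rc);
    if (rc == 0 && choose_block_samples(fmt.sample_rate, fmt.num_channels, &bs) == 0)
        printf(", block_samples=%u", bs);
    printf("\n");
    n = build_wav_header(0, 2, hdr);
    printf("0 Hz: parse rc=%d (rejected before any loop runs)\n", parse_wav_fmt(hdr, n, &fmt));
    return 0;
}
```

The point of the two-layer check is that the library fix (WavpackSetConfiguration64 refusing a zero sample rate) and a caller-side validation are independent: a program linking an unpatched libwavpack.a still avoids the hang if it refuses the header itself, and a patched library still protects callers that forgot to.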
Affected (17 ranges indexed; identical rows shown once)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| debian | wavpack | < 5.1.0-5 (bookworm) | 5.1.0-5 (bookworm) |
| fedoraproject | fedora | — | — |
| opensuse | leap | — | — |
| wavpack | wavpack (upstream) | <= 5.1.0 | — |
| wavpack | wavpack | >= 0 < 5.1.0-5 | 5.1.0-5 |
| wavpack | wavpack | >= 0 < 4.70.0-1ubuntu0.2 | 4.70.0-1ubuntu0.2 |
| wavpack | wavpack | >= 0 < 4.75.2-2ubuntu0.2 | 4.75.2-2ubuntu0.2 |
| wavpack | wavpack | >= 0 < 5.1.0-2ubuntu1.2 | 5.1.0-2ubuntu1.2 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 5.5 | MEDIUM | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
| osv | — | 5.5 | MEDIUM | — |
| vendor_debian | — | 5.5 | MEDIUM | — |
| vendor_redhat | — | 5.5 | MEDIUM | — |
| vendor_ubuntu | — | 5.5 | MEDIUM | — |
Note the attack-vector disagreement between the two NVD vectors: v2 scores it as network-reachable (the crafted file may arrive over a network), while v3 scores it as local with user interaction required (someone must feed the file to the encoder). Both agree the only impact is availability.
GHSA
GHSA-5xqp-7g33-7hx3: The function WavpackPackInit in pack_utils (ghsa_unreviewed · 2022-05-13 · MEDIUM · CWE-835)
Description identical to the NVD text above.
OSV
wavpack vulnerabilities (osv · 2018-12-06 · CVSS 5.5 · MEDIUM)
It was discovered that WavPack incorrectly handled certain WAV files. An attacker could possibly use this issue to cause a denial of service. (CVE-2018-19840, CVE-2018-19841)
OSV
CVE-2018-19840: The function WavpackPackInit in pack_utils (osv · 2018-12-04 · CVSS 5.5 · MEDIUM)
Description identical to the NVD text above.
Ubuntu
WavPack vulnerabilities (vendor_ubuntu · 2018-12-06 · CVSS 5.5 · MEDIUM; USN-3839-1)
Summary: Several security issues were fixed in WavPack.
It was discovered that WavPack incorrectly handled certain WAV files. An attacker could possibly use this issue to cause a denial of service. (CVE-2018-19840, CVE-2018-19841)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
wavpack: Infinite loop in WavpackPackInit function leads to DoS (vendor_redhat · 2018-11-26 · CVSS 5.5 · MEDIUM · CWE-835)
Description identical to the NVD text above.
Statement: This issue affects the versions of wavpack as shipped with Red Hat Enterprise Linux 6 and 7.
Red Hat Enterprise Linux 6 is now in the Maintenance Support 2 Phase of its support and maintenance life cycle. This has been rated as having a security impact of Low and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/update
Debian
CVE-2018-19840: wavpack - The function WavpackPackInit in pack_utils.c in libwavpack.a in WavPack through ... (vendor_debian · 2018 · CVSS 5.5 · MEDIUM)
Description identical to the NVD text above.
Scope: local
bookworm: resolved (fixed in 5.1.0-5)
bullseye: resolved (fixed in 5.1.0-5)
forky: resolved (fixed in 5.1.0-5)
sid: resolved (fixed in 5.1.0-5)
trixie: resolved (fixed in 5.1.0-5)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2018-19840 wavpack: Infinite loop in WavpackPackInit function leads to DoS (bugzilla · 2018-12-21 · CVSS 5.5 · MEDIUM)
Description identical to the NVD text above.
Upstream issue: https://github.com/dbry/WavPack/issues/53
Upstream patch: https://github.com/dbry/WavPack/commit/070ef6f138956d9ea9612e69586152339dbefe51
Discussion:
Created mingw-wavpack tracking bugs for this issue:
Affects: epel-7 [bug 1661452]
Affects: fedora-all [bug 1661451]
Created wavpack tracking bugs for this issue:
Affects: fedora-all [bug 1661450]
---
Statement:
This issue affects the versions of wavpack as shipped
Bugzilla
CVE-2018-19840 CVE-2018-19841 wavpack: various flaws [fedora-all] (bugzilla · 2018-12-21 · CVSS 5.5 · MEDIUM)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora.
Bugzilla
CVE-2018-19840 CVE-2018-19841 mingw-wavpack: various flaws [epel-7] (bugzilla · 2018-12-21 · CVSS 5.5 · MEDIUM)
Automatically created tracking bug for mingw-wavpack on epel-7, with the same template text as the fedora-all tracking bug above.
Discussion:
Use the following template for the 'fedpkg update'
Bugzilla
CVE-2018-19840 CVE-2018-19841 mingw-wavpack: various flaws [fedora-all] (bugzilla · 2018-12-21 · CVSS 5.5 · MEDIUM)
Automatically created tracking bug for mingw-wavpack on fedora-all, with the same template text as the wavpack fedora-all tracking bug above.
NOTE: this issue affects multiple supported versions of Fedora.
References
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00029.html
http://packetstormsecurity.com/files/155743/Slackware-Security-Advisory-wavpack-Updates.html
https://github.com/dbry/WavPack/commit/070ef6f138956d9ea9612e69586152339dbefe51
https://github.com/dbry/WavPack/issues/53
https://lists.debian.org/debian-lts-announce/2021/01/msg00013.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3BLSOEVEKF4VNNVNZ2AN46BJUT4TGVWT/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CFFFWIWALGQPKINRDW3PRGRD5LOLGZA/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRWQNE3TH5UF64IKHKKHVCHJHUOVKJUH/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NZGXJUHCGQI6XKLCBUZHXPYIIWMFWA22/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WVVKOBJR5APOB3KWUWJ4UWQHUBZQL6C6/
https://seclists.org/bugtraq/2019/Dec/37
https://security.gentoo.org/glsa/202007-19
https://usn.ubuntu.com/3839-1/
Published: 2018-12-04