CVE-2018-19840 — Infinite Loop in Wavpack

CWE-835 — Infinite Loop11 documents7 sources

Severity

5.5MEDIUMNVD

EPSS

0.3%

top 42.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wavpack Debian Wavpack Canonical Ubuntu Linux +2 more

Timeline

PublishedDec 4

Latest updateMay 13

Description

The function WavpackPackInit in pack_utils.c in libwavpack.a in WavPack through 5.1.0 allows attackers to cause a denial-of-service (resource exhaustion caused by an infinite loop) via a crafted wav audio file because WavpackSetConfiguration64 mishandles a sample rate of zero.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages5 packages

▶debiandebian/wavpack< wavpack 5.1.0-5 (bookworm)

▶Debianwavpack/wavpack< 5.1.0-5+3

▶Ubuntuwavpack/wavpack< 4.70.0-1ubuntu0.2+2

▶NVDwavpack/wavpack5.1.0

▶NVDopensuse/leap15.0

Also affects: Fedora 28, 29, 30, Ubuntu Linux 14.04, 16.04, 18.04, 18.10

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-5xqp-7g33-7hx3: The function WavpackPackInit in pack_utils↗2022-05-13

▶

OSV

wavpack vulnerabilities↗2018-12-06

▶

OSV

CVE-2018-19840: The function WavpackPackInit in pack_utils↗2018-12-04

▶

📋Vendor Advisories

Ubuntu

WavPack vulnerabilities↗2018-12-06

▶

Red Hat

wawpack: Infinite loop in WavpackPackInit function lead to DoS↗2018-11-26

▶

Debian

CVE-2018-19840: wavpack - The function WavpackPackInit in pack_utils.c in libwavpack.a in WavPack through ...↗2018

▶

💬Community

Bugzilla

CVE-2018-19840 wawpack: Infinite loop in WavpackPackInit function lead to DoS↗2018-12-21

▶

Bugzilla

CVE-2018-19840 CVE-2018-19841 wavpack: various flaws [fedora-all]↗2018-12-21

▶

Bugzilla

CVE-2018-19840 CVE-2018-19841 mingw-wavpack: various flaws [epel-7]↗2018-12-21

▶

Bugzilla

CVE-2018-19840 CVE-2018-19841 mingw-wavpack: various flaws [fedora-all]↗2018-12-21

▶