CVE-2019-1010317
published 2019-07-11CVE-2019-1010317: WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable. The impact is: Unexpected control flow, crashes, and segfaults. The component…
PriorityP420medium5.5CVSS 3.1
AVLACLPRNUIRSUCNINAH
EPSS
1.46%
70.2th percentile
WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable. The impact is: Unexpected control flow, crashes, and segfaults. The component is: ParseCaffHeaderConfig (caff.c:486). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | wavpack | < wavpack 5.1.0-7 (bookworm) | wavpack 5.1.0-7 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| wavpack | wavpack | <= 5.1.0 | — |
| wavpack | wavpack | — | — |
| wavpack | wavpack | >= 0 < 5.1.0-7 | 5.1.0-7 |
| wavpack | wavpack | >= 0 < 5.1.0-7 | 5.1.0-7 |
| wavpack | wavpack | >= 0 < 5.1.0-7 | 5.1.0-7 |
| wavpack | wavpack | >= 0 < 5.1.0-7 | 5.1.0-7 |
| wavpack | wavpack | >= 0 < 5.1.0-2ubuntu1.4 | 5.1.0-2ubuntu1.4 |
CVSS provenance
nvdv3.15.5MEDIUMCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:N/A:P
osv5.5MEDIUM
vendor_debian5.5LOW
vendor_redhat5.5MEDIUM
vendor_ubuntu5.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Red Hat
wavpack: Use of uninitialized variable in ParseCaffHeaderConfig leads to DoS
vendor_redhat·2019-08-06·CVSS 5.5
CVE-2019-1010317 [MEDIUM] CWE-20 wavpack: Use of uninitialized variable in ParseCaffHeaderConfig leads to DoS
wavpack: Use of uninitialized variable in ParseCaffHeaderConfig leads to DoS
WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable. The impact is: Unexpected control flow, crashes, and segfaults. The component is: ParseCaffHeaderConfig (caff.c:486). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b.
Statement: This issue affects wavpack versions as shipped with Red Hat Enterprise Linux 8. The security impact for this flaw was calculated as 'Low' by the Red Hat Product Security Team. Previous Red Hat Enterprise Linux versions are not affected as wavpack shipped with it doesn't support CAF file format, which is needed to reach the code where the f
Ubuntu
WavPack vulnerabilities
vendor_ubuntu·2019-07-16·CVSS 5.5
CVE-2019-1010315 [MEDIUM] WavPack vulnerabilities
Title: WavPack vulnerabilities
Summary: WavPack could be made to crash if it received a specially crafted WAV file.
Rohan Padhye discovered that WavPack incorrectly handled certain WAV files.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2019-1010315, CVE-2019-1010317, CVE-2019-1010318, CVE-2019-1010319)
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2019-1010317: wavpack - WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable...
vendor_debian·2019·CVSS 5.5
CVE-2019-1010317 [MEDIUM] CVE-2019-1010317: wavpack - WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable...
WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable. The impact is: Unexpected control flow, crashes, and segfaults. The component is: ParseCaffHeaderConfig (caff.c:486). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b.
Scope: local
bookworm: resolved (fixed in 5.1.0-7)
bullseye: resolved (fixed in 5.1.0-7)
forky: resolved (fixed in 5.1.0-7)
sid: resolved (fixed in 5.1.0-7)
trixie: resolved (fixed in 5.1.0-7)
GHSA
GHSA-7wf6-38w5-gjg5: WavPack 5
ghsa_unreviewed·2022-05-24
CVE-2019-1010317 [MEDIUM] CWE-908 GHSA-7wf6-38w5-gjg5: WavPack 5
WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable. The impact is: Unexpected control flow, crashes, and segfaults. The component is: ParseCaffHeaderConfig (caff.c:486). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b.
OSV
wavpack vulnerabilities
osv·2019-07-16·CVSS 5.5
CVE-2019-1010315 [MEDIUM] wavpack vulnerabilities
wavpack vulnerabilities
Rohan Padhye discovered that WavPack incorrectly handled certain WAV files.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2019-1010315, CVE-2019-1010317, CVE-2019-1010318, CVE-2019-1010319)
OSV
CVE-2019-1010317: WavPack 5
osv·2019-07-11·CVSS 5.5
CVE-2019-1010317 [MEDIUM] CVE-2019-1010317: WavPack 5
WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable. The impact is: Unexpected control flow, crashes, and segfaults. The component is: ParseCaffHeaderConfig (caff.c:486). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-1010317 mingw-wavpack: wavpack: use of uninitialized variable in ParseCaffHeaderConfig leads to DoS [epel-7]
bugzilla·2019-08-06·CVSS 5.5
CVE-2019-1010317 [MEDIUM] CVE-2019-1010317 mingw-wavpack: wavpack: use of uninitialized variable in ParseCaffHeaderConfig leads to DoS [epel-7]
CVE-2019-1010317 mingw-wavpack: wavpack: use of uninitialized variable in ParseCaffHeaderConfig leads to DoS [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use
Bugzilla
CVE-2019-1010317 wavpack: use of uninitialized variable in ParseCaffHeaderConfig leads to DoS [fedora-all]
bugzilla·2019-08-06·CVSS 5.5
CVE-2019-1010317 [MEDIUM] CVE-2019-1010317 wavpack: use of uninitialized variable in ParseCaffHeaderConfig leads to DoS [fedora-all]
CVE-2019-1010317 wavpack: use of uninitialized variable in ParseCaffHeaderConfig leads to DoS [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affect
Bugzilla
CVE-2019-1010317 wavpack: Use of uninitialized variable in ParseCaffHeaderConfig leads to DoS
bugzilla·2019-08-06·CVSS 5.5
CVE-2019-1010317 [MEDIUM] CVE-2019-1010317 wavpack: Use of uninitialized variable in ParseCaffHeaderConfig leads to DoS
CVE-2019-1010317 wavpack: Use of uninitialized variable in ParseCaffHeaderConfig leads to DoS
WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable. The impact is: Unexpected control flow, crashes, and segfaults. The component is: ParseCaffHeaderConfig (caff.c:486). The attack vector is: Maliciously crafted .wav file.
Upstream Issue:
https://github.com/dbry/WavPack/issues/66
Upstream Patch:
https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b
Discussion:
Created mingw-wavpack tracking bugs for this issue:
Affects: epel-7 [bug 1737748]
Affects: fedora-all [bug 1737750]
Created wavpack tracking bugs for this issue:
Affects: fedora-all [bug 1737749]
---
When wavpack parses a a CAF file it doesn't properly validates whether a '
Bugzilla
CVE-2019-1010317 mingw-wavpack: wavpack: use of uninitialized variable in ParseCaffHeaderConfig leads to DoS [fedora-all]
bugzilla·2019-08-06·CVSS 5.5
CVE-2019-1010317 [MEDIUM] CVE-2019-1010317 mingw-wavpack: wavpack: use of uninitialized variable in ParseCaffHeaderConfig leads to DoS [fedora-all]
CVE-2019-1010317 mingw-wavpack: wavpack: use of uninitialized variable in ParseCaffHeaderConfig leads to DoS [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: th
https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101bhttps://github.com/dbry/WavPack/issues/66https://lists.debian.org/debian-lts-announce/2021/01/msg00013.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CFFFWIWALGQPKINRDW3PRGRD5LOLGZA/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRWQNE3TH5UF64IKHKKHVCHJHUOVKJUH/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IX3J2JML5A7KC2BLGBEFTIIZR3EM7LVJ/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYESOAZ6Z6IG4BQBURL6OUY6P4YB6SKS/https://usn.ubuntu.com/4062-1/https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101bhttps://github.com/dbry/WavPack/issues/66https://lists.debian.org/debian-lts-announce/2021/01/msg00013.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CFFFWIWALGQPKINRDW3PRGRD5LOLGZA/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRWQNE3TH5UF64IKHKKHVCHJHUOVKJUH/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IX3J2JML5A7KC2BLGBEFTIIZR3EM7LVJ/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYESOAZ6Z6IG4BQBURL6OUY6P4YB6SKS/https://usn.ubuntu.com/4062-1/
2019-07-11
Published