CVE-2019-11498: Access of Uninitialized Pointer in Wavpack

Severity: 6.5 MEDIUM (NVD)
EPSS: 1.9% (top 16.57%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 24; Latest update May 24

Description

WavpackSetConfiguration64 in pack_utils.c in libwavpack.a in WavPack through 5.1.0 has a "Conditional jump or move depends on uninitialised value" condition, which might allow attackers to cause a denial of service (application crash) via a DFF file that lacks valid sample-rate data.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Exploitability: 2.8 | Impact: 3.6

Affected Packages (3 packages)

debian: debian/wavpack < wavpack 5.1.0-6 (bookworm)
Debian: wavpack/wavpack < 5.1.0-6+3
NVD: wavpack/wavpack 5.1.0

Also affects: Debian Linux 9.0, Fedora 29, 30, 31, Ubuntu Linux 18.04, 18.10, 19.04

Patches

🔴 Vulnerability Details (2)

GHSA: GHSA-jmgr-533j-34jh: WavpackSetConfiguration64 in pack_utils (2022-05-24)
OSV: CVE-2019-11498: WavpackSetConfiguration64 in pack_utils (2019-04-24)

📋 Vendor Advisories (3)

Ubuntu: WavPack vulnerability (2019-04-30)
Red Hat: wavpack: Use of uninitialized variable in WavpackSetConfiguration64 leads to DoS (2019-03-05)
Debian: CVE-2019-11498: wavpack - WavpackSetConfiguration64 in pack_utils.c in libwavpack.a in WavPack through 5.1... (2019)

💬 Community (4)

Bugzilla: CVE-2019-11498 mingw-wavpack: wavpack: dos in pack_utils.c in libwavpack.a [fedora-all] (2019-04-30)
Bugzilla: CVE-2019-11498 mingw-wavpack: wavpack: dos in pack_utils.c in libwavpack.a [epel-7] (2019-04-30)
Bugzilla: CVE-2019-11498 wavpack: dos in pack_utils.c in libwavpack.a [fedora-all] (2019-04-30)
Bugzilla: CVE-2019-11498 wavpack: Use of uninitialized variable in WavpackSetConfiguration64 leads to DoS (2019-04-30)