[3.4] wavpack: Multiple vulnerabilities (CVE-2018-10536, CVE-2018-10537, CVE-2018-10538, CVE-2018-10539, CVE-2018-10540)
CVE-2018-10536: An issue was discovered in WavPack 5.1.0 and
earlier. The WAV parser component contains a vulnerability
that allows writing to memory because ParseRiffHeaderConfig in riff.c
does not reject multiple format chunks.
References:
https://github.com/dbry/WavPack/issues/30
https://github.com/dbry/WavPack/issues/31
https://github.com/dbry/WavPack/issues/32
Patch:
https://github.com/dbry/WavPack/commit/26cb47f99d481ad9b93eeff80d26e6b63bbd7e15
CVE-2018-10537: An issue was discovered in WavPack 5.1.0 and
earlier. The W64 parser component contains a vulnerability
that allows writing to memory because ParseWave64HeaderConfig in
wave64.c does not reject multiple format chunks.
References:
https://github.com/dbry/WavPack/issues/30
https://github.com/dbry/WavPack/issues/31
https://github.com/dbry/WavPack/issues/32
Patch:
https://github.com/dbry/WavPack/commit/26cb47f99d481ad9b93eeff80d26e6b63bbd7e15
CVE-2018-10538: An issue was discovered in WavPack 5.1.0 and earlier
for WAV input. Out-of-bounds writes can occur because
ParseRiffHeaderConfig in riff.c does not validate the sizes of unknown
chunks before attempting memory allocation, related to a lack of
integer-overflow protection within a bytes_to_copy calculation and
subsequent malloc call, leading to insufficient memory allocation.
References:
https://github.com/dbry/WavPack/issues/33
Patch:
https://github.com/dbry/WavPack/commit/6f8bb34c2993a48ab9afbe353e6d0cff7c8d821d
CVE-2018-10539: An issue was discovered in WavPack 5.1.0 and earlier
for DSDiff input. Out-of-bounds writes can occur because
ParseDsdiffHeaderConfig in dsdiff.c does not validate the sizes of
unknown chunks before attempting memory allocation, related to a
lack of integer-overflow protection within a bytes_to_copy calculation
and subsequent malloc call, leading to insufficient memory allocation.
References:
https://github.com/dbry/WavPack/issues/33
Patch:
https://github.com/dbry/WavPack/commit/6f8bb34c2993a48ab9afbe353e6d0cff7c8d821d
CVE-2018-10540: An issue was discovered in WavPack 5.1.0 and earlier
for W64 input. Out-of-bounds writes can occur because
ParseWave64HeaderConfig in wave64.c does not validate the sizes of
unknown chunks before attempting memory allocation, related
to a lack of integer-overflow protection within a bytes_to_copy
calculation and subsequent malloc call, leading to insufficient memory
allocation.
References:
https://github.com/dbry/WavPack/issues/33
Patch:
https://github.com/dbry/WavPack/commit/6f8bb34c2993a48ab9afbe353e6d0cff7c8d821d
(from redmine: issue id 8915, created on 2018-05-18, closed on 2018-06-12)
- Relations:
- copied_to #8911 (closed)
- parent #8911 (closed)
- Changesets:
- Revision 770d5dd5 on 2018-06-11T09:26:41Z:
main/wavpack: add secfixes
fixes for:
-CVE-2018-10536
-CVE-2018-10537
-CVE-2018-10538
-CVE-2018-10539
-CVE-2018-10540
Fixes #8915