Bug#978548: wavpack: CVE-2020-35738

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#978548: wavpack: CVE-2020-35738
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Mon, 28 Dec 2020 15:06:30 +0100
Message-id: <[🔎] 160916439091.600381.10976612410470513938.reportbug@eldamar.lan>
Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 978548@bugs.debian.org

Source: wavpack
Version: 5.3.0-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/dbry/WavPack/issues/91
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for wavpack.

CVE-2020-35738[0]:
| WavPack 5.3.0 has an out-of-bounds write in WavpackPackSamples in
| pack_utils.c because of an integer overflow in a malloc argument.
| NOTE: some third-parties claim that there are later "unofficial"
| releases through 5.3.2, which are also affected.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-35738
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35738
[1] https://github.com/dbry/WavPack/issues/91

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply to:

Follow-Ups:
- Bug#978548: marked as done (wavpack: CVE-2020-35738)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Re: tuned: please update the package to a recent version
Next by Date: Processed: [bts-link] source package src:bambootracker
Previous by thread: pulseeffects_4.8.4-1_source.changes ACCEPTED into unstable
Next by thread: Bug#978548: marked as done (wavpack: CVE-2020-35738)
Index(es):
- Date
- Thread