
Bug#915565: marked as done (wavpack: CVE-2018-19841: heap-buffer-overflow)



Your message dated Wed, 05 Dec 2018 09:04:55 +0000
with message-id <E1gUT71-000FdP-JY@fasolo.debian.org>
and subject line Bug#915565: fixed in wavpack 5.1.0-5
has caused the Debian Bug report #915565,
regarding wavpack: CVE-2018-19841: heap-buffer-overflow
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
915565: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=915565
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: wavpack
Version: 5.1.0-4
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/dbry/WavPack/issues/54
Control: found -1 5.0.0-1
Control: found -1 5.0.0-2+deb9u2

Hi,

The following vulnerability was published for wavpack.

CVE-2018-19841[0]:
| The function WavpackVerifySingleBlock in open_utils.c in libwavpack.a
| in WavPack through 5.1.0 allows attackers to cause a denial-of-service
| (out-of-bounds read and application crash) via a crafted WavPack
| Lossless Audio file, as demonstrated by wvunpack.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-19841
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19841
[1] https://github.com/dbry/WavPack/commit/bba5389dc598a92bdf2b297c3ea34620b6679b5b
[2] https://github.com/dbry/WavPack/issues/54

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: wavpack
Source-Version: 5.1.0-5

We believe that the bug you reported is fixed in the latest version of
wavpack, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 915565@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Ramacher <sramacher@debian.org> (supplier of updated wavpack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 05 Dec 2018 09:43:52 +0100
Source: wavpack
Binary: libwavpack1 libwavpack-dev wavpack
Architecture: source
Version: 5.1.0-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Sebastian Ramacher <sramacher@debian.org>
Description:
 libwavpack-dev - audio codec (lossy and lossless) - development files
 libwavpack1 - audio codec (lossy and lossless) - library
 wavpack    - audio codec (lossy and lossless) - encoder and decoder
Closes: 915564 915565
Changes:
 wavpack (5.1.0-5) unstable; urgency=medium
 .
   * debian/control: Bump Standards-Version.
   * debian/patches: Cherry-pick upstream patches for multiple CVEs
     (CVE-2018-19840, CVE-2018-19841). (Closes: #915564, #915565)
Checksums-Sha1:
 868f68023e2c01238016cf5f850305fe744fbcb5 2082 wavpack_5.1.0-5.dsc
 c35c74793b76969920ff22ae7cb5ee61b629a585 9800 wavpack_5.1.0-5.debian.tar.xz
Checksums-Sha256:
 676785a6bc4f549f9a2dc88463e70d741a5555bf79b58e99be97e0c58c2b6518 2082 wavpack_5.1.0-5.dsc
 95fb6fdb619f76757afff7a3c56ce64d3c7bf65e2b70ed0c824a6cc2c101be0a 9800 wavpack_5.1.0-5.debian.tar.xz
Files:
 b2da035a91307ecebb755d9c276f72a3 2082 sound optional wavpack_5.1.0-5.dsc
 9e35078fa432463972da5032070e9f11 9800 sound optional wavpack_5.1.0-5.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
