
Bug#927903: marked as done (wavpack: CVE-2019-11498: Uninitialized Read in WavpackSetConfiguration64())



Your message dated Sun, 28 Apr 2019 21:49:29 +0000
with message-id <E1hKrft-000H1P-L7@fasolo.debian.org>
and subject line Bug#927903: fixed in wavpack 5.1.0-6
has caused the Debian Bug report #927903,
regarding wavpack: CVE-2019-11498: Uninitialized Read in WavpackSetConfiguration64()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
927903: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927903
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: wavpack
Version: 5.1.0-5
Severity: important
Tags: security upstream
Forwarded: https://github.com/dbry/WavPack/issues/67

Hi,

The following vulnerability was published for wavpack.

CVE-2019-11498[0]:
| WavpackSetConfiguration64 in pack_utils.c in libwavpack.a in WavPack
| through 5.1.0 has a "Conditional jump or move depends on uninitialised
| value" condition, which might allow attackers to cause a denial of
| service (application crash) via a DFF file that lacks valid sample-
| rate data.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-11498
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11498
[1] https://github.com/dbry/WavPack/issues/67
[2] https://github.com/dbry/WavPack/commit/bc6cba3f552c44565f7f1e66dc1580189addb2b4

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
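The CVE text above describes a branch that depends on a configuration field the decoder never populated because the input DFF file carried no valid sample-rate chunk. The following is an added, self-contained C illustration of the defensive pattern that closes that class of bug (zero-initialise the configuration record before parsing, then reject the file when a required field was never set). It is not WavPack's code; the `demo_config`, `demo_chunk`, `parse_chunks` and `configure_hardened` names and the two-chunk "header" are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical configuration record, loosely modelled on what a container
 * parser hands to an encoder-configuration routine. Not WavpackConfig. */
typedef struct {
    uint32_t sample_rate;
    int num_channels;
    int bits_per_sample;
} demo_config;

/* Constructed stand-in for the chunks a DFF-style container may carry:
 * a four-byte tag plus one 32-bit value. */
typedef struct {
    char tag[4];
    uint32_t value;
} demo_chunk;

/* Copy recognised chunk values into cfg. Returns 1 if a sample-rate chunk
 * ("FS  ") was present, 0 if the file lacked one. Fields for chunks that are
 * absent are deliberately left untouched, which is exactly why the caller
 * must have initialised cfg beforehand. */
static int parse_chunks(const demo_chunk *chunks, size_t n, demo_config *cfg)
{
    int saw_rate = 0;
    for (size_t i = 0; i < n; i++) {
        if (memcmp(chunks[i].tag, "FS  ", 4) == 0) {
            cfg->sample_rate = chunks[i].value;
            saw_rate = 1;
        } else if (memcmp(chunks[i].tag, "CHNL", 4) == 0) {
            cfg->num_channels = (int)chunks[i].value;
        }
    }
    return saw_rate;
}

/* Hardened configure step. Returns 0 and fills *out on success, -1 when the
 * input is missing required data. Because cfg is zeroed first, no later
 * "if (cfg.sample_rate ...)" branch can ever read an indeterminate value,
 * and a file without a sample-rate chunk is rejected instead of being
 * passed on with garbage in that field. */
static int configure_hardened(const demo_chunk *chunks, size_t n, demo_config *out)
{
    demo_config cfg;
    memset(&cfg, 0, sizeof cfg);   /* every field now has a defined value */
    cfg.bits_per_sample = 1;       /* DSD streams are one bit per sample */

    if (!parse_chunks(chunks, n, &cfg) || cfg.sample_rate == 0)
        return -1;                 /* missing or invalid sample rate */
    if (cfg.num_channels < 1 || cfg.num_channels > 256)
        return -1;                 /* missing or implausible channel count */

    *out = cfg;
    return 0;
}

int main(void)
{
    /* Constructed inputs: one complete header, one lacking the rate chunk. */
    demo_chunk good[] = { { {'F','S',' ',' '}, 2822400u }, { {'C','H','N','L'}, 2u } };
    demo_chunk bad[]  = { { {'C','H','N','L'}, 2u } };
    demo_config cfg;

    printf("complete header: %s\n",
           configure_hardened(good, 2, &cfg) == 0 ? "accepted" : "rejected");
    printf("no sample-rate chunk: %s\n",
           configure_hardened(bad, 1, &cfg) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The two mitigations are independent and both worth keeping: the `memset` turns an uninitialised read into a deterministic zero that tools such as Valgrind or MemorySanitizer will no longer flag, and the explicit "was the rate actually set?" check turns that zero into a clean parse failure rather than a silently wrong configuration.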
--- Begin Message ---
Source: wavpack
Source-Version: 5.1.0-6

We believe that the bug you reported is fixed in the latest version of
wavpack, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 927903@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Ramacher <sramacher@debian.org> (supplier of updated wavpack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 28 Apr 2019 23:30:18 +0200
Source: wavpack
Architecture: source
Version: 5.1.0-6
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Sebastian Ramacher <sramacher@debian.org>
Closes: 927903
Changes:
 wavpack (5.1.0-6) unstable; urgency=medium
 .
   * debian/patches: Cherry-pick upstream patches to fix use of uninitialized
     values. (CVE-2019-11498) (Closes: #927903)
Checksums-Sha1:
 578a3fb097c4bbc8f5725edd3481c959753ff3de 2056 wavpack_5.1.0-6.dsc
 c95b71e7209594ab4a9a56997d85eed1544f22db 10860 wavpack_5.1.0-6.debian.tar.xz
Checksums-Sha256:
 aa5c3b5103146353f5202a27d769467230605671f2ce2f82b90a5d4929374b89 2056 wavpack_5.1.0-6.dsc
 2802722260e7e95dcfc25d8d6704f5dea80018797fd583537baec4b7729993b4 10860 wavpack_5.1.0-6.debian.tar.xz
Files:
 90a77c1d4b1ea59cbd14960516d98c27 2056 sound optional wavpack_5.1.0-6.dsc
 866a481f91cedc74a2287364c47a0c2d 10860 sound optional wavpack_5.1.0-6.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE94y6B4F7sUmhHTOQafL8UW6nGZMFAlzGG9cACgkQafL8UW6n
GZNJDxAAhxR9gh6Uw4ETAIKV72+ACbwp2hVmmWUCdbFRXgiE66alEDslyBidY2P/
XyABWV5cNLgqchpCMojPWlpD2li+wc/j/+SjN7bK4SQ2moaAqMg3PL4lVxLKw//Z
FbCMlTZX5yJueRfn54t9DOyTj50yYCGzjhcdWf4GmZ+BpC2QIqn3RSzmK7mzBnHj
w+Lc42igW8wMTFZX7AzrEkU9EUaNw1ZfDMcKzB3EXcXWhNwSJ9ct1oAs1JmnlKJP
2wvhBNTJHm3tqz4bfC+prCteTNIfLsCRevvsaB26FgRtXV+uqob0XnKOuqbruQqn
udxAiBRHhXyP0Cdnmi/8cldGlBY1yRtG+O04RXpPCpxIsj+xKUA+CNMOPiq13h7v
rV6EFp74zv0dlXiRIjb3A66MJUm7a67IlNlTivbHP/QvGOsZb5/TylXCZB7cx9r2
lO7z9g09tDxkavyKFMh7SNMZw4ocdcrCGb+lt8+MuVRB2owQM88zW8GY/ztdQXU2
jaNNBTQdGm/9rfIj1ypD/aLOlOl+Dx2WtAI+QWr3mbpDURck3Za3Nni465n1Jk6n
eZ9kb8gBBiibnLAike7kybrIjr/46SM2iva+6yhVJnO8d4N5ZLIrr/wDkocXd0Dw
28ApPrBEeEEZhLY3xvMLZn7hT1GvNv2FDBB3bWmPB+Lbsr8BXT8=
=Kc7L
-----END PGP SIGNATURE-----

--- End Message ---
