Bug#1015790: wavpack: CVE-2022-2476

To: submit@bugs.debian.org
Subject: Bug#1015790: wavpack: CVE-2022-2476
From: Moritz Mühlenhoff <jmm@inutil.org>
Date: Thu, 21 Jul 2022 11:52:27 +0200
Message-id: <[🔎] Ytkh26iylQvKBW2+@pisco.westfalen.local>
Reply-to: Moritz Mühlenhoff <jmm@inutil.org>, 1015790@bugs.debian.org

Source: wavpack
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for wavpack.

CVE-2022-2476[0]:
| A null pointer dereference bug was found in wavpack-5.4.0 The results
| from the ASAN log: AddressSanitizer:DEADLYSIGNAL =====================
| ==============================================84257==ERROR:
| AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
| 0x561b47a970c6 bp 0x7fff13952fb0 sp 0x7fff1394fca0 T0) ==84257==The
| signal is caused by a WRITE memory access. ==84257==Hint: address
| points to the zero page. #0 0x561b47a970c5 in main cli/wvunpack.c:834
| #1 0x7efc4f5c0082 in __libc_start_main (/lib/x86_64-linux-
| gnu/libc.so.6+0x24082) #2 0x561b47a945ed in _start
| (/usr/local/bin/wvunpack+0xa5ed) AddressSanitizer can not provide
| additional info. SUMMARY: AddressSanitizer: SEGV cli/wvunpack.c:834 in
| main ==84257==ABORTING

https://github.com/dbry/WavPack/issues/121	
https://github.com/dbry/WavPack/commit/25b4a2725d8568212e7cf89ca05ca29d128af7ac

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-2476
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2476

Please adjust the affected versions in the BTS as needed.

Reply to:

Prev by Date: Bug#1015788: gpac: CVE-2022-2453 CVE-2022-2454
Next by Date: Processing of libyuv_0.0~git20220714.fe8c78b-1_source.changes
Previous by thread: Bug#1015788: gpac: CVE-2022-2453 CVE-2022-2454
Next by thread: Processing of libyuv_0.0~git20220714.fe8c78b-1_source.changes
Index(es):
- Date
- Thread