Bug 1021483 - VUL-1: CVE-2016-10169, CVE-2016-10170, CVE-2016-10171, CVE-2016-10172: wavpack: multiple out of bounds memory reads
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/179019/
CVSSv2:NVD:CVE-2016-10170:4.3:(AV:N/A...
Reported: 2017-01-23 18:49 UTC by Mikhail Kasimov
Modified: 2018-03-06 23:44 UTC (History)
Description Mikhail Kasimov 2017-01-23 18:49:29 UTC
Ref: http://seclists.org/oss-sec/2017/q1/171

==================================================
Fuzzing wavpack led to the discovery of several invalid memory reads.

global buffer overread in read_code / read_words.c
https://sourceforge.net/p/wavpack/mailman/message/35557889/

heap out of bounds read in WriteCaffHeader / caff.c
https://sourceforge.net/p/wavpack/mailman/message/35561921/

heap out of bounds read in unreorder_channels / wvunpack.c
https://sourceforge.net/p/wavpack/mailman/message/35561939/

heap oob read in read_new_config_info / open_utils.c
https://sourceforge.net/p/wavpack/mailman/message/35561939/


All of them have been fixed with a single commit:
https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc

Wavpack 5.1.0 has been released and fixes all issues.
==================================================

https://software.opensuse.org/package/wavpack

TW, 42.1|2: 4.60.99 in official and multimedia:libs repos.
Comment 1 Swamp Workflow Management 2017-01-23 23:00:43 UTC
bugbot adjusting priority
Comment 3 Mikhail Kasimov 2017-01-28 23:33:13 UTC
(In reply to Mikhail Kasimov from comment #0)
> Ref: http://seclists.org/oss-sec/2017/q1/171
> 
> ==================================================
> Fuzzing wavpack led to the discovery of several invalid memory reads.
> 
> global buffer overread in read_code / read_words.c
> https://sourceforge.net/p/wavpack/mailman/message/35557889/

CVE-2016-10169 (ref: http://seclists.org/oss-sec/2017/q1/221)

> heap out of bounds read in WriteCaffHeader / caff.c
> https://sourceforge.net/p/wavpack/mailman/message/35561921/

CVE-2016-10170 (ref: http://seclists.org/oss-sec/2017/q1/221)
 
> heap out of bounds read in unreorder_channels / wvunpack.c
> https://sourceforge.net/p/wavpack/mailman/message/35561939/

CVE-2016-10171 (ref: http://seclists.org/oss-sec/2017/q1/221)

> heap oob read in read_new_config_info / open_utils.c
> https://sourceforge.net/p/wavpack/mailman/message/35561939/
 
CVE-2016-10172 (ref: http://seclists.org/oss-sec/2017/q1/221)
 
> All of them have been fixed with a single commit:
> https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc
> 
> Wavpack 5.1.0 has been released and fixes all issues.
> ==================================================
> 
> https://software.opensuse.org/package/wavpack
> 
> TW, 42.1|2: 4.60.99 in official and multimedia:libs repos.
Comment 4 Karol Babioch 2018-02-28 12:43:16 UTC
None of the reproducers triggered for me on SLE11/SLE12. While the exact command line was not provided in the original bug report, I've tried quite a few options, none of which worked.

After looking into this in some detail, I conclude that we are _NOT_ affected. The affected code was only introduced upstream with commit e3c5be76b24ce030fba9dc0a769d5689f89b24fe. The code was refactored to some degree, but we do not handle this particular case in process_metadata() in the file src/metadata.c.

    case ID_NEW_CONFIG_BLOCK:
      return read_new_config_info (wpc, wpmd);

Nonetheless the fix in src/read_words.c from commit 4bc05fc490b66ef2d45b1de26abf1455b486b0dc makes sense, so I've applied it to our codestreams (SUSE:SLE-11:Update & SUSE:SLE-12:Update).
Comment 6 Swamp Workflow Management 2018-03-05 20:08:10 UTC
SUSE-SU-2018:0607-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1021483
CVE References: CVE-2016-10169,CVE-2016-10170,CVE-2016-10171,CVE-2016-10172
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    wavpack-4.50.1-1.27.1
SUSE Linux Enterprise Server 11-SP4 (src):    wavpack-4.50.1-1.27.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    wavpack-4.50.1-1.27.1
Comment 7 Swamp Workflow Management 2018-03-05 20:08:42 UTC
SUSE-SU-2018:0608-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1021483
CVE References: CVE-2016-10169,CVE-2016-10170,CVE-2016-10171,CVE-2016-10172
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    wavpack-4.60.99-5.3.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    wavpack-4.60.99-5.3.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    wavpack-4.60.99-5.3.1
SUSE Linux Enterprise Server 12-SP3 (src):    wavpack-4.60.99-5.3.1
SUSE Linux Enterprise Server 12-SP2 (src):    wavpack-4.60.99-5.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    wavpack-4.60.99-5.3.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    wavpack-4.60.99-5.3.1
Comment 8 Andreas Stieger 2018-03-06 19:26:32 UTC
done, closing
Comment 9 Swamp Workflow Management 2018-03-06 23:18:41 UTC
openSUSE-SU-2018:0623-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1021483
CVE References: CVE-2016-10169,CVE-2016-10170,CVE-2016-10171,CVE-2016-10172
Sources used:
openSUSE Leap 42.3 (src):    wavpack-4.60.99-9.3.1