Bug 1180414 - (CVE-2020-35738) VUL-0: CVE-2020-35738: wavpack: out-of-bounds write in WavpackPackSamples in pack_utils.c
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/274099/
CVSSv3.1:SUSE:CVE-2020-35738:8.1:(AV:...
Reported: 2020-12-28 18:05 UTC by Wolfgang Frisch
Modified: 2022-03-25 08:50 UTC (History)
Found By: Security Response Team
Attachments
crash.wav (570.79 KB, application/octet-stream)
2020-12-28 18:12 UTC, Wolfgang Frisch
Description Wolfgang Frisch 2020-12-28 18:05:53 UTC
CVE-2020-35738

WavPack 5.3.0 has an out-of-bounds write in WavpackPackSamples in pack_utils.c
because of an integer overflow in a malloc argument. NOTE: some third-parties
claim that there are later "unofficial" releases through 5.3.2, which are also
affected.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-35738
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35738
https://github.com/dbry/WavPack/issues/91
Comment 1 Wolfgang Frisch 2020-12-28 18:12:49 UTC
Created attachment 844729
crash.wav

QA REPRODUCER:

wavpack -y crash.wav

BAD:

 WAVPACK  Hybrid Lossless Audio Compressor  Linux Version 5.3.0
 Copyright (c) 1998 - 2008 Conifer Software.  All Rights Reserved.

creating crash.wv,Segmentation fault (core dumped)
Comment 2 Wolfgang Frisch 2020-12-28 18:13:29 UTC
SUSE:SLE-11:Update  Affected
SUSE:SLE-12:Update  Affected
SUSE:SLE-15:Update  Affected
openSUSE:Leap:15.1  Affected
openSUSE:Leap:15.2  Affected
openSUSE:Factory    Affected
Comment 4 Swamp Workflow Management 2021-01-21 17:16:17 UTC
SUSE-SU-2021:0186-1: An update that fixes 13 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1091340,1091341,1091342,1091343,1091344,1180414
CVE References: CVE-2018-10536,CVE-2018-10537,CVE-2018-10538,CVE-2018-10539,CVE-2018-10540,CVE-2018-19840,CVE-2018-19841,CVE-2018-6767,CVE-2018-7253,CVE-2018-7254,CVE-2019-1010319,CVE-2019-11498,CVE-2020-35738
JIRA References: 
Sources used:
SUSE Manager Server 4.0 (src):    wavpack-5.4.0-4.9.1
SUSE Manager Retail Branch Server 4.0 (src):    wavpack-5.4.0-4.9.1
SUSE Manager Proxy 4.0 (src):    wavpack-5.4.0-4.9.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    wavpack-5.4.0-4.9.1
SUSE Linux Enterprise Server for SAP 15 (src):    wavpack-5.4.0-4.9.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    wavpack-5.4.0-4.9.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    wavpack-5.4.0-4.9.1
SUSE Linux Enterprise Server 15-LTSS (src):    wavpack-5.4.0-4.9.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src):    wavpack-5.4.0-4.9.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src):    wavpack-5.4.0-4.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    wavpack-5.4.0-4.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    wavpack-5.4.0-4.9.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    wavpack-5.4.0-4.9.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    wavpack-5.4.0-4.9.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    wavpack-5.4.0-4.9.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    wavpack-5.4.0-4.9.1
SUSE Enterprise Storage 6 (src):    wavpack-5.4.0-4.9.1
SUSE CaaS Platform 4.0 (src):    wavpack-5.4.0-4.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Swamp Workflow Management 2021-01-24 23:19:05 UTC
openSUSE-SU-2021:0153-1: An update that fixes 13 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1091340,1091341,1091342,1091343,1091344,1180414
CVE References: CVE-2018-10536,CVE-2018-10537,CVE-2018-10538,CVE-2018-10539,CVE-2018-10540,CVE-2018-19840,CVE-2018-19841,CVE-2018-6767,CVE-2018-7253,CVE-2018-7254,CVE-2019-1010319,CVE-2019-11498,CVE-2020-35738
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    wavpack-5.4.0-lp152.7.3.1
Comment 6 Swamp Workflow Management 2021-01-24 23:20:28 UTC
openSUSE-SU-2021:0154-1: An update that fixes 13 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1091340,1091341,1091342,1091343,1091344,1180414
CVE References: CVE-2018-10536,CVE-2018-10537,CVE-2018-10538,CVE-2018-10539,CVE-2018-10540,CVE-2018-19840,CVE-2018-19841,CVE-2018-6767,CVE-2018-7253,CVE-2018-7254,CVE-2019-1010319,CVE-2019-11498,CVE-2020-35738
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    wavpack-5.4.0-lp151.5.6.1
Comment 7 Petr Gajdos 2021-03-16 12:05:41 UTC
BEFORE

$ valgrind --leak-check=full -q wavpack -y crash.wav

 WAVPACK  Hybrid Lossless Audio Compressor  Linux Version 4.70.0-beta
 Copyright (c) 1998 - 2013 Conifer Software.  All Rights Reserved.

created crash.wv in 1.57 secs (lossless, 59.17%)        
$


PATCH

https://github.com/dbry/WavPack/issues/91#issuecomment-752653707


AFTER

$ valgrind --leak-check=full -q wavpack -y crash.wav

 WAVPACK  Hybrid Lossless Audio Compressor  Linux Version 4.70.0-beta
 Copyright (c) 1998 - 2013 Conifer Software.  All Rights Reserved.

sample rate cannot be zero!        
$
Comment 8 Petr Gajdos 2021-03-16 12:07:12 UTC
(In reply to Wolfgang Frisch from comment #2)
> SUSE:SLE-15:Update  Affected
> openSUSE:Leap:15.1  Affected
> openSUSE:Leap:15.2  Affected
> openSUSE:Factory    Affected

This was already fixed by Alexandros by a version update.
Comment 9 Petr Gajdos 2021-03-16 12:09:59 UTC
(In reply to Wolfgang Frisch from comment #2)
> SUSE:SLE-11:Update  Affected
> SUSE:SLE-12:Update  Affected

I have submitted these packages: 12/wavpack and 11/wavpack. NOTE though:

We do not support the wavpack binary package in 12 and 11! The fix ends there through /usr/bin/wavpack. Leaving it to your decision whether to accept this fix or not.
Comment 10 Petr Gajdos 2021-03-16 12:10:21 UTC
I believe all fixed.
Comment 12 Swamp Workflow Management 2021-03-19 20:45:33 UTC
SUSE-SU-2021:14669-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1180414
CVE References: CVE-2020-35738
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    wavpack-4.50.1-1.33.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    wavpack-4.50.1-1.33.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    wavpack-4.50.1-1.33.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    wavpack-4.50.1-1.33.1

Comment 13 Swamp Workflow Management 2021-03-24 14:18:17 UTC
SUSE-SU-2021:0929-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1180414
CVE References: CVE-2020-35738
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    wavpack-4.60.99-5.9.1
SUSE OpenStack Cloud Crowbar 8 (src):    wavpack-4.60.99-5.9.1
SUSE OpenStack Cloud 9 (src):    wavpack-4.60.99-5.9.1
SUSE OpenStack Cloud 8 (src):    wavpack-4.60.99-5.9.1
SUSE OpenStack Cloud 7 (src):    wavpack-4.60.99-5.9.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    wavpack-4.60.99-5.9.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    wavpack-4.60.99-5.9.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    wavpack-4.60.99-5.9.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    wavpack-4.60.99-5.9.1
SUSE Linux Enterprise Server 12-SP5 (src):    wavpack-4.60.99-5.9.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    wavpack-4.60.99-5.9.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    wavpack-4.60.99-5.9.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    wavpack-4.60.99-5.9.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    wavpack-4.60.99-5.9.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    wavpack-4.60.99-5.9.1
HPE Helion Openstack 8 (src):    wavpack-4.60.99-5.9.1

Comment 14 Marcus Meissner 2022-03-25 08:50:08 UTC
done