Bug 1201716 - (CVE-2022-2476) VUL-0: CVE-2022-2476: wavpack: Null pointer dereference in wvunpack
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/337784/
CVSSv3.1:SUSE:CVE-2022-2476:3.3:(AV:L...
Reported: 2022-07-20 13:52 UTC by Hu
Modified: 2022-08-05 13:19 UTC (History)
Found By: Security Response Team


Description Hu 2022-07-20 13:52:53 UTC
CVE-2022-2476

A null pointer dereference bug was found in wavpack-5.4.0. The results from the
ASAN log:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==84257==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x561b47a970c6 bp 0x7fff13952fb0 sp 0x7fff1394fca0 T0)
==84257==The signal is caused by a WRITE memory access.
==84257==Hint: address points to the zero page.
    #0 0x561b47a970c5 in main cli/wvunpack.c:834
    #1 0x7efc4f5c0082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #2 0x561b47a945ed in _start (/usr/local/bin/wvunpack+0xa5ed)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV cli/wvunpack.c:834 in main
==84257==ABORTING

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2476
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2476
https://github.com/dbry/WavPack/issues/121
Comment 1 Hu 2022-07-20 13:53:19 UTC
Affected:
- SUSE:SLE-11:Update/wavpack  4.50.1
- SUSE:SLE-12:Update/wavpack  4.60.99
- SUSE:SLE-15:Update/wavpack  5.4.0

Not affected (already contains fix):
- openSUSE:Factory/wavpack    5.5.0
Comment 2 Petr Gajdos 2022-07-21 08:12:12 UTC
BEFORE

15/wavpack

$ wvunpack -m poc.wv -o /

 WVUNPACK  Hybrid Lossless Audio Decompressor  Linux Version 5.4.0
 Copyright (c) 1998 - 2020 David Bryant.  All Rights Reserved.

can't create file /poc./!                                
Segmentation fault (core dumped)
$

12,11/wavpack

$ wvunpack -m poc.wv -o /

 WVUNPACK  Hybrid Lossless Audio Decompressor  Linux Version 4.70.0-beta
 Copyright (c) 1998 - 2013 Conifer Software.  All Rights Reserved.

not compatible with this version of WavPack file!        
$


PATCH

https://github.com/dbry/WavPack/commit/25b4a2725d8568212e7cf89ca05ca29d128af7ac
12,11/wavpack: no ID_ALT_EXTENSION, applying just part of the commit


AFTER

15/wavpack

$ wvunpack -m poc.wv -o /

 WVUNPACK  Hybrid Lossless Audio Decompressor  Linux Version 5.4.0
 Copyright (c) 1998 - 2020 David Bryant.  All Rights Reserved.

unpacked md5:  d41d8cd98f00b204e9800998ecf8427e                                
file is missing 1095233371905 samples!                                
missing data or crc errors detected in 4 block(s)!                                
$

12,11/wavpack

$ wvunpack -m poc.wv -o /

 WVUNPACK  Hybrid Lossless Audio Decompressor  Linux Version 4.70.0-beta
 Copyright (c) 1998 - 2013 Conifer Software.  All Rights Reserved.

not compatible with this version of WavPack file!
$
[no change]
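
The BEFORE/AFTER check above can be scripted for each code stream. The following is an added example, not part of the original comment or of the WavPack project: the function names `run_and_classify` and `check_fixed` are hypothetical, and it assumes the shell reports death by signal as exit status 128 + signal number.

```shell
#!/bin/sh
# Added example: classify how a decoder run ended, so that a backported fix
# can be verified per code stream (crash before the patch, clean exit after).
# Assumption: death by signal is reported as exit status 128 + signal number
# (SIGSEGV is 11 on Linux, giving 139).

# run_and_classify CMD [ARGS...]
# Prints one of: ok | error:<exit-status> | crash:<signal-number>
run_and_classify() {
    status=0
    # "|| status=$?" keeps the function usable under "set -e".
    ( "$@" ) >/dev/null 2>&1 || status=$?
    if [ "$status" -eq 0 ]; then
        echo "ok"
    elif [ "$status" -gt 128 ]; then
        echo "crash:$((status - 128))"
    else
        echo "error:$status"
    fi
}

# check_fixed CMD [ARGS...]
# Returns 0 unless the command died from a signal. A non-zero exit with a
# diagnostic is an acceptable outcome for a malformed input file.
check_fixed() {
    result=$(run_and_classify "$@")
    case "$result" in
        crash:*) echo "FAIL: $* -> $result" >&2; return 1 ;;
        *)       echo "PASS: $* -> $result"; return 0 ;;
    esac
}

# On a host with the package under test and the reproducer from this bug:
#   check_fixed wvunpack -m poc.wv -o /
```
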
Comment 3 Petr Gajdos 2022-07-21 08:12:57 UTC
Package submitted for: 15,12,11/wavpack

I believe all fixed.
Comment 5 Swamp Workflow Management 2022-08-05 13:18:26 UTC
SUSE-SU-2022:2682-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1201716
CVE References: CVE-2022-2476
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    wavpack-4.60.99-5.12.1
SUSE Linux Enterprise Server 12-SP5 (src):    wavpack-4.60.99-5.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2022-08-05 13:19:55 UTC
SUSE-SU-2022:2681-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1201716
CVE References: CVE-2022-2476
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    wavpack-5.4.0-150000.4.15.1
openSUSE Leap 15.3 (src):    wavpack-5.4.0-150000.4.15.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP4 (src):    wavpack-5.4.0-150000.4.15.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src):    wavpack-5.4.0-150000.4.15.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    wavpack-5.4.0-150000.4.15.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    wavpack-5.4.0-150000.4.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.