CVE-2019-11498 - WavpackSetConfiguration64 in pack_utils.c in libwavpack.a in WavPack through 5.1.0 has a "Conditiona

CVE-2019-11498

Summary

WavpackSetConfiguration64 in pack_utils.c in libwavpack.a in WavPack through 5.1.0 has a "Conditional jump or move depends on uninitialised value" condition, which might allow attackers to cause a denial of service (application crash) via a DFF file that lacks valid sample-rate data.

References

Vulnerable Configurations

cpe:2.3:a:wavpack:wavpack:4.40.0:-:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.40.0:-:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.40.0:beta:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.40.0:beta:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.41.0:*:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.41.0:*:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.42.0:alpha:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.42.0:alpha:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.42.0:alpha2:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.42.0:alpha2:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.50.0:-:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.50.0:-:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.50.0:beta:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.50.0:beta:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.50.1:*:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.50.1:*:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.60.0:-:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.60.0:-:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.60.0:alpha:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.60.0:alpha:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.60.0:beta:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.60.0:beta:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.60.1:*:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.60.1:*:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.70.0:-:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.70.0:-:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.70.0:alpha:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.70.0:alpha:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.70.0:beta:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.70.0:beta:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.70.0:rc:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.70.0:rc:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.75.0:-:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.75.0:-:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.75.0:rc:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.75.0:rc:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.75.2:*:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.75.2:*:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.80.0:-:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.80.0:-:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.80.0:rc:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:4.80.0:rc:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:5.0.0:-:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:5.0.0:-:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:5.0.0:alpha:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:5.0.0:alpha:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:5.0.0:alpha2:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:5.0.0:alpha2:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:5.0.0:alpha3:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:5.0.0:alpha3:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:5.0.0:alpha4:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:5.0.0:alpha4:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:5.0.0:alpha5:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:5.0.0:alpha5:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:5.1.0:*:*:*:*:*:*:*
cpe:2.3:a:wavpack:wavpack:5.1.0:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

CVSS

Base:	4.3 (as of 07-10-2022 - 13:44)
Impact:
Exploitability:

CWE

CWE-824

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
NONE	NONE	PARTIAL

cvss-vector via4

AV:N/AC:M/Au:N/C:N/I:N/A:P

redhat via4

advisories

bugzilla

id	1737747
title	CVE-2019-1010317 wavpack: Use of uninitialized variable in ParseCaffHeaderConfig leads to DoS

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 8 is installed
oval oval:com.redhat.rhba:tst:20193384074

AND
comment wavpack is earlier than 0:5.1.0-15.el8
oval oval:com.redhat.rhsa:tst:20201581001
comment wavpack is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20201581002

AND

comment wavpack-debugsource is earlier than 0:5.1.0-15.el8
oval oval:com.redhat.rhsa:tst:20201581003
comment wavpack-debugsource is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20201581004

AND
comment wavpack-devel is earlier than 0:5.1.0-15.el8
oval oval:com.redhat.rhsa:tst:20201581005
comment wavpack-devel is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20201581006

rhsa

id	RHSA-2020:1581
released	2020-04-28
severity	Low
title	RHSA-2020:1581: wavpack security update (Low)

rpms

wavpack-0:5.1.0-15.el8
wavpack-debuginfo-0:5.1.0-15.el8
wavpack-debugsource-0:5.1.0-15.el8
wavpack-devel-0:5.1.0-15.el8

refmap via4

fedora	FEDORA-2019-52145aa7ca FEDORA-2019-b8a704ff4b FEDORA-2020-73274c9df4 FEDORA-2020-e55567b6be
gentoo	GLSA-202007-19
misc	https://github.com/dbry/WavPack/commit/bc6cba3f552c44565f7f1e66dc1580189addb2b4 https://github.com/dbry/WavPack/issues/67
mlist	[debian-lts-announce] 20210115 [SECURITY] [DLA 2525-1] wavpack security update
ubuntu	USN-3960-1

Last major update

07-10-2022 - 13:44

Published

24-04-2019 - 05:29

Last modified

07-10-2022 - 13:44