PT-2019-5869 · Dbry+8 · Wavpack+8

Rohan Padhye · Published 2019-03-05 · Updated 2024-06-15 · CVE-2019-1010319

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions: WavPack versions 5.1.0 and earlier

Description: The issue is related to the use of uninitialized variables in the ParseWave64HeaderConfig component of the WavPack audio codec. This can lead to unexpected control flow, crashes, and segfaults when a maliciously crafted .wav file is processed. The attack vector is a malicious .wav file.

Recommendations: For WavPack versions 5.1.0 and earlier, update to a version after commit https://github.com/dbry/WavPack/commit/33a0025d1d63ccd05d9dbaa6923d52b1446a62fe to resolve the issue. As a temporary workaround, consider avoiding the use of the ParseWave64HeaderConfig function until a patch is available. Restrict exposure to potentially malicious .wav files to minimize the risk of exploitation.

Exploit

Fix

Use of Uninitialized Resource


Weakness Enumeration

Related identifiers

ALSA-2020:1581
ALT-PU-2020-1107
ALT-PU-2020-2916
ALT-PU-2023-1392
BDU:2021-03440
CESA-2020_1581
CVE-2019-1010319
DLA-2525-1
MGASA-2019-0230
MGASA-2019-0231
OPENSUSE-SU-2019:2067-1
OPENSUSE-SU-2019_2067-1
OPENSUSE-SU-2021:0153-1
OPENSUSE-SU-2021:0154-1
OPENSUSE-SU-2021_0153-1
OPENSUSE-SU-2021_0154-1
OPENSUSE-SU-2024:11505-1
RHSA-2020:1581
RHSA-2020_1581
RLSA-2020:1581
SUSE-SU-2019:2191-1
SUSE-SU-2019_2191-1
SUSE-SU-2021:0186-1
USN-4062-1

Affected products

Alt Linux
Almalinux
Astra Linux
Centos
Red Hat
Rocky Linux
Suse
Ubuntu
Wavpack