PT-2019-5868 · Dbry+7 · Wavpack+7

Rohan Padhye · Published 2019-03-04 · Updated 2024-06-15 · CVE-2019-1010317

CVSS v2.0: 7.1 (High)
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions

WavPack versions 5.1.0 and earlier

Description

The issue is related to the use of uninitialized variables in the ParseCaffHeaderConfig function of the WavPack audio codec. This can be exploited by a remote attacker using a malicious .wav file, potentially leading to unexpected control flow, crashes, and segfaults. The component affected is ParseCaffHeaderConfig in the caff.c file.

Recommendations

For WavPack versions 5.1.0 and earlier, update to a version after commit https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b to resolve the issue. As a temporary workaround, consider avoiding the use of .wav files from untrusted sources to minimize the risk of exploitation.

Exploit

Fix

Use of Uninitialized Resource


Weakness Enumeration

Related Identifiers

ALSA-2020:1581
ALT-PU-2020-1107
ALT-PU-2020-2916
ALT-PU-2023-1392
BDU:2021-03439
CESA-2020_1581
CVE-2019-1010317
DLA-2525-1
MGASA-2019-0230
MGASA-2019-0231
OPENSUSE-SU-2024:11505-1
RHSA-2020:1581
RHSA-2020_1581
RLSA-2020:1581
USN-4062-1

Affected Products

ALT Linux
AlmaLinux
Astra Linux
CentOS
Red Hat
Rocky Linux
Ubuntu
WavPack