FS#69234 - [wavpack] fix integer overflow CVE-2020-35738
Attached to Project: Arch Linux
Opened by T.J. Townsend (blakkheim) - Wednesday, 06 January 2021, 16:37 GMT
Last edited by Felix Yan (felixonmars) - Monday, 11 January 2021, 22:32 GMT
Details

Description: The WavPack package is currently vulnerable to an integer overflow that has been fixed upstream: https://github.com/dbry/WavPack/commit/89df160596132e3bd666322e1c20b2ebd4b92cd0 https://launchpad.net/ubuntu/+source/wavpack/5.3.0-1ubuntu0.1 (Please also see
          
Closed by Felix Yan (felixonmars)
Monday, 11 January 2021, 22:32 GMT
Reason for closing: Fixed
Additional comments about closing: 5.3.0-2
          
Comment by Jonas Witschel (diabonas) - Wednesday, 06 January 2021, 17:23 GMT

Applying commit 89df160596132e3bd666322e1c20b2ebd4b92cd0 is not enough to fix the issue, you need commits 63f3ec70129843dd64e11aa4c21c4a1cf00c9f1c and 89df160596132e3bd666322e1c20b2ebd4b92cd0, see https://github.com/dbry/WavPack/issues/91 and https://security.archlinux.org/CVE-2020-35738
            
Comment by T.J. Townsend (blakkheim) - Wednesday, 06 January 2021, 17:56 GMT

Attached diff with both commits for consideration.
            
           
wavpack.diff (1.5 KiB)