Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#69234 - [wavpack] fix integer overflow CVE-2020-35738
Attached to Project:
Arch Linux
Opened by T.J. Townsend (blakkheim) - Wednesday, 06 January 2021, 16:37 GMT
Last edited by Felix Yan (felixonmars) - Monday, 11 January 2021, 22:32 GMT
Details
Description:
The WavPack package is currently vulnerable to an integer overflow that has been fixed upstream: https://github.com/dbry/WavPack/commit/89df160596132e3bd666322e1c20b2ebd4b92cd0 https://launchpad.net/ubuntu/+source/wavpack/5.3.0-1ubuntu0.1 (Please also see
Closed by Felix Yan (felixonmars)
Monday, 11 January 2021, 22:32 GMT
Reason for closing: Fixed
Additional comments about closing: 5.3.0-2
Comment by Jonas Witschel (diabonas) -
Wednesday, 06 January 2021, 17:23 GMT
Applying commit 89df160596132e3bd666322e1c20b2ebd4b92cd0 is not enough to fix the issue; you need commits 63f3ec70129843dd64e11aa4c21c4a1cf00c9f1c and 89df160596132e3bd666322e1c20b2ebd4b92cd0. See https://github.com/dbry/WavPack/issues/91 and https://security.archlinux.org/CVE-2020-35738
Comment by T.J. Townsend (blakkheim) -
Wednesday, 06 January 2021, 17:56 GMT
Attached diff with both commits for consideration.
wavpack.diff
(1.5 KiB)