Bug#853076: wavpack: CVE-2016-10169 CVE-2016-10170 CVE-2016-10171 CVE-2016-10172
carnil at debian.org
Sun Jan 29 15:45:02 UTC 2017
Tags: security upstream patch fixed-upstream
The following vulnerabilities were published for wavpack.
global buffer overread in read_code / read_words.c
heap out of bounds read in WriteCaffHeader / caff.c
heap out of bounds read in unreorder_channels / wvunpack.c
heap oob read in read_new_config_info / open_utils.c
They are all fixed by the same commit upstream.
Unless I'm wrong, I think those issues would not warrant a DSA for
jessie, but could you please make the fix be included in stretch so
that we do not ship wavpack affected by these?
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
Please adjust the affected versions in the BTS as needed.