Bug#853076: wavpack: CVE-2016-10169 CVE-2016-10170 CVE-2016-10171 CVE-2016-10172

Salvatore Bonaccorso carnil at debian.org
Sun Jan 29 15:45:02 UTC 2017

Source: wavpack
Version: 5.0.0-1
Severity: important
Tags: security upstream patch fixed-upstream


The following vulnerabilities were published for wavpack.

global buffer overread in read_code / read_words.c

heap out of bounds read in WriteCaffHeader / caff.c

heap out of bounds read in unreorder_channels / wvunpack.c

heap oob read in read_new_config_info / open_utils.c

They are all fixed by the same commit [4] upstream.

Unless I'm wrong, I think those issues would not warrant a DSA for
jessie, but could you please make the fix be included in stretch so
that we do not ship wavpack affected by these?

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-10169
[1] https://security-tracker.debian.org/tracker/CVE-2016-10170
[2] https://security-tracker.debian.org/tracker/CVE-2016-10171
[3] https://security-tracker.debian.org/tracker/CVE-2016-10172
[4] https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc

Please adjust the affected versions in the BTS as needed.
