SB2019090513 - OpenSUSE Linux update for wavpack
Published: September 5, 2019
Security Bulletin ID
SB2019090513
Severity
Low
Patch available
YES
Number of vulnerabilities
2
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Improper Initialization (CVE-ID: CVE-2019-1010319)
The vulnerability allows a remote attacker to cause a denial of service (DoS) condition on the targeted system.
The vulnerability exists due to an uninitialized read condition in the "ParseWave64HeaderConfig()" function in "wave64.c" file when parsing .wav files. A remote attacker can trick a victim to open a specially crafted .wav file and crash the affected application.
2) Input validation error (CVE-ID: CVE-2019-11498)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in the WavpackSetConfiguration64() function in the pack_utils.c file within the libwavpack.a. A remote attacker can trick the victim to open a specially crafted DFF file that lacks valid sample-rate data and crash the affected application.
Remediation
Install update from vendor's website.