vuln-list-alt/oval/c9f2/ALT-PU-2023-1392/definitions.json
2024-02-14 09:47:22 +00:00


{
"Definition": [
{
"ID": "oval:org.altlinux.errata:def:20231392",
"Version": "oval:org.altlinux.errata:def:20231392",
"Class": "patch",
"Metadata": {
"Title": "ALT-PU-2023-1392: package `wavpack` update to version 5.6.0-alt1",
"AffectedList": [
{
"Family": "unix",
"Platforms": [
"ALT Linux branch c9f2"
],
"Products": [
"ALT SPWorkstation",
"ALT SPServer"
]
}
],
"References": [
{
"RefID": "ALT-PU-2023-1392",
"RefURL": "https://errata.altlinux.org/ALT-PU-2023-1392",
"Source": "ALTPU"
},
{
"RefID": "BDU:2021-03438",
"RefURL": "https://bdu.fstec.ru/vul/2021-03438",
"Source": "BDU"
},
{
"RefID": "BDU:2021-03439",
"RefURL": "https://bdu.fstec.ru/vul/2021-03439",
"Source": "BDU"
},
{
"RefID": "BDU:2021-03440",
"RefURL": "https://bdu.fstec.ru/vul/2021-03440",
"Source": "BDU"
},
{
"RefID": "BDU:2021-03448",
"RefURL": "https://bdu.fstec.ru/vul/2021-03448",
"Source": "BDU"
},
{
"RefID": "BDU:2021-03452",
"RefURL": "https://bdu.fstec.ru/vul/2021-03452",
"Source": "BDU"
},
{
"RefID": "BDU:2021-03455",
"RefURL": "https://bdu.fstec.ru/vul/2021-03455",
"Source": "BDU"
},
{
"RefID": "CVE-2018-10536",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2018-10536",
"Source": "CVE"
},
{
"RefID": "CVE-2018-10537",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2018-10537",
"Source": "CVE"
},
{
"RefID": "CVE-2018-10538",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2018-10538",
"Source": "CVE"
},
{
"RefID": "CVE-2018-10539",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2018-10539",
"Source": "CVE"
},
{
"RefID": "CVE-2018-10540",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2018-10540",
"Source": "CVE"
},
{
"RefID": "CVE-2018-19840",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2018-19840",
"Source": "CVE"
},
{
"RefID": "CVE-2018-19841",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2018-19841",
"Source": "CVE"
},
{
"RefID": "CVE-2018-6767",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2018-6767",
"Source": "CVE"
},
{
"RefID": "CVE-2018-7253",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2018-7253",
"Source": "CVE"
},
{
"RefID": "CVE-2018-7254",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2018-7254",
"Source": "CVE"
},
{
"RefID": "CVE-2019-1010315",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010315",
"Source": "CVE"
},
{
"RefID": "CVE-2019-1010317",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010317",
"Source": "CVE"
},
{
"RefID": "CVE-2019-1010319",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010319",
"Source": "CVE"
},
{
"RefID": "CVE-2019-11498",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2019-11498",
"Source": "CVE"
}
],
"Description": "This update upgrades wavpack to version 5.6.0-alt1. \nSecurity Fix(es):\n\n * BDU:2021-03438: Уязвимость функции ParseDsdiffHeaderConfig компонента dsdiff.c аудиокодека WavPack, связанная с делением на ноль, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2021-03439: Уязвимость функции ParseCaffHeaderConfig компонента caff.c аудиокодека WavPack, связанная с использованием неинициализированных ранее переменных, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2021-03440: Уязвимость функции ParseWave64HeaderConfig компонента wave64.c аудиокодека WavPack, связанная с использованием неинициализированных ранее переменных, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2021-03448: Уязвимость функции WavpackSetConfiguration64 компонента pack_utils.c аудиокодека WavPack, связанная с доступом к неинициализированному указателю, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2021-03452: Уязвимость функции WavpackPackInit компонента pack_utils.c аудиокодека WavPack, связанная с бесконечной работой цикла, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2021-03455: Уязвимость функции WavpackVerifySingleBlock компонента open_utils.c аудиокодека WavPack, связанная с чтением за допустимыми границами буфера данных, позволяющая нарушителю вызвать отказ в обслуживании\n\n * CVE-2018-10536: An issue was discovered in WavPack 5.1.0 and earlier. The WAV parser component contains a vulnerability that allows writing to memory because ParseRiffHeaderConfig in riff.c does not reject multiple format chunks.\n\n * CVE-2018-10537: An issue was discovered in WavPack 5.1.0 and earlier. The W64 parser component contains a vulnerability that allows writing to memory because ParseWave64HeaderConfig in wave64.c does not reject multiple format chunks.\n\n * CVE-2018-10538: An issue was discovered in WavPack 5.1.0 and earlier for WAV input. 
Out-of-bounds writes can occur because ParseRiffHeaderConfig in riff.c does not validate the sizes of unknown chunks before attempting memory allocation, related to a lack of integer-overflow protection within a bytes_to_copy calculation and subsequent malloc call, leading to insufficient memory allocation.\n\n * CVE-2018-10539: An issue was discovered in WavPack 5.1.0 and earlier for DSDiff input. Out-of-bounds writes can occur because ParseDsdiffHeaderConfig in dsdiff.c does not validate the sizes of unknown chunks before attempting memory allocation, related to a lack of integer-overflow protection within a bytes_to_copy calculation and subsequent malloc call, leading to insufficient memory allocation.\n\n * CVE-2018-10540: An issue was discovered in WavPack 5.1.0 and earlier for W64 input. Out-of-bounds writes can occur because ParseWave64HeaderConfig in wave64.c does not validate the sizes of unknown chunks before attempting memory allocation, related to a lack of integer-overflow protection within a bytes_to_copy calculation and subsequent malloc call, leading to insufficient memory allocation.\n\n * CVE-2018-19840: The function WavpackPackInit in pack_utils.c in libwavpack.a in WavPack through 5.1.0 allows attackers to cause a denial-of-service (resource exhaustion caused by an infinite loop) via a crafted wav audio file because WavpackSetConfiguration64 mishandles a sample rate of zero.\n\n * CVE-2018-19841: The function WavpackVerifySingleBlock in open_utils.c in libwavpack.a in WavPack through 5.1.0 allows attackers to cause a denial-of-service (out-of-bounds read and application crash) via a crafted WavPack Lossless Audio file, as demonstrated by wvunpack.\n\n * CVE-2018-6767: A stack-based buffer over-read in the ParseRiffHeaderConfig function of cli/riff.c file of WavPack 5.1.0 allows a remote attacker to cause a denial-of-service attack or possibly have unspecified other impact via a maliciously crafted RF64 file.\n\n * CVE-2018-7253: The 
ParseDsdiffHeaderConfig function of the cli/dsdiff.c file of WavPack 5.1.0 allows a remote attacker to cause a denial-of-service (heap-based buffer over-read) or possibly overwrite the heap via a maliciously crafted DSDIFF file.\n\n * CVE-2018-7254: The ParseCaffHeaderConfig function of the cli/caff.c file of WavPack 5.1.0 allows a remote attacker to cause a denial-of-service (global buffer over-read), or possibly trigger a buffer overflow or incorrect memory allocation, via a maliciously crafted CAF file.\n\n * CVE-2019-1010315: WavPack 5.1 and earlier is affected by: CWE 369: Divide by Zero. The impact is: Divide by zero can lead to sudden crash of a software/service that tries to parse a .wav file. The component is: ParseDsdiffHeaderConfig (dsdiff.c:282). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/4c0faba32fddbd0745cbfaf1e1aeb3da5d35b9fc.\n\n * CVE-2019-1010317: WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable. The impact is: Unexpected control flow, crashes, and segfaults. The component is: ParseCaffHeaderConfig (caff.c:486). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b.\n\n * CVE-2019-1010319: WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable. The impact is: Unexpected control flow, crashes, and segfaults. The component is: ParseWave64HeaderConfig (wave64.c:211). The attack vector is: Maliciously crafted .wav file. 
The fixed version is: After commit https://github.com/dbry/WavPack/commit/33a0025d1d63ccd05d9dbaa6923d52b1446a62fe.\n\n * CVE-2019-11498: WavpackSetConfiguration64 in pack_utils.c in libwavpack.a in WavPack through 5.1.0 has a \"Conditional jump or move depends on uninitialised value\" condition, which might allow attackers to cause a denial of service (application crash) via a DFF file that lacks valid sample-rate data.",
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "High",
"Rights": "Copyright 2024 BaseALT Ltd.",
"Issued": {
"Date": "2023-03-07"
},
"Updated": {
"Date": "2023-03-07"
},
"bdu": [
{
"Cvss": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"Cvss3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"Cwe": "CWE-369",
"Href": "https://bdu.fstec.ru/vul/2021-03438",
"Impact": "Low",
"Public": "20190303",
"CveID": "BDU:2021-03438"
},
{
"Cvss": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"Cvss3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"Cwe": "CWE-908",
"Href": "https://bdu.fstec.ru/vul/2021-03439",
"Impact": "Low",
"Public": "20190304",
"CveID": "BDU:2021-03439"
},
{
"Cvss": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"Cvss3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"Cwe": "CWE-908",
"Href": "https://bdu.fstec.ru/vul/2021-03440",
"Impact": "Low",
"Public": "20190305",
"CveID": "BDU:2021-03440"
},
{
"Cvss": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"Cvss3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"Cwe": "CWE-824",
"Href": "https://bdu.fstec.ru/vul/2021-03448",
"Impact": "Low",
"Public": "20190304",
"CveID": "BDU:2021-03448"
},
{
"Cvss": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"Cvss3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"Cwe": "CWE-835",
"Href": "https://bdu.fstec.ru/vul/2021-03452",
"Impact": "Low",
"Public": "20181126",
"CveID": "BDU:2021-03452"
},
{
"Cvss": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"Cvss3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"Cwe": "CWE-125",
"Href": "https://bdu.fstec.ru/vul/2021-03455",
"Impact": "Low",
"Public": "20181129",
"CveID": "BDU:2021-03455"
}
],
"Cves": [
{
"Cvss": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"Cvss3": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"Cwe": "CWE-787",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2018-10536",
"Impact": "High",
"Public": "20180429",
"CveID": "CVE-2018-10536"
},
{
"Cvss": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"Cvss3": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"Cwe": "CWE-119",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2018-10537",
"Impact": "High",
"Public": "20180429",
"CveID": "CVE-2018-10537"
},
{
"Cvss": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"Cvss3": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"Cwe": "CWE-787",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2018-10538",
"Impact": "Low",
"Public": "20180429",
"CveID": "CVE-2018-10538"
},
{
"Cvss": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"Cvss3": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"Cwe": "CWE-787",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2018-10539",
"Impact": "Low",
"Public": "20180429",
"CveID": "CVE-2018-10539"
},
{
"Cvss": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"Cvss3": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"Cwe": "CWE-787",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2018-10540",
"Impact": "Low",
"Public": "20180429",
"CveID": "CVE-2018-10540"
},
{
"Cvss": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"Cvss3": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"Cwe": "CWE-835",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2018-19840",
"Impact": "Low",
"Public": "20181204",
"CveID": "CVE-2018-19840"
},
{
"Cvss": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"Cvss3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"Cwe": "CWE-125",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2018-19841",
"Impact": "Low",
"Public": "20181204",
"CveID": "CVE-2018-19841"
},
{
"Cvss": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"Cvss3": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"Cwe": "CWE-125",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2018-6767",
"Impact": "High",
"Public": "20180206",
"CveID": "CVE-2018-6767"
},
{
"Cvss": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"Cvss3": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"Cwe": "CWE-125",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2018-7253",
"Impact": "High",
"Public": "20180219",
"CveID": "CVE-2018-7253"
},
{
"Cvss": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"Cvss3": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"Cwe": "CWE-125",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2018-7254",
"Impact": "High",
"Public": "20180219",
"CveID": "CVE-2018-7254"
},
{
"Cvss": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"Cvss3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"Cwe": "CWE-369",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010315",
"Impact": "Low",
"Public": "20190711",
"CveID": "CVE-2019-1010315"
},
{
"Cvss": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"Cvss3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"Cwe": "CWE-908",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010317",
"Impact": "Low",
"Public": "20190711",
"CveID": "CVE-2019-1010317"
},
{
"Cvss": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"Cvss3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"Cwe": "CWE-908",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010319",
"Impact": "Low",
"Public": "20190711",
"CveID": "CVE-2019-1010319"
},
{
"Cvss": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"Cwe": "CWE-824",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2019-11498",
"Impact": "Low",
"Public": "20190424",
"CveID": "CVE-2019-11498"
}
],
"AffectedCpeList": {
"Cpe": [
"cpe:/o:alt:spworkstation:8.4",
"cpe:/o:alt:spserver:8.4"
]
}
}
},
"Criteria": {
"Operator": "AND",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:3001",
"Comment": "ALT Linux must be installed"
}
],
"Criterias": [
{
"Operator": "OR",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:20231392001",
"Comment": "libwavpack is earlier than 0:5.6.0-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20231392002",
"Comment": "libwavpack-devel is earlier than 0:5.6.0-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20231392003",
"Comment": "wavpack is earlier than 0:5.6.0-alt1"
}
]
}
]
}
}
]
}