NVD Vulnerability Detail

CVE-2020-35738

Summary	WavPack 5.3.0 has an out-of-bounds write in WavpackPackSamples in pack_utils.c because of an integer overflow in a malloc argument. NOTE: some third-parties claim that there are later "unofficial" releases through 5.3.2, which are also affected.
Publication Date	Dec. 28, 2020, 1:15 p.m.
Registration Date	Jan. 26, 2021, 11:58 a.m.
Last Update	Nov. 21, 2024, 2:27 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:wavpack:wavpack:5.3.0:::::::*

Configuration2		or higher	or less	more than	less than
cpe:2.3:o:debian:debian_linux:9.0:::::::*

Related information, measures and tools

No	URL	タグ
1	https://github.com/dbry/WavPack/issues/91	Exploit Patch Third Party Advisory
2	https://github.com/dbry/WavPack/issues/91	Exploit Patch Third Party Advisory
3	https://lists.debian.org/debian-lts-announce/2021/01/msg00013.html	Mailing List Third Party Advisory
4	https://lists.debian.org/debian-lts-announce/2021/01/msg00013.html	Mailing List Third Party Advisory
5	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2YZLKYE66EU4XRHTABV5LB2G7ZDZ422F/
6	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2YZLKYE66EU4XRHTABV5LB2G7ZDZ422F/
7	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/76B7K6F74FDQATG7FECXR5KPIG52O2VL/
8	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/76B7K6F74FDQATG7FECXR5KPIG52O2VL/
9	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PENN4ZXRPZULEJOYTTLUZMBZ5H46QTUC/
10	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PENN4ZXRPZULEJOYTTLUZMBZ5H46QTUC/
11	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VDFY4NGGDUTLVID5PNVU7LL2G2ZJLZFY/
12	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VDFY4NGGDUTLVID5PNVU7LL2G2ZJLZFY/

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-787	境界外書き込み	https://cwe.mitre.org/data/definitions/787.html
2	CWE-190	整数オーバーフローまたはラップアラウンド	https://cwe.mitre.org/data/definitions/190.html

JVN Vulnerability Information

WavPack における整数オーバーフローの脆弱性

Title	WavPack における整数オーバーフローの脆弱性
Summary	WavPack には、整数オーバーフローの脆弱性、および境界外書き込みに関する脆弱性が存在します。
Possible impacts	情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Dec. 27, 2020, midnight
Registration Date	Sept. 6, 2021, 5:23 p.m.
Last Update	Sept. 6, 2021, 5:23 p.m.

Affected System

Debian

Debian GNU/Linux

Fedora Project

Fedora

Wavpack project

Wavpack 5.3.0

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2020-35738	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35738
National Vulnerability Database (NVD)
2	CVE-2020-35738	https://nvd.nist.gov/vuln/detail/CVE-2020-35738

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-190	https://cwe.mitre.org/data/definitions/190.html
2	CWE-787	https://cwe.mitre.org/data/definitions/787.html

ベンダー情報

No	Name	URL
Debian
1	[SECURITY] [DLA 2525-1] wavpack security update	https://lists.debian.org/debian-lts-announce/2021/01/msg00013.html
Fedora Update Notification
2	FEDORA-2021-2e2fc2eac6	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/76B7K6F74FDQATG7FECXR5KPIG52O2VL/
3	FEDORA-2021-5c83efb61c	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2YZLKYE66EU4XRHTABV5LB2G7ZDZ422F/
4	FEDORA-2021-b7826fcedf	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VDFY4NGGDUTLVID5PNVU7LL2G2ZJLZFY/
5	FEDORA-2021-de45e7bb88	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PENN4ZXRPZULEJOYTTLUZMBZ5H46QTUC/
GitHub
6	WavPack crashes with SEGFAULT #91	https://github.com/dbry/WavPack/issues/91

Change Log

No	Changed Details	Date of change
1	[2021年09月06日] 掲載	Sept. 6, 2021, 5:23 p.m.