ESB-2018.1437 - [Debian] wavpack: Multiple vulnerabilities 2018-05-10


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1437
                          wavpack security update
                                10 May 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           wavpack
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-10540 CVE-2018-10539 CVE-2018-10538
                   CVE-2018-10537 CVE-2018-10536 

Reference:         ESB-2018.1332

Original Bulletin: 
   http://www.debian.org/security/2018/dsa-4197

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4197-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 09, 2018                          https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : wavpack
CVE ID         : CVE-2018-10536 CVE-2018-10537 CVE-2018-10538 CVE-2018-10539 
                 CVE-2018-10540

Multiple vulnerabilities were discovered in the wavpack audio codec which
could result in denial of service or the execution of arbitrary code if
malformed media files are processed.

The oldstable distribution (jessie) is not affected.

For the stable distribution (stretch), these problems have been fixed in
version 5.0.0-2+deb9u2.

We recommend that you upgrade your wavpack packages.

For the detailed security status of wavpack please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/wavpack

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----