CVE-2019-1010317

MEDIUM

WavPack <5.1.0 - Use of Uninitialized Variable

Title source: llm

Description

WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable. The impact is: Unexpected control flow, crashes, and segfaults. The component is: ParseCaffHeaderConfig (caff.c:486). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b.

References (8)

[Exploit, Issue Tracking, Third Party Advisory] https://github.com/dbry/WavPack/issues/66

[Patch, Third Party Advisory] https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b

View Patch ZIP pw:eip

[Third Party Advisory] https://usn.ubuntu.com/4062-1/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYESOAZ6Z6IG4BQBURL6OUY6P4YB6SKS/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IX3J2JML5A7KC2BLGBEFTIIZR3EM7LVJ/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CFFFWIWALGQPKINRDW3PRGRD5LOLGZA/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRWQNE3TH5UF64IKHKKHVCHJHUOVKJUH/

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2021/01/msg00013.html

Scores

CVSS v3 5.5

EPSS 0.0147

EPSS Percentile 81.0%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Details

CWE

CWE-457 CWE-908

Status published

Products (7)

canonical/ubuntu_linux 18.04

canonical/ubuntu_linux 19.04

debian/debian_linux 9.0

fedoraproject/fedora 29

fedoraproject/fedora 30

fedoraproject/fedora 31

wavpack/wavpack < 5.1.0

Published Jul 11, 2019

Tracked Since Feb 18, 2026