Low: wavpack

Issue Overview:

A null pointer dereference bug was found in wavpack-5.4.0 The results from the ASAN log: AddressSanitizer:DEADLYSIGNAL ===================================================================84257==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x561b47a970c6 bp 0x7fff13952fb0 sp 0x7fff1394fca0 T0) ==84257==The signal is caused by a WRITE memory access. ==84257==Hint: address points to the zero page. #0 0x561b47a970c5 in main cli/wvunpack.c:834 #1 0x7efc4f5c0082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) #2 0x561b47a945ed in _start (/usr/local/bin/wvunpack+0xa5ed) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV cli/wvunpack.c:834 in main ==84257==ABORTING (CVE-2022-2476)

Affected Packages:

wavpack

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update wavpack to update your system.

New Packages:

aarch64:  
    wavpack-4.60.1-9.amzn2.0.3.aarch64  
    wavpack-devel-4.60.1-9.amzn2.0.3.aarch64  
    wavpack-debuginfo-4.60.1-9.amzn2.0.3.aarch64  
  
i686:  
    wavpack-4.60.1-9.amzn2.0.3.i686  
    wavpack-devel-4.60.1-9.amzn2.0.3.i686  
    wavpack-debuginfo-4.60.1-9.amzn2.0.3.i686  
  
src:  
    wavpack-4.60.1-9.amzn2.0.3.src  
  
x86_64:  
    wavpack-4.60.1-9.amzn2.0.3.x86_64  
    wavpack-devel-4.60.1-9.amzn2.0.3.x86_64  
    wavpack-debuginfo-4.60.1-9.amzn2.0.3.x86_64  

Additional References

Red Hat: CVE-2022-2476

Mitre: CVE-2022-2476