CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS
Percentile
87.8%
Severity: High
Date : 2018-02-23
CVE-ID : CVE-2018-6767 CVE-2018-7253 CVE-2018-7254
Package : wavpack
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-631
The package wavpack before version 5.1.0-2 is vulnerable to arbitrary
code execution.
Upgrade to 5.1.0-2.
The problems have been fixed upstream in version 5.1.0.
None.
A stack-based buffer over-read in the ParseRiffHeaderConfig function of
cli/riff.c file of WavPack 5.1.0 allows a remote attacker to cause a
denial-of-service attack or possibly have unspecified other impact via
a maliciously crafted RF64 file.
The ParseDsdiffHeaderConfig function of the cli/dsdiff.c file of
WavPack 5.1.0 allows a remote attacker to cause a denial-of-service
(heap-based buffer over-read) or possibly overwrite the heap via a
maliciously crafted DSDIFF file.
The ParseCaffHeaderConfig function of the cli/caff.c file of WavPack
5.1.0 allows a remote attacker to cause a denial-of-service (global
buffer over-read), or possibly trigger a buffer overflow or incorrect
memory allocation, via a maliciously crafted CAF file.
A remote attacker is able to execute arbitrary code on the affected
host via maliciously crafted files.
https://bugs.archlinux.org/task/57609
https://github.com/dbry/WavPack/commit/d5bf76b5a88d044a1be1d5656698e3ba737167e5
https://github.com/dbry/WavPack/issues/27
https://github.com/dbry/WavPack/commit/36a24c7881427d2e1e4dc1cef58f19eee0d13aec
https://github.com/dbry/WavPack/issues/28
https://github.com/dbry/WavPack/commit/8e3fe45a7bac31d9a3b558ae0079e2d92a04799e
https://github.com/dbry/WavPack/issues/26
https://security.archlinux.org/CVE-2018-6767
https://security.archlinux.org/CVE-2018-7253
https://security.archlinux.org/CVE-2018-7254
bugs.archlinux.org/task/57609
github.com/dbry/WavPack/commit/36a24c7881427d2e1e4dc1cef58f19eee0d13aec
github.com/dbry/WavPack/commit/8e3fe45a7bac31d9a3b558ae0079e2d92a04799e
github.com/dbry/WavPack/commit/d5bf76b5a88d044a1be1d5656698e3ba737167e5
github.com/dbry/WavPack/issues/26
github.com/dbry/WavPack/issues/27
github.com/dbry/WavPack/issues/28
security.archlinux.org/AVG-631
security.archlinux.org/CVE-2018-6767
security.archlinux.org/CVE-2018-7253
security.archlinux.org/CVE-2018-7254
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS
Percentile
87.8%