CVE-2022-2476

2022-07-1920:15:11

Debian Security Bug Tracker

security-tracker.debian.org

cve-2022-2476

wavpack-5.4.0

null pointer

segv

unknown address

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

36.0%

JSON

A null pointer dereference bug was found in wavpack-5.4.0 The results from the ASAN log: AddressSanitizer:DEADLYSIGNAL ===================================================================84257==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x561b47a970c6 bp 0x7fff13952fb0 sp 0x7fff1394fca0 T0) ==84257==The signal is caused by a WRITE memory access. ==84257==Hint: address points to the zero page. #0 0x561b47a970c5 in main cli/wvunpack.c:834 #1 0x7efc4f5c0082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) #2 0x561b47a945ed in _start (/usr/local/bin/wvunpack+0xa5ed) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV cli/wvunpack.c:834 in main ==84257==ABORTING

OSVersionArchitecturePackageVersionFilename
Debian12allwavpack< 5.5.0-1wavpack_5.5.0-1_all.deb
Debian11allwavpack<= 5.4.0-1wavpack_5.4.0-1_all.deb
Debian999allwavpack< 5.5.0-1wavpack_5.5.0-1_all.deb
Debian13allwavpack< 5.5.0-1wavpack_5.5.0-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	wavpack	< 5.5.0-1	wavpack_5.5.0-1_all.deb
Debian	11	all	wavpack	<= 5.4.0-1	wavpack_5.4.0-1_all.deb
Debian	999	all	wavpack	< 5.5.0-1	wavpack_5.5.0-1_all.deb
Debian	13	all	wavpack	< 5.5.0-1	wavpack_5.5.0-1_all.deb