Source: wavpack
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for wavpack.

CVE-2022-2476[0]:
| A null pointer dereference bug was found in wavpack-5.4.0 The results
| from the ASAN log:
| AddressSanitizer:DEADLYSIGNAL
| =================================================================
| ==84257==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x561b47a970c6 bp 0x7fff13952fb0 sp 0x7fff1394fca0 T0)
| ==84257==The signal is caused by a WRITE memory access.
| ==84257==Hint: address points to the zero page.
|     #0 0x561b47a970c5 in main cli/wvunpack.c:834
|     #1 0x7efc4f5c0082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
|     #2 0x561b47a945ed in _start (/usr/local/bin/wvunpack+0xa5ed)
| AddressSanitizer can not provide additional info.
| SUMMARY: AddressSanitizer: SEGV cli/wvunpack.c:834 in main
| ==84257==ABORTING

https://github.com/dbry/WavPack/issues/121
https://github.com/dbry/WavPack/commit/25b4a2725d8568212e7cf89ca05ca29d128af7ac

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-2476
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2476

Please adjust the affected versions in the BTS as needed.