CVE-2018-19840

Published: 04 December 2018

The function WavpackPackInit in pack_utils.c in libwavpack.a in WavPack through 5.1.0 allows attackers to cause a denial-of-service (resource exhaustion caused by an infinite loop) via a crafted wav audio file because WavpackSetConfiguration64 mishandles a sample rate of zero.

Priority

Medium

CVSS 3 base score: 5.5

Status

Package: wavpack

Release                            Status
Upstream                           Released (5.1.0-5)
Ubuntu 18.04 LTS (Bionic Beaver)   Released (5.1.0-2ubuntu1.2)
Ubuntu 16.04 ESM (Xenial Xerus)    Released (4.75.2-2ubuntu0.2)
Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist (trusty was released [4.70.0-1ubuntu0.2])

Patches:
Upstream: https://github.com/dbry/WavPack/commit/070ef6f138956d9ea9612e69586152339dbefe51