CVE-2020-35738: Integer Overflow
First published: Mon Dec 28 2020(Updated: )
WavPack 5.3.0 has an out-of-bounds write in WavpackPackSamples in pack_utils.c because of an integer overflow in a malloc argument. NOTE: some third-parties claim that there are later "unofficial" releases through 5.3.2, which are also affected.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| libwavpack1 | =5.3.0 | |
| Debian | =9.0 | |
| Fedora | =32 | |
| Fedora | =33 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/dbry/WavPack/issues/91
- https://lists.debian.org/debian-lts-announce/2021/01/msg00013.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2YZLKYE66EU4XRHTABV5LB2G7ZDZ422F/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/76B7K6F74FDQATG7FECXR5KPIG52O2VL/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PENN4ZXRPZULEJOYTTLUZMBZ5H46QTUC/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VDFY4NGGDUTLVID5PNVU7LL2G2ZJLZFY/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2YZLKYE66EU4XRHTABV5LB2G7ZDZ422F/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PENN4ZXRPZULEJOYTTLUZMBZ5H46QTUC/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/76B7K6F74FDQATG7FECXR5KPIG52O2VL/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VDFY4NGGDUTLVID5PNVU7LL2G2ZJLZFY/
Frequently Asked Questions
What is the severity of CVE-2020-35738?
CVE-2020-35738 is considered a high-severity vulnerability due to its potential for causing out-of-bounds write conditions.
How do I fix CVE-2020-35738?
To fix CVE-2020-35738, you should update WavPack to version 5.3.2 or later, if applicable.
Which versions of WavPack are affected by CVE-2020-35738?
CVE-2020-35738 affects WavPack version 5.3.0 and may also impact unofficial releases through version 5.3.2.
What are the consequences of exploiting CVE-2020-35738?
Exploitation of CVE-2020-35738 could lead to arbitrary code execution or application crashes due to memory corruption.
Which operating systems are vulnerable to CVE-2020-35738?
CVE-2020-35738 affects WavPack on various operating systems including Debian 9.0 and Fedora versions 32 and 33.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/author
- agent/last-modified-date
- agent/remedy
- agent/severity
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/weakness
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/wavpack
- canonical/libwavpack1
- version/libwavpack1/5.3.0
- vendor/debian
- canonical/debian
- version/debian/9.0
- vendor/fedoraproject
- canonical/fedora
- version/fedora/32
- version/fedora/33