CVE-2022-2476

Upstream information

CVE-2022-2476 at MITRE

Description

A null pointer dereference bug was found in wavpack-5.4.0 The results from the ASAN log: AddressSanitizer:DEADLYSIGNAL ===================================================================84257==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x561b47a970c6 bp 0x7fff13952fb0 sp 0x7fff1394fca0 T0) ==84257==The signal is caused by a WRITE memory access. ==84257==Hint: address points to the zero page. #0 0x561b47a970c5 in main cli/wvunpack.c:834 #1 0x7efc4f5c0082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) #2 0x561b47a945ed in _start (/usr/local/bin/wvunpack+0xa5ed) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV cli/wvunpack.c:834 in main ==84257==ABORTING

---

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having low severity.

CVSS v3 Scores

	National Vulnerability Database	SUSE
Base Score	5.5	3.3
Vector	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Access Vector	Local	Local
Access Complexity	Low	Low
Privileges Required	None	None
User Interaction	Required	Required
Scope	Unchanged	Unchanged
Confidentiality Impact	None	None
Integrity Impact	None	None
Availability Impact	High	Low
CVSSv3 Version	3.1	3.1

SUSE Bugzilla entry: 1201716 [NEW]

SUSE Security Advisories:

• SUSE-SU-2022:2681-1, published Fri Aug 5 13:19:48 UTC 2022
• SUSE-SU-2022:2682-1, published Fri Aug 5 13:18:22 UTC 2022

List of released packages

Product(s)	Fixed package version(s)	References
Image SLES15-SP4-SAP Image SLES15-SP4-SAP-EC2 Image SLES15-SP4-SAPCAL Image SLES15-SP4-SAPCAL-EC2	libwavpack1 >= 5.4.0-150000.4.15.1
SUSE Linux Enterprise Desktop 15 SP3 SUSE Linux Enterprise High Performance Computing 15 SP3 SUSE Linux Enterprise Server 15 SP3 SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Linux Enterprise Storage 7.1 SUSE Manager Proxy 4.2 SUSE Manager Retail Branch Server 4.2 SUSE Manager Server 4.2	libwavpack1 >= 5.4.0-150000.4.15.1 wavpack >= 5.4.0-150000.4.15.1 wavpack-devel >= 5.4.0-150000.4.15.1	Patchnames: SUSE-SLE-Module-Basesystem-15-SP3-2022-2681 SUSE-SLE-Module-Desktop-Applications-15-SP3-2022-2681
SUSE Linux Enterprise Desktop 15 SP4 SUSE Linux Enterprise High Performance Computing 15 SP4 SUSE Linux Enterprise Server 15 SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Manager Proxy 4.3 SUSE Manager Retail Branch Server 4.3 SUSE Manager Server 4.3	libwavpack1 >= 5.4.0-150000.4.15.1 wavpack >= 5.4.0-150000.4.15.1 wavpack-devel >= 5.4.0-150000.4.15.1	Patchnames: SUSE-SLE-Module-Basesystem-15-SP4-2022-2681 SUSE-SLE-Module-Desktop-Applications-15-SP4-2022-2681
SUSE Linux Enterprise Module for Basesystem 15 SP3	libwavpack1 >= 5.4.0-150000.4.15.1	Patchnames: SUSE-SLE-Module-Basesystem-15-SP3-2022-2681
SUSE Linux Enterprise Module for Basesystem 15 SP4	libwavpack1 >= 5.4.0-150000.4.15.1	Patchnames: SUSE-SLE-Module-Basesystem-15-SP4-2022-2681
SUSE Linux Enterprise Module for Desktop Applications 15 SP3	wavpack >= 5.4.0-150000.4.15.1 wavpack-devel >= 5.4.0-150000.4.15.1	Patchnames: SUSE-SLE-Module-Desktop-Applications-15-SP3-2022-2681
SUSE Linux Enterprise Module for Desktop Applications 15 SP4	wavpack >= 5.4.0-150000.4.15.1 wavpack-devel >= 5.4.0-150000.4.15.1	Patchnames: SUSE-SLE-Module-Desktop-Applications-15-SP4-2022-2681
SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP5	libwavpack1 >= 4.60.99-5.12.1 wavpack >= 4.60.99-5.12.1 wavpack-devel >= 4.60.99-5.12.1	Patchnames: SUSE-SLE-SDK-12-SP5-2022-2682 SUSE-SLE-SERVER-12-SP5-2022-2682
SUSE Linux Enterprise Software Development Kit 12 SP5	wavpack >= 4.60.99-5.12.1 wavpack-devel >= 4.60.99-5.12.1	Patchnames: SUSE-SLE-SDK-12-SP5-2022-2682
openSUSE Leap 15.3	libwavpack1 >= 5.4.0-150000.4.15.1 libwavpack1-32bit >= 5.4.0-150000.4.15.1 wavpack >= 5.4.0-150000.4.15.1 wavpack-devel >= 5.4.0-150000.4.15.1	Patchnames: openSUSE-SLE-15.3-2022-2681
openSUSE Leap 15.4	libwavpack1 >= 5.4.0-150000.4.15.1 libwavpack1-32bit >= 5.4.0-150000.4.15.1 wavpack >= 5.4.0-150000.4.15.1 wavpack-devel >= 5.4.0-150000.4.15.1	Patchnames: openSUSE-SLE-15.4-2022-2681

---

Status of this issue by product and package

Please note that this evaluation state might be work in progress, incomplete or outdated. Also information for service packs in the LTSS phase is only included for issues meeting the LTSS criteria. If in doubt, feel free to contact us for clarification.

Product(s)	Source package	State
SUSE CaaS Platform 4.0	wavpack	In progress
SUSE Enterprise Storage 6	wavpack	In progress
SUSE Enterprise Storage 7	wavpack	In progress
SUSE Linux Enterprise Desktop 15 SP3	wavpack	Released
SUSE Linux Enterprise Desktop 15 SP4	wavpack	Released
SUSE Linux Enterprise High Performance Computing 12 SP5	wavpack	Released
SUSE Linux Enterprise High Performance Computing 15 LTSS	wavpack	In progress
SUSE Linux Enterprise High Performance Computing 15 SP1 ESPOS	wavpack	In progress
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS	wavpack	In progress
SUSE Linux Enterprise High Performance Computing 15 SP2 ESPOS	wavpack	In progress
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS	wavpack	In progress
SUSE Linux Enterprise High Performance Computing 15 SP3	wavpack	Released
SUSE Linux Enterprise High Performance Computing 15 SP4	wavpack	Released
SUSE Linux Enterprise Module for Basesystem 15 SP3	wavpack	Released
SUSE Linux Enterprise Module for Basesystem 15 SP4	wavpack	Released
SUSE Linux Enterprise Module for Desktop Applications 15 SP3	wavpack	Released
SUSE Linux Enterprise Module for Desktop Applications 15 SP4	wavpack	Released
SUSE Linux Enterprise Server 12 SP2 BCL	wavpack	In progress
SUSE Linux Enterprise Server 12 SP3 BCL	wavpack	In progress
SUSE Linux Enterprise Server 12 SP4 ESPOS	wavpack	In progress
SUSE Linux Enterprise Server 12 SP4 LTSS	wavpack	In progress
SUSE Linux Enterprise Server 12 SP5	wavpack	Released
SUSE Linux Enterprise Server 15 ESPOS	wavpack	In progress
SUSE Linux Enterprise Server 15 LTSS	wavpack	In progress
SUSE Linux Enterprise Server 15 SP1 LTSS	wavpack	In progress
SUSE Linux Enterprise Server 15 SP2 LTSS	wavpack	In progress
SUSE Linux Enterprise Server 15 SP3	wavpack	Released
SUSE Linux Enterprise Server 15 SP4	wavpack	Released
SUSE Linux Enterprise Server Business Critical Linux 15 SP1	wavpack	In progress
SUSE Linux Enterprise Server Business Critical Linux 15 SP2	wavpack	In progress
SUSE Linux Enterprise Server for SAP Applications 12 SP4	wavpack	In progress
SUSE Linux Enterprise Server for SAP Applications 12 SP5	wavpack	Released
SUSE Linux Enterprise Server for SAP Applications 15	wavpack	In progress
SUSE Linux Enterprise Server for SAP Applications 15 SP1	wavpack	In progress
SUSE Linux Enterprise Server for SAP Applications 15 SP2	wavpack	In progress
SUSE Linux Enterprise Server for SAP Applications 15 SP3	wavpack	Released
SUSE Linux Enterprise Server for SAP Applications 15 SP4	wavpack	Released
SUSE Linux Enterprise Software Development Kit 12 SP5	wavpack	Released
SUSE Linux Enterprise Storage 7.1	wavpack	Released
SUSE Manager Proxy 4.1	wavpack	In progress
SUSE Manager Proxy 4.2	wavpack	Released
SUSE Manager Proxy 4.3	wavpack	Released
SUSE Manager Retail Branch Server 4.1	wavpack	In progress
SUSE Manager Retail Branch Server 4.2	wavpack	Released
SUSE Manager Retail Branch Server 4.3	wavpack	Released
SUSE Manager Server 4.1	wavpack	In progress
SUSE Manager Server 4.2	wavpack	Released
SUSE Manager Server 4.3	wavpack	Released
SUSE OpenStack Cloud 9	wavpack	In progress
SUSE OpenStack Cloud Crowbar 9	wavpack	In progress