Amazon Linux 2 Security Advisory: ALAS-2023-2213
Advisory Release Date: 2023-08-17 11:58 Pacific
Advisory Updated Date: 2023-08-23 00:18 Pacific
A null pointer dereference bug was found in wavpack-5.4.0 The results from the ASAN log: AddressSanitizer:DEADLYSIGNAL ===================================================================84257==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x561b47a970c6 bp 0x7fff13952fb0 sp 0x7fff1394fca0 T0) ==84257==The signal is caused by a WRITE memory access. ==84257==Hint: address points to the zero page. #0 0x561b47a970c5 in main cli/wvunpack.c:834 #1 0x7efc4f5c0082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) #2 0x561b47a945ed in _start (/usr/local/bin/wvunpack+0xa5ed) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV cli/wvunpack.c:834 in main ==84257==ABORTING (CVE-2022-2476)
Affected Packages:
wavpack
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update wavpack to update your system.
aarch64:
wavpack-4.60.1-9.amzn2.0.3.aarch64
wavpack-devel-4.60.1-9.amzn2.0.3.aarch64
wavpack-debuginfo-4.60.1-9.amzn2.0.3.aarch64
i686:
wavpack-4.60.1-9.amzn2.0.3.i686
wavpack-devel-4.60.1-9.amzn2.0.3.i686
wavpack-debuginfo-4.60.1-9.amzn2.0.3.i686
src:
wavpack-4.60.1-9.amzn2.0.3.src
x86_64:
wavpack-4.60.1-9.amzn2.0.3.x86_64
wavpack-devel-4.60.1-9.amzn2.0.3.x86_64
wavpack-debuginfo-4.60.1-9.amzn2.0.3.x86_64