Alpine: multiple wavpack packages: security update to 5.1.0-r3

high Tenable Cloud Security Plugin ID 427478

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- A stack-based buffer over-read in the ParseRiffHeaderConfig function of cli/riff.c file of WavPack 5.1.0
allows a remote attacker to cause a denial-of-service attack or possibly have unspecified other impact via
a maliciously crafted RF64 file. (CVE-2018-6767)

- The ParseDsdiffHeaderConfig function of the cli/dsdiff.c file of WavPack 5.1.0 allows a remote attacker to
cause a denial-of-service (heap-based buffer over-read) or possibly overwrite the heap via a maliciously
crafted DSDIFF file. (CVE-2018-7253)

- The ParseCaffHeaderConfig function of the cli/caff.c file of WavPack 5.1.0 allows a remote attacker to
cause a denial-of-service (global buffer over-read), or possibly trigger a buffer overflow or incorrect
memory allocation, via a maliciously crafted CAF file. (CVE-2018-7254)

- The function WavpackPackInit in pack_utils.c in libwavpack.a in WavPack through 5.1.0 allows attackers to
cause a denial-of-service (resource exhaustion caused by an infinite loop) via a crafted wav audio file
because WavpackSetConfiguration64 mishandles a sample rate of zero. (CVE-2018-19840)

- The function WavpackVerifySingleBlock in open_utils.c in libwavpack.a in WavPack through 5.1.0 allows
attackers to cause a denial-of-service (out-of-bounds read and application crash) via a crafted WavPack
Lossless Audio file, as demonstrated by wvunpack. (CVE-2018-19841)

See Also

https://security.alpinelinux.org/vuln/CVE-2018-19840

https://security.alpinelinux.org/vuln/CVE-2018-19841

https://security.alpinelinux.org/vuln/CVE-2018-6767

https://security.alpinelinux.org/vuln/CVE-2018-7253

https://security.alpinelinux.org/vuln/CVE-2018-7254

Plugin Details

Severity: High

ID: 427478

Version: Revision 1.3

Type: Local

Published: 5/16/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 97.12

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2018-7254

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 2/6/2018

Reference Information

CVE: CVE-2018-19840, CVE-2018-19841, CVE-2018-6767, CVE-2018-7253, CVE-2018-7254