Skip to main content

Notice

Please note that most of the software linked on this forum is likely to be safe to use. If you are unsure, feel free to ask in the relevant topics, or send a private message to an administrator or moderator. To help curb the problems of false positives, or in the event that you do find actual malware, you can contribute through the article linked here.
Topic: WavPack 5.2.0 Release (Read 8046 times) previous topic - next topic
0 Members and 1 Guest are viewing this topic.

WavPack 5.2.0 Release

A few days ago I finished up a new WavPack release. The primary motivation for this was to include fixes for ten CVEs that have been filed since the previous version was made almost three years ago. Fortunately most of the CVEs are completely harmless (unexploitable) and the few that might have exploits only affect the command-line encoder (wavpack.exe), not the library. However, when I discovered that distro maintainers were backporting these fixes into older revisions of WavPack (because it's not their job to evaluate the potential threat of a CVE) I decided I must get a new release out ASAP.

There also are three years of minor fixes in there, including two bugs that might affect Foobar2000 users: verify (-v) failing with hybrid lossless mode from stdin source and fixing WAV headers when ignoring length (-i) mode is used.

Finally, in other news, WavPack is now using Travis CI for build verification, has support for CMake, and has been accepted and running in Google's OSS-fuzz project.

I have not updated the official website yet, but all the packages and binaries are posted on GitHub.

Changes:
  • fixed: potential security issues including the following CVEs:
             CVE-2018-19840 CVE-2018-19841 CVE-2018-10536
             CVE-2018-10537 CVE-2018-10538 CVE-2018-10539
             CVE-2018-10540 CVE-2018-7254  CVE-2018-7253
             CVE-2018-6767
  • added: support for CMake, Travis CI, and Google's OSS-fuzz
  • fixed: use correction file for encode verify (pipe input, Windows)
  • fixed: correct WAV header with actual length (pipe input, -i option)
  • fixed: thumb interworking and not needing v6 architecture (ARM asm)
  • added: handle more ID3v2.3 tag items and from all file types
  • fixed: coredump on Sparc64 (changed MD5 implementation)
  • fixed: handle invalid ID3v2.3 tags from sacd-ripper
  • fixed: several corner-case memory leaks

Thanks so much to all the people who helped on WavPack over the last three years, and of course thanks to all the users!

Re: WavPack 5.2.0 Release

Reply #1
Thanks for the new relase ....
It has not yet been included in the Ubuntu repositories because I see that there is 5.1
Thank you

Re: WavPack 5.2.0 Release

Reply #2
Ubuntu will probably rather backport the security changes, instead of updating it. At least if you're on LTS.

Re: WavPack 5.2.0 Release

Reply #3
I have the 18.04 LTS

 

Re: WavPack 5.2.0 Release

Reply #4
The security fixes have been patched in the 5.1.0-2ubuntu1.4 version that goes with Ubuntu 18.04. See here. That was in July.

The only thing in the new release that might be useful on Ubuntu would be the improved ID3v2 tag importing which can now be used with all file types, handles a lot more fields, and handles the corrupt tags made by sacd_ripper. If you want those improvements you need to build from source and install because as kode54 says, they're not likely to bring 5.2.0 into an LTS.


Re: WavPack 5.2.0 Release

Reply #5
Or you can wait until next year, when 20.04 is due. Of course, your distribution won't offer to automatically upgrade to it until it reaches 20.04.1.

Re: WavPack 5.2.0 Release

Reply #6

If you want those improvements you need to build from source and install because as kode54 says, they're not likely to bring 5.2.0 into an LTS.
Well, those improvements would be useful to me but I don't know how to install them, in fact I noticed that many tags from the dsf are not imported, patience I will wait for the release of the new LTS in April where I hope there is the default 5.2
Thank you



Re: WavPack 5.2.0 Release

Reply #7
Even if you're not comfortable building and installing the new version, there's no reason to wait until the next LTS, especially since there's no guarantee they'll update to 5.2.0 then.

I created a static build of the executables for Ubuntu that should work fine on your system, and since they include the library you don't have to worry about anything getting messed up. Just copy them (as root) into /usr/local/bin and bash will pick them up first (the installed versions should be in /usr/bin). You might have to restart the shell or do a hash -r command to use them the first time.

If they don't work right (I'm pretty sure they will) or you decide to go back to the previous installed version, just delete them and it will be like they never existed. Obviously you'll want to delete them before you try to update to the next LTS.

Of course you should not normally just run Linux executables that someone posted on a forum, and if you don't feel comfortable doing that now I can also show you how to build these same files on your system, again without messing anything up.

Re: WavPack 5.2.0 Release

Reply #8
My usr / local / bin folder is empty but if I open it as an administrator it tells me that I don't have permission to insert files inside, I don't know why ...... I have to put the loose files or the whole wavpack-5.2 folder .0-bin?
Thank you

Re: WavPack 5.2.0 Release

Reply #9
You need to copy the 4 files individually, not the folder.

Check your PM...  :)

Re: WavPack 5.2.0 Release

Reply #10
Another singleuser way is to run them from the user profile dir - e.g . ~/Downloads/wavpack. You can even compile into the /home folder by ./configure --prefix ~

Anyway thats what I do when playing with linux.  In windows similarly , I run non-installer apps from my userprofile. this way you avoid permission issues / risks of messing system wide things.

Re: WavPack 5.2.0 Release

Reply #11
Yay for a new WavPack (maintenance) release!

Thanks David, and have a great 2020.
WavPack 5.6.0 -b384hx6cmv / qaac64 2.80 -V 100

Re: WavPack 5.2.0 Release

Reply #12
I managed to put the files in the usr / local / bin folder, I practically had the zipped file in the download folder, I extracted the wavpack-5.2.0-bin folder and then I opened it as an administrator, next to it I opened a new tab and I went to / usr / local / bin and I put the 4 files, everything went well, I also made a conversion from dsf to wv terminal and wrote me that I have version 5.2 and I noticed that now it imports tags that didn't matter before.
Thanks and Happy 2020 David

Re: WavPack 5.2.0 Release

Reply #13
Ubuntu will probably rather backport the security changes, instead of updating it. At least if you're on LTS.

Good luck with that.

GNOME Web (Epiphany) has had problems with Ubuntu, including leaving old versions in there when they have serious problems and  4-5 newer stable releases had been out for some time. Not building it with a library required to make it work right. Leaving a version of WebkitGTK (which is a browser engine where CVEs are very serious) that had almost 200 unfixed CVEs in it.

WebkitGTK is used all over GNOME and even in parts of Ubuntu that are there by default. If a user installs Geary, Evolution, Web/Epiphany.... It's there when GNOME Initial Setup runs and asks the user for her account passwords on various things like Google, Microsoft, and Facebook.

I don't know if their behavior has improved, but it shocked me that a distribution that claims to be suitable for enterprises and is "supported" professionally could possibly do things like that. The author even considered putting a time bomb in the web browser set to go off in case Ubuntu left the user marooned with an old unsafe browser again.

I know that the CVEs closed in this WavPack release are not nearly as bad, but I would not trust Canonical/Ubuntu with a spare computer that I just play around with, much less anything important.

Re: WavPack 5.2.0 Release

Reply #14
You need to copy the 4 files individually, not the folder.

Check your PM...  :)

In the case of foobar2000, simply squashing wavpack.exe in the Encoders folder with the 64-bit version for Windows will work. (I use foobar2000 in Wine as a transcoding tool sometimes).

Re: WavPack 5.2.0 Release

Reply #15
It often happens since I put the new version that importing the tags I find myself with strange characters like these
Examples 罻注! 堀ӟA 捹츍⊽放q

Re: WavPack 5.2.0 Release

Reply #16
It often happens since I put the new version that importing the tags I find myself with strange characters like these
Examples 罻注! 堀ӟA 捹츍⊽放q
That's not good. Can you please send me a file that shows this? I don't need the original .dsf file, the WavPack file will be fine. Thanks!


Re: WavPack 5.2.0 Release

Reply #18
Thanks for the sample!

Yes, this is a bug. Fortunately the only issue is a few garbage characters might be added to the tags, and they can be easily removed with the wvtag program by re-importing them (no need to convert again):

wvtag --import-id3 filename.wv

I have created a new set of binaries of version 5.2.1, but I will probably not do an official release. Please let me know if you have any more trouble, and thanks again for reporting this!

-David

Re: WavPack 5.2.0 Release

Reply #19
Since I changed PC shortly I will have to do a new installation of Ubuntu 18.04 lts, on the repositories it seems to me that there is still 5.1, how can I do to immediately put the new 5.2?
Thank you

Re: WavPack 5.2.0 Release

Reply #20
Well, you don't really want 5.2 anyway because it has the garbage character bug that affects you.

I would suggest accepting their 5.1 (which probably has the 5.2 fixes back-ported) and then use the same technique as before to install the fixed 5.2.1 I posted above.

Re: WavPack 5.2.0 Release

Reply #21
Thanks for the great work!
I have all my music (some dsd some hi-res(32bit/24bit 96khz) audio) in wavpack 5.1

Looks like there is not re-encode mode in WAVPACK.exe comman-line.
Any good idea for clean re-encoded ver5.3  wavpackfile  from a command line batch without losing metadata (or say import tags again?)
(clean means want to clear all the garbage characters  and somewhat that bug which is defined on the previous version)

Last last long long time I just decode(WVUNPACK) and then encode and manually copy the metadat from the old flac files by Copy paste on foobar2000. Don't want to do it again..


Re: WavPack 5.2.0 Release

Reply #22
Last last long long time I just decode(WVUNPACK) and then encode and manually copy the metadat from the old flac files by Copy paste on foobar2000. Don't want to do it again..
There's no reason to do that again. Assuming that you did not use -r during the original encode (which discards the original headers and trailers) then you can just do this:

Code: [Select]
wvtag --import-id3 *.wv

That should read the ID3 tags in their original form and reapply each one to the WavPack file. This will fix any case of the garbage characters caused by the previous bug. However, that bug was introduced in version 5.2 and only applies to TXXX tags; if you actually encoded with 5.1 then you won't have any of those cases because 5.1 ignored the TXXX tags, but you might want to do this to get any TXXX tags in the files.

Also, there is a way to re-encode with wavpack.exe and you could do that also, but it would just be a waste of time and CPU power (unless you wanted to encode with a different quality or mode):

Code: [Select]
wavpack -y --import-id3 *.wv

Good luck!

Re: WavPack 5.2.0 Release

Reply #23
There's no reason to do that again.
Thanks for the reply!
Oh! So these two version 5.2,5.3 does not affect the encode result.
Anyway, I would do a Small-scale testing to see the result is same one bit-to-bit or not.
Thanks Again!