[v2.6] flac: multiple issues (CVE-2014-8962, CVE-2014-9028)
The libFLAC project, an open source library implementing reference encoders and decoders for native FLAC and Ogg FLAC audio content, suffers from multiple implementation issues.
In particular, a stack overflow and a heap overflow condition, which may result in arbitrary code execution, can be triggered by passing a maliciously crafted .flac file to the libFLAC decoder.
Affected version:
libFLAC <= 1.3.0
Fixed version:
libFLAC >= 1.3.1
Credit: vulnerability report from Michele Spagnuolo of Google Security Team <mikispag AT google.com>
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8962 (stack overflow)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9028 (heap overflow)
Timeline:
2014-11-12: heap overflow report received
2014-11-12: contacted maintainer
2014-11-14: patch provided by maintainer
2014-11-17: reporter confirms patch
2014-11-20: stack overflow vulnerability reported
2014-11-21: assigned CVE (heap overflow)
2014-11-22: contacted affected vendors
2014-11-23: contacted additional affected vendors
2014-11-25: advisory release
References:
http://seclists.org/oss-sec/2014/q4/786
https://git.xiph.org/?p=flac.git;a=commit;h=5b3033a2b355068c11fe637e14ac742d273f076e
https://git.xiph.org/?p=flac.git;a=commit;h=fcf0ba06ae12ccd7c67cee3c8d948df15f946b85
Permalink:
http://www.ocert.org/advisories/ocert-2014-008.html
(from redmine: issue id 3758, created on 2015-01-27, closed on 2017-09-05)
- Relations:
- parent #3757