Bug#770918: Two CVEs against FLAC
Erik de Castro Lopo
erikd at mega-nerd.com
Tue Nov 25 08:36:18 UTC 2014
Package: flac
Version: 1.3.0-2+b1
Severity: serious
Tags: security
From: http://lists.xiph.org/pipermail/flac-dev/2014-November/005226.html
> Google Security Team member, Michele Spagnuolo, recently found two potential
> problems in the FLAC code base. They are :
>
>
> CVE-2014-9028 : Heap buffer write overflow
> CVE-2014-8962 : Heap buffer read overflow
>
> For Linux distributions, the specific fixes for these two CVEs are available
> from Git here:
>
> https://git.xiph.org/?p=flac.git;a=commit;h=fcf0ba06ae12ccd7c67cee3c8d948df15f946b85
> https://git.xiph.org/?p=flac.git;a=commit;h=5b3033a2b355068c11fe637e14ac742d273f076e
>
> and are simple enough that they should apply cleanly to the last official
> release 1.3.0 and possibly even the previous one, 1.2.1.
>
> A pre-release (version 1.3.1pre1) for the next version which includes these
> fixes and more is available here:
>
> http://downloads.xiph.org/releases/flac/beta/
>
> A full release (version 1.3.1) will be available in the next couple of days.
-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (900, 'testing'), (800, 'unstable'), (500, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.17-rc5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_AU.UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages flac depends on:
ii libc6 2.19-13
ii libflac8 1.3.0-2+b1
flac recommends no packages.
flac suggests no packages.
-- no debconf information
More information about the pkg-multimedia-maintainers
mailing list