Bug#770918: Two CVEs against FLAC
Erik de Castro Lopo
erikd at mega-nerd.com
Thu Nov 27 03:58:05 UTC 2014
Erik de Castro Lopo wrote:
> Package: flac
> Version: 1.3.0-2+b1
> Severity: serious
> Tags: security
>
> From: http://lists.xiph.org/pipermail/flac-dev/2014-November/005226.html
>
> > Google Security Team member, Michele Spagnuolo, recently found two potential
> > problems in the FLAC code base. They are :
> >
> > CVE-2014-9028 : Heap buffer write overflow
> > CVE-2014-8962 : Heap buffer read overflow
> >
> > For Linux distributions, the specific fixes for these two CVEs are available
> > from Git here:
> >
> > https://git.xiph.org/?p=flac.git;a=commit;h=fcf0ba06ae12ccd7c67cee3c8d948df15f946b85
> > https://git.xiph.org/?p=flac.git;a=commit;h=5b3033a2b355068c11fe637e14ac742d273f076e
> >
> > and are simple enough that they should apply cleanly to the last official
> > release 1.3.0 and possibly even the previous one, 1.2.1.
One more patch to cherry pick:
https://git.xiph.org/?p=flac.git;a=commit;h=5a365996d739bdf4711af51d9c2c71c8a5e14660
> > A pre-release (version 1.3.1pre1) for the next version which includes these
> > fixes and more is available here:
> >
> > http://downloads.xiph.org/releases/flac/beta/
> >
> > A full release (version 1.3.1) will be available in the next couple of days.
The 1.3.1 release is available here:
http://downloads.xiph.org/releases/flac/
Cheers,
Erik
--
----------------------------------------------------------------------
Erik de Castro Lopo
http://www.mega-nerd.com/
More information about the pkg-multimedia-maintainers
mailing list