Bugzilla – Bug 906831
VUL-0: CVE-2014-8962 flac: stack overflow may result in arbitrary code execution
Last modified: 2015-02-19 02:33:59 UTC
rh#1167236 There are currently no publicly available details about this issue. The commit will be included in flac 1.3.1: https://git.xiph.org/?p=flac.git;a=patch;h=5b3033a2b355068c11fe637e14ac742d273f076e I will add more details once we have them. Maintained for SLE 10 SP3 (Terradata), otherwise only openSUSE. Maybe we will switch this to VUL-1.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1167236
http://lists.xiph.org/pipermail/flac-dev/2014-November/005185.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8962
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8962
bugbot adjusting priority
A stack overflow, which may result in arbitrary code execution, can be triggered by passing a maliciously crafted .flac file to the libFLAC decoder.
Affected version: libFLAC <= 1.3.0
Fixed version: libFLAC >= 1.3.1
Credit: vulnerability report from Michele Spagnuolo of Google Security Team <mikispag AT google.com>
Fix is in https://git.xiph.org/?p=flac.git;a=commit;h=5b3033a2b355068c11fe637e14ac742d273f076e
This is an autogenerated message for OBS integration: This bug (906831) was mentioned in https://build.opensuse.org/request/show/263101 13.1 / flac
This is an autogenerated message for OBS integration: This bug (906831) was mentioned in https://build.opensuse.org/request/show/263124 13.2 / flac
This is an autogenerated message for OBS integration: This bug (906831) was mentioned in https://build.opensuse.org/request/show/263130 12.3 / flac
The fixed packages are submitted to SLE10, SLE11, SLE12, openSUSE 12.3, 13.1 and 13.2.
Done.
This is an autogenerated message for OBS integration: This bug (906831) was mentioned in
https://build.opensuse.org/request/show/263297 13.2 / flac
https://build.opensuse.org/request/show/263298 12.3 / flac
https://build.opensuse.org/request/show/263299 13.1 / flac
An update workflow for this issue was started. This issue was rated as low. Please submit fixed packages until 2014-12-26. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/59824
SUSE-SU-2014:1577-1: An update that fixes two vulnerabilities is now available.
Category: security (low)
Bug References: 906831,907016
CVE References: CVE-2014-8962,CVE-2014-9028
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): flac-1.2.1-68.17.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src): flac-1.2.1-68.17.1
SUSE Linux Enterprise Server 11 SP3 (src): flac-1.2.1-68.17.1
SUSE Linux Enterprise Desktop 11 SP3 (src): flac-1.2.1-68.17.1
openSUSE-SU-2014:1588-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 906831,907016
CVE References: CVE-2014-8962,CVE-2014-9028
Sources used:
openSUSE 13.2 (src): flac-1.3.0-4.4.1
openSUSE 13.1 (src): flac-1.3.0-2.4.1
openSUSE 12.3 (src): flac-1.2.1_git201212051942-3.4.1
SUSE-SU-2014:1663-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 906831,907016
CVE References: CVE-2014-8962,CVE-2014-9028
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): flac-1.3.0-6.1
SUSE Linux Enterprise Server 12 (src): flac-1.3.0-6.1
SUSE Linux Enterprise Desktop 12 (src): flac-1.3.0-6.1