Bug 907016 (CVE-2014-9028) - VUL-0: CVE-2014-9028: flac: Heap overflow via specially crafted .flac files
Summary: VUL-0: CVE-2014-9028: flac: Heap overflow via specially crafted .flac files
Status: RESOLVED FIXED
Alias: CVE-2014-9028
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Deadline: 2014-12-26
Assignee: Takashi Iwai
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sle10-sp3:59826 maint:...
Keywords:
Depends on:
Blocks:
 
Reported: 2014-11-25 09:21 UTC by Johannes Segitz
Modified: 2015-02-19 02:34 UTC (History)
0 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Johannes Segitz 2014-11-25 09:21:19 UTC 
A heap overflow which may result in arbitrary code execution, can be triggered by passing a maliciously crafted .flac file to the libFLAC decoder.

Affected version: libFLAC <= 1.3.0

Fixed version: libFLAC >= 1.3.1

Credit: vulnerability report from Michele Spagnuolo of Google Security Team <mikispag AT google.com>

Fix is in https://git.xiph.org/?p=flac.git;a=commit;h=fcf0ba06ae12ccd7c67cee3c8d948df15f946b85
Comment 1 Swamp Workflow Management 2014-11-25 23:00:45 UTC 
bugbot adjusting priority
Comment 3 Bernhard Wiedemann 2014-11-26 12:00:26 UTC 
This is an autogenerated message for OBS integration:
This bug (907016) was mentioned in
https://build.opensuse.org/request/show/263101 13.1 / flac
Comment 5 Bernhard Wiedemann 2014-11-26 14:00:25 UTC 
This is an autogenerated message for OBS integration:
This bug (907016) was mentioned in
https://build.opensuse.org/request/show/263124 13.2 / flac
Comment 6 Bernhard Wiedemann 2014-11-26 15:00:22 UTC 
This is an autogenerated message for OBS integration:
This bug (907016) was mentioned in
https://build.opensuse.org/request/show/263130 12.3 / flac
Comment 7 Takashi Iwai 2014-11-26 21:16:46 UTC 
The fixed packages are submitted to SLE10, SLE11, SLE12, openSUSE 12.3, 13.1 and 13.2.
Comment 9 Bernhard Wiedemann 2014-11-28 10:00:33 UTC 
This is an autogenerated message for OBS integration:
This bug (907016) was mentioned in
https://build.opensuse.org/request/show/263297 13.2 / flac
https://build.opensuse.org/request/show/263298 12.3 / flac
https://build.opensuse.org/request/show/263299 13.1 / flac
Comment 10 Swamp Workflow Management 2014-11-28 12:03:59 UTC 
An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages until 2014-12-26.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/59824
Comment 12 Swamp Workflow Management 2014-12-06 06:05:00 UTC 
SUSE-SU-2014:1577-1: An update that fixes two vulnerabilities is now available.

Category: security (low)
Bug References: 906831,907016
CVE References: CVE-2014-8962,CVE-2014-9028
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    flac-1.2.1-68.17.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    flac-1.2.1-68.17.1
SUSE Linux Enterprise Server 11 SP3 (src):    flac-1.2.1-68.17.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    flac-1.2.1-68.17.1
Comment 13 Swamp Workflow Management 2014-12-08 16:05:12 UTC 
openSUSE-SU-2014:1588-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 906831,907016
CVE References: CVE-2014-8962,CVE-2014-9028
Sources used:
openSUSE 13.2 (src):    flac-1.3.0-4.4.1
openSUSE 13.1 (src):    flac-1.3.0-2.4.1
openSUSE 12.3 (src):    flac-1.2.1_git201212051942-3.4.1
Comment 14 Swamp Workflow Management 2014-12-18 14:05:06 UTC 
SUSE-SU-2014:1663-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 906831,907016
CVE References: CVE-2014-8962,CVE-2014-9028
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    flac-1.3.0-6.1
SUSE Linux Enterprise Server 12 (src):    flac-1.3.0-6.1
SUSE Linux Enterprise Desktop 12 (src):    flac-1.3.0-6.1