[SECURITY] [DLA 99-1] flac security update

2014-12-0519:00:39

lists.debian.org

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.652 Medium

EPSS

Percentile

97.9%

JSON

Package : flac
Version : 1.2.1-2+deb6u1
CVE ID : CVE-2014-8962 CVE-2014-9028

Michele Spagnuolo, of Google Security Team, and Miroslav Lichvar, of
Red Hat, discovered two issues in flac, a library handling Free
Lossless Audio Codec media: by providing a specially crafted FLAC
file, an attacker could execute arbitrary code.

CVE-2014-8962

 heap-based buffer overflow in stream_decoder.c, allowing
 remote attackers to execute arbitrary code via a specially
 crafted .flac file.

CVE-2014-9028

 stack-based buffer overflow in stream_decoder.c, allowing
 remote attackers to execute arbitrary code via a specially
 crafted .flac file.

OSVersionArchitecturePackageVersionFilename
Debian6alllibflac++6< 1.2.1-2+deb6u1libflac++6_1.2.1-2+deb6u1_all.deb
Debian6alllibflac-dev< 1.2.1-2+deb6u1libflac-dev_1.2.1-2+deb6u1_all.deb
Debian6allflac< 1.2.1-2+deb6u1flac_1.2.1-2+deb6u1_all.deb
Debian6alllibflac8< 1.2.1-2+deb6u1libflac8_1.2.1-2+deb6u1_all.deb
Debian6alllibflac++-dev< 1.2.1-2+deb6u1libflac++-dev_1.2.1-2+deb6u1_all.deb
Debian6alllibflac-doc< 1.2.1-2+deb6u1libflac-doc_1.2.1-2+deb6u1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	6	all	libflac++6	< 1.2.1-2+deb6u1	libflac++6_1.2.1-2+deb6u1_all.deb
Debian	6	all	libflac-dev	< 1.2.1-2+deb6u1	libflac-dev_1.2.1-2+deb6u1_all.deb
Debian	6	all	flac	< 1.2.1-2+deb6u1	flac_1.2.1-2+deb6u1_all.deb
Debian	6	all	libflac8	< 1.2.1-2+deb6u1	libflac8_1.2.1-2+deb6u1_all.deb
Debian	6	all	libflac++-dev	< 1.2.1-2+deb6u1	libflac++-dev_1.2.1-2+deb6u1_all.deb
Debian	6	all	libflac-doc	< 1.2.1-2+deb6u1	libflac-doc_1.2.1-2+deb6u1_all.deb