GLSA Advocate
Joined: 12 May 2004 Posts: 2663
|
Posted: Fri Dec 26, 2014 3:26 am Post subject: [ GLSA 201412-40 ] FLAC: User-assisted execution of arbitrar |
|
|
Gentoo Linux Security Advisory
Title: FLAC: User-assisted execution of arbitrary code (GLSA 201412-40)
Severity: normal
Exploitable: remote
Date: December 26, 2014
Bug(s): #530288
ID: 201412-40
Synopsis
A buffer overflow vulnerability in FLAC could lead to execution of
arbitrary code or Denial of Service.
Background
The Free Lossless Audio Codec (FLAC) library is the reference
implementation of the FLAC audio file format.
Affected Packages
Package: media-libs/flac
Vulnerable: < 1.3.1-r1
Unaffected: >= 1.3.1-r1
Architectures: All supported architectures
Description
A stack-based buffer overflow flaw has been discovered in FLAC.
Impact
A remote attacker could entice a user to open a specially crafted .flac
file using an application linked against FLAC, possibly resulting in
execution of arbitrary code with the privileges of the process or a
Denial of Service condition.
Workaround
There is no known workaround at this time.
Resolution
All FLAC users should upgrade to the latest version: Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/flac-1.3.1-r1"
| Packages which depend on this library may need to be recompiled. Tools
such as revdep-rebuild may assist in identifying these packages.
References
CVE-2014-8962
Last edited by GLSA on Thu Mar 12, 2015 4:34 am; edited 2 times in total |
|