lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20141125091218.GF5485@core.inversepath.com>
Date: Tue, 25 Nov 2014 10:12:18 +0100
From: Daniele Bianco <danbia@...rt.org>
To: oss-security@...ts.openwall.com, ocert-announce@...ts.ocert.org,
  bugtraq@...urityfocus.com
Subject: [oCERT 2014-008] libFLAC multiple issues


Description:

FLAC is an open source lossless audio codec supported by several software
and music players.

The libFLAC project, an open source library implementing reference
encoders and decoders for native FLAC and Ogg FLAC audio content,
suffers from multiple implementation issues.

In particular, a stack overflow and a heap overflow condition, which may
result in arbitrary code execution, can be triggered by passing a maliciously
crafted .flac file to the libFLAC decoder.

Affected version:

libFLAC <= 1.3.0

The following packages were identified as affected as they statically
include libFLAC in their own packages.

Max <= 0.9.1
Cog <= 0.07
cinelerra <= 4.6
JUCE <= 3.1.0 (juce_audio_formats module)

Fixed version:

libFLAC >= 1.3.1

Max N/A
Cog N/A
cinelerra N/A
JUCE N/A

Credit: vulnerability report from Michele Spagnuolo of Google Security Team <mikispag AT google.com>

CVE:

CVE-2014-8962 (stack overflow)
CVE-2014-9028 (heap overflow)

Timeline:

2014-11-12: heap overflow report received
2014-11-12: contacted maintainer
2014-11-14: patch provided by maintainer
2014-11-17: reporter confirms patch
2014-11-20: stack overflow vulnerability reported
2014-11-21: assigned CVE (heap overflow)
2014-11-22: contacted affected vendors
2014-11-23: contacted additional affected vendors
2014-11-25: advisory release

References:

https://git.xiph.org/?p=flac.git;a=commit;h=5b3033a2b355068c11fe637e14ac742d273f076e
https://git.xiph.org/?p=flac.git;a=commit;h=fcf0ba06ae12ccd7c67cee3c8d948df15f946b85

Permalink:

http://www.ocert.org/advisories/ocert-2014-008.html

--
  Daniele Bianco      Open Source Computer Security Incident Response Team
  <danbia@...rt.org>                                  http://www.ocert.org

  GPG Key 0x9544A497
  GPG Key fingerprint = 88A7 43F4 F28F 1B9D 6F2D  4AC5 AE75 822E 9544 A497

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ