blob: 493bdcf19a0e115deb18aeeacca01cf9bd6b647f [file] [log] [blame]
<?xml version="1.0" encoding="utf-8"?>
<glsa id="200711-15">
<title>FLAC: Buffer overflow</title>
Multiple integer overflow vulnerabilities were found in FLAC possibly
allowing for the execution of arbitrary code.
<product type="ebuild">flac</product>
<announced>November 12, 2007</announced>
<revised>November 12, 2007: 01</revised>
<package name="media-libs/flac" auto="yes" arch="*">
<unaffected range="ge">1.2.1-r1</unaffected>
<vulnerable range="lt">1.2.1-r1</vulnerable>
The Free Lossless Audio Codec (FLAC) library is the reference
implementation of the FLAC audio file format. It contains encoders and
decoders in library and executable form.
Sean de Regge reported multiple integer overflows when processing FLAC
media files that could lead to improper memory allocations resulting in
heap-based buffer overflows.
<impact type="normal">
A remote attacker could entice a user to open a specially crafted FLAC
file or network stream with an application using FLAC. This might lead
to the execution of arbitrary code with privileges of the user playing
the file.
There is no known workaround at this time.
All FLAC users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=media-libs/flac-1.2.1-r1&quot;</code>
You should also run revdep-rebuild to rebuild any packages that depend
on older versions of FLAC:
# revdep-rebuild --library=libFLAC.*</code>
<uri link="">CVE-2007-4619</uri>
<metadata tag="requester" timestamp="Thu, 01 Nov 2007 19:12:08 +0000">
<metadata tag="submitter" timestamp="Fri, 02 Nov 2007 03:25:37 +0000">
<metadata tag="bugReady" timestamp="Sat, 03 Nov 2007 23:19:45 +0000">