blob: 10eae87723cada53848d1d83c441323fe74ae0ea [file] [log] [blame]
<?xml version="1.0" encoding="UTF-8"?>
<glsa id="201412-40">
<title>FLAC: User-assisted execution of arbitrary code</title>
<synopsis>A buffer overflow vulnerability in FLAC could lead to execution of
arbitrary code or Denial of Service.
<product type="ebuild">flac</product>
<announced>December 26, 2014</announced>
<revised>December 26, 2014: 1</revised>
<package name="media-libs/flac" auto="yes" arch="*">
<unaffected range="ge">1.3.1-r1</unaffected>
<vulnerable range="lt">1.3.1-r1</vulnerable>
<p>The Free Lossless Audio Codec (FLAC) library is the reference
implementation of the FLAC audio file format.
<p>A stack-based buffer overflow flaw has been discovered in FLAC.</p>
<impact type="normal">
<p>A remote attacker could entice a user to open a specially crafted .flac
file using an application linked against FLAC, possibly resulting in
execution of arbitrary code with the privileges of the process or a
Denial of Service condition.
<p>There is no known workaround at this time.</p>
<p>All FLAC users should upgrade to the latest version:</p>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=media-libs/flac-1.3.1-r1"
<p>Packages which depend on this library may need to be recompiled. Tools
such as revdep-rebuild may assist in identifying these packages.
<uri link="">CVE-2014-8962</uri>
<metadata tag="requester" timestamp="Wed, 03 Dec 2014 00:54:43 +0000">ackle</metadata>
<metadata tag="submitter" timestamp="Fri, 26 Dec 2014 00:40:42 +0000">ackle</metadata>