Hi all,
Google Security Team member, Michele Spagnuolo, recently found two potential
problems in the FLAC code base. They are :
CVE-2014-9028 : Heap buffer write overflow
CVE-2014-8962 : Heap buffer read overflow
For Linux distributions, the specific fixes for these two CVEs are available
from Git here:
https://git.xiph.org/?p=flac.git;a=commit;h=fcf0ba06ae12ccd7c67cee3c8d948df15f946b85
https://git.xiph.org/?p=flac.git;a=commit;h=5b3033a2b355068c11fe637e14ac742d273f076e
and are simple enough that they should apply cleanly to the last official
release 1.3.0 and possibly even the previous one, 1.2.1.
A pre-release (version 1.3.1pre1) for the next version which includes these
fixes and more is available here:
http://downloads.xiph.org/releases/flac/beta/
A full release (version 1.3.1) will be available in the next couple of days.
Cheers,
Erik
--
----------------------------------------------------------------------
Erik de Castro Lopo
http://www.mega-nerd.com/
_______________________________________________
flac-dev mailing list
[email protected]
http://lists.xiph.org/mailman/listinfo/flac-dev
