Vulnerability Details : CVE-2014-9028
Heap-based buffer overflow in stream_decoder.c in libFLAC before 1.3.1 allows remote attackers to execute arbitrary code via a crafted .flac file.
Vulnerability category: OverflowExecute code
Products affected by CVE-2014-9028
- cpe:2.3:a:flac:libflac:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-9028
61.09%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 98 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-9028
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST |
CWE ids for CVE-2014-9028
-
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-9028
-
http://advisories.mageia.org/MGASA-2014-0499.html
Mageia Advisory: MGASA-2014-0499 - Updated flac packages fix security vulnerabilities
-
http://www.ubuntu.com/usn/USN-2426-1
USN-2426-1: FLAC vulnerabilities | Ubuntu security notices
-
http://rhn.redhat.com/errata/RHSA-2015-0767.html
RHSA-2015:0767 - Security Advisory - Red Hat Customer Portal
-
http://www.mandriva.com/security/advisories?name=MDVSA-2014:239
mandriva.com
-
http://www.mandriva.com/security/advisories?name=MDVSA-2015:188
mandriva.com
-
http://www.securityfocus.com/bid/71282
libFLAC 'src/libFLAC/stream_decoder.c' Heap Buffer Overflow Vulnerability
-
http://www.ocert.org/advisories/ocert-2014-008.html
oCERT archiveUS Government Resource
-
http://lists.opensuse.org/opensuse-updates/2014-12/msg00034.html
openSUSE-SU-2014:1588-1: moderate: Security update for flac
-
http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
Oracle Bulletin Board Update - January 2015
-
http://packetstormsecurity.com/files/129261/libFLAC-1.3.0-Stack-Overflow-Heap-Overflow-Code-Execution.html
libFLAC 1.3.0 Stack Overflow / Heap Overflow / Code Execution ≈ Packet Storm
-
http://www.debian.org/security/2014/dsa-3082
Debian -- Security Information -- DSA-3082-1 flac
-
https://git.xiph.org/?p=flac.git;a=commit;h=fcf0ba06ae12ccd7c67cee3c8d948df15f946b85
Xiph.org - flac.git/commit
-
http://www.securityfocus.com/archive/1/534083/100/0/threaded
SecurityFocus
Jump to