Multiple buffer overflows in Free Lossless Audio Codec (FLAC) libFLAC before 1.2.1 allow user-assisted remote attackers to execute arbitrary code via large (1) Metadata Block Size, (2) VORBIS Comment String Size, (3) Picture Metadata MIME-TYPE Size, (4) Picture Description Size, (5) Picture Data Length, (6) Padding Length, and (7) PICTURE Metadata width and height values in a .FLAC file, which result in a heap-based overflow; and large (8) VORBIS Comment String Size Length, (9) Picture MIME-Type, (10) Picture MIME-Type URL, and (11) Picture Description Length values in a .FLAC file, which result in a stack-based overflow. NOTE: some of these issues may overlap CVE-2007-4619.
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
| Link | Tags |
|---|---|
| http://www.debian.org/security/2008/dsa-1469 | vendor advisory |
| http://research.eeye.com/html/advisories/published/AD20071115.html | third party advisory |
| http://www.securitytracker.com/id?1018974 | patch vdb entry |
| http://securityreason.com/securityalert/3423 | third party advisory |
| http://secunia.com/advisories/28548 | third party advisory |
| http://www.kb.cert.org/vuls/id/544656 | patch third party advisory us government resource |
| https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10435 | signature vdb entry |
| http://www.securityfocus.com/archive/1/483765/100/200/threaded | mailing list |