CVE-2014-8962
published 2014-11-26CVE-2014-8962: Stack-based buffer overflow in stream_decoder.c in libFLAC before 1.3.1 allows remote attackers to execute arbitrary code via a crafted .flac file.
PriorityP344high7.5CVSS 2.0
AVNACLAuNCPIPAP
EPSS
9.86%
95.0th percentile
Stack-based buffer overflow in stream_decoder.c in libFLAC before 1.3.1 allows remote attackers to execute arbitrary code via a crafted .flac file.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | flac | < flac 1.3.0-3 (bookworm) | flac 1.3.0-3 (bookworm) |
| flac | libflac | <= 1.3.0 | — |
| flac_project | flac | >= 0 < 1.3.0-3 | 1.3.0-3 |
| flac_project | flac | >= 0 < 1.3.0-3 | 1.3.0-3 |
| flac_project | flac | >= 0 < 1.3.0-3 | 1.3.0-3 |
| flac_project | flac | >= 0 < 1.3.0-3 | 1.3.0-3 |
CVSS provenance
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
osv7.5HIGH
vendor_debian7.5HIGH
vendor_redhat7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
FLAC vulnerabilities
vendor_ubuntu·2014-11-27
CVE-2014-8962 FLAC vulnerabilities
Title: FLAC vulnerabilities
Summary: FLAC could be made to crash or run programs as your login if it opened a
specially crafted file.
Michele Spagnuolo discovered that FLAC incorrectly handled certain
malformed audio files. An attacker could use this issue to cause FLAC to
crash, resulting in a denial of service, or possibly execute arbitrary
code.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
flac: Buffer read overflow when processing ID3V2 metadata
vendor_redhat·2014-11-18·CVSS 7.5
CVE-2014-8962 [HIGH] CWE-122 flac: Buffer read overflow when processing ID3V2 metadata
flac: Buffer read overflow when processing ID3V2 metadata
Stack-based buffer overflow in stream_decoder.c in libFLAC before 1.3.1 allows remote attackers to execute arbitrary code via a crafted .flac file.
A buffer over-read flaw was found in the way flac processed certain ID3v2 metadata. An attacker could create a specially crafted FLAC audio file that could cause an application using the flac library to crash when the file was read.
Package: flac (Red Hat Enterprise Linux 5) - Will not fix
Debian
CVE-2014-8962: flac - Stack-based buffer overflow in stream_decoder.c in libFLAC before 1.3.1 allows r...
vendor_debian·2014·CVSS 7.5
CVE-2014-8962 [HIGH] CVE-2014-8962: flac - Stack-based buffer overflow in stream_decoder.c in libFLAC before 1.3.1 allows r...
Stack-based buffer overflow in stream_decoder.c in libFLAC before 1.3.1 allows remote attackers to execute arbitrary code via a crafted .flac file.
Scope: local
bookworm: resolved (fixed in 1.3.0-3)
bullseye: resolved (fixed in 1.3.0-3)
forky: resolved (fixed in 1.3.0-3)
sid: resolved (fixed in 1.3.0-3)
trixie: resolved (fixed in 1.3.0-3)
GHSA
GHSA-5gr4-m4m2-fjjf: Stack-based buffer overflow in stream_decoder
ghsa_unreviewed·2022-05-14
CVE-2014-8962 [HIGH] CWE-119 GHSA-5gr4-m4m2-fjjf: Stack-based buffer overflow in stream_decoder
Stack-based buffer overflow in stream_decoder.c in libFLAC before 1.3.1 allows remote attackers to execute arbitrary code via a crafted .flac file.
OSV
CVE-2014-8962: Stack-based buffer overflow in stream_decoder
osv·2014-11-26·CVSS 7.5
CVE-2014-8962 [HIGH] CVE-2014-8962: Stack-based buffer overflow in stream_decoder
Stack-based buffer overflow in stream_decoder.c in libFLAC before 1.3.1 allows remote attackers to execute arbitrary code via a crafted .flac file.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2014-9028 CVE-2014-8962 mingw-flac: various flaws [fedora-all]
bugzilla·2014-12-02·CVSS 7.5
CVE-2014-9028 [HIGH] CVE-2014-9028 CVE-2014-8962 mingw-flac: various flaws [fedora-all]
CVE-2014-9028 CVE-2014-8962 mingw-flac: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. Whi
Bugzilla
CVE-2014-9028 CVE-2014-8962 xmms-flac: various flaws [fedora-all]
bugzilla·2014-12-02·CVSS 7.5
CVE-2014-9028 [HIGH] CVE-2014-9028 CVE-2014-8962 xmms-flac: various flaws [fedora-all]
CVE-2014-9028 CVE-2014-8962 xmms-flac: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. Whil
Bugzilla
CVE-2014-9028 CVE-2014-8962 flac: various flaws [fedora-all]
bugzilla·2014-12-02·CVSS 7.5
CVE-2014-9028 [HIGH] CVE-2014-9028 CVE-2014-8962 flac: various flaws [fedora-all]
CVE-2014-9028 CVE-2014-8962 flac: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While onl
Bugzilla
CVE-2014-8962 flac: Buffer read overflow when processing ID3V2 metadata
bugzilla·2014-11-24·CVSS 7.5
CVE-2014-8962 [HIGH] CVE-2014-8962 flac: Buffer read overflow when processing ID3V2 metadata
CVE-2014-8962 flac: Buffer read overflow when processing ID3V2 metadata
Unspecified vulnerability was fixed in flac upstream repository [1]
There're currently no publicly availble details about this issue:
The commit above will be included in flac 1.3.1, which will be out early next week [2].
[1]: https://git.xiph.org/?p=flac.git;a=commitdiff;h=5b3033a2b355068c11fe637e14ac742d273f076e
[2]: http://lists.xiph.org/pipermail/flac-dev/2014-November/005185.html
Discussion:
Created mingw-flac tracking bugs for this issue:
Affects: fedora-all [bug 1169699]
---
Created xmms-flac tracking bugs for this issue:
Affects: fedora-all [bug 1169700]
---
Created flac tracking bugs for this issue:
Affects: fedora-all [bug 1169698]
---
flac-1.3.1-1.fc20 has been pushed to the Fedora 20 stable re
Checkpoint
Long-known Vulnerabilities in High-Profile Android Applications
blogs_checkpoint·2019-11-21
CVE-2014-8962 Long-known Vulnerabilities in High-Profile Android Applications
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
AI Research 2
Android Malware 23
Artificial Intelligence 4
ChatGPT 3
Check Point Research Publications 455
Cloud Security 1
CPRadio 44
Crypto 2
Data & Threat Intelligence 2
Data Analysis 0
Demos 22
Global Cyber Attack Reports 408
How To Guides 13
Ransomware 5
Russo-Ukrainian War 1
Security Report 1
Threat and data analysis 0
Threat Research 174
Web 3.0 Security 11
Wipers 0
## Long-known Vulnerabilities in High-Profile Android Applications
Research by: Slava Makkaveev
## Introduction
Most mobile users understandably worry about known vulnerabilities in the c
http://advisories.mageia.org/MGASA-2014-0499.htmlhttp://lists.opensuse.org/opensuse-updates/2014-12/msg00034.htmlhttp://packetstormsecurity.com/files/129261/libFLAC-1.3.0-Stack-Overflow-Heap-Overflow-Code-Execution.htmlhttp://rhn.redhat.com/errata/RHSA-2015-0767.htmlhttp://www.debian.org/security/2014/dsa-3082http://www.mandriva.com/security/advisories?name=MDVSA-2014:239http://www.mandriva.com/security/advisories?name=MDVSA-2015:188http://www.ocert.org/advisories/ocert-2014-008.htmlhttp://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.htmlhttp://www.securityfocus.com/archive/1/534083/100/0/threadedhttp://www.securityfocus.com/bid/71280http://www.ubuntu.com/usn/USN-2426-1https://git.xiph.org/?p=flac.git%3Ba=commit%3Bh=5b3033a2b355068c11fe637e14ac742d273f076ehttp://advisories.mageia.org/MGASA-2014-0499.htmlhttp://lists.opensuse.org/opensuse-updates/2014-12/msg00034.htmlhttp://packetstormsecurity.com/files/129261/libFLAC-1.3.0-Stack-Overflow-Heap-Overflow-Code-Execution.htmlhttp://rhn.redhat.com/errata/RHSA-2015-0767.htmlhttp://www.debian.org/security/2014/dsa-3082http://www.mandriva.com/security/advisories?name=MDVSA-2014:239http://www.mandriva.com/security/advisories?name=MDVSA-2015:188http://www.ocert.org/advisories/ocert-2014-008.htmlhttp://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.htmlhttp://www.securityfocus.com/archive/1/534083/100/0/threadedhttp://www.securityfocus.com/bid/71280http://www.ubuntu.com/usn/USN-2426-1https://git.xiph.org/?p=flac.git%3Ba=commit%3Bh=5b3033a2b355068c11fe637e14ac742d273f076e
2014-11-26
Published