CVE-2017-6888
published 2018-04-25CVE-2017-6888: An error in the "read_metadata_vorbiscomment_()" function (src/libFLAC/stream_decoder.c) in FLAC version 1.3.2 can be exploited to cause a memory leak via a…
PriorityP417medium5.5CVSS 3.1
AVLACLPRNUIRSUCNINAH
EPSS
1.37%
68.5th percentile
An error in the "read_metadata_vorbiscomment_()" function (src/libFLAC/stream_decoder.c) in FLAC version 1.3.2 can be exploited to cause a memory leak via a specially crafted FLAC file.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | flac | < flac 1.3.2-2 (bookworm) | flac 1.3.2-2 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| flac | flac | — | — |
| flac_project | flac | <= 1.3.2 | — |
| flac_project | flac | >= 0 < 1.3.2-2 | 1.3.2-2 |
| flac_project | flac | >= 0 < 1.3.2-2 | 1.3.2-2 |
| flac_project | flac | >= 0 < 1.3.2-2 | 1.3.2-2 |
| flac_project | flac | >= 0 < 1.3.2-2 | 1.3.2-2 |
| flac_project | flac | >= 0 < 1.3.2-1ubuntu0.1 | 1.3.2-1ubuntu0.1 |
| flac_project | flac | >= 0 < 1.3.3-1ubuntu0.1 | 1.3.3-1ubuntu0.1 |
| flac_project | flac | >= 0 < 1.3.3-2ubuntu0.1 | 1.3.3-2ubuntu0.1 |
| flac_project | flac | >= 0 < 1.3.0-2ubuntu0.14.04.1+esm1 | 1.3.0-2ubuntu0.14.04.1+esm1 |
| flac_project | flac | >= 0 < 1.3.1-4ubuntu0.1~esm1 | 1.3.1-4ubuntu0.1~esm1 |
CVSS provenance
nvdv3.15.5MEDIUMCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:N/A:P
osv5.5MEDIUM
vendor_debian5.5LOW
vendor_redhat5.5MEDIUM
vendor_ubuntu5.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
FLAC vulnerabilities
vendor_ubuntu·2022-11-21·CVSS 5.5
CVE-2017-6888 [MEDIUM] FLAC vulnerabilities
Title: FLAC vulnerabilities
Summary: Several security issues were fixed in FLAC.
It was discovered that FLAC was not properly performing memory management
operations, which could result in a memory leak. An attacker could possibly
use this issue to cause FLAC to consume resources, leading to a denial of
service. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM and
Ubuntu 18.04 LTS. (CVE-2017-6888)
It was discovered that FLAC was not properly performing bounds checking
operations when decoding data. If a user or automated system were tricked
into processing a specially crafted file, an attacker could possibly use
this issue to expose sensitive information or to cause FLAC to crash,
leading to a denial of service. This issue only affected Ubuntu 14.04 ESM,
Ubuntu 16.04 ESM, Ubu
Red Hat
flac: Memory leak in src/libFLAC/stream_decoder.c:read_metadata_vorbiscomment_()
vendor_redhat·2017-05-11·CVSS 5.5
CVE-2017-6888 [MEDIUM] CWE-401 flac: Memory leak in src/libFLAC/stream_decoder.c:read_metadata_vorbiscomment_()
flac: Memory leak in src/libFLAC/stream_decoder.c:read_metadata_vorbiscomment_()
An error in the "read_metadata_vorbiscomment_()" function (src/libFLAC/stream_decoder.c) in FLAC version 1.3.2 can be exploited to cause a memory leak via a specially crafted FLAC file.
Package: flac (Red Hat Enterprise Linux 5) - Not affected
Package: flac (Red Hat Enterprise Linux 6) - Not affected
Package: flac (Red Hat Enterprise Linux 7) - Not affected
Package: flac (Red Hat Enterprise Linux 8) - Not affected
Debian
CVE-2017-6888: flac - An error in the "read_metadata_vorbiscomment_()" function (src/libFLAC/stream_de...
vendor_debian·2017·CVSS 5.5
CVE-2017-6888 [MEDIUM] CVE-2017-6888: flac - An error in the "read_metadata_vorbiscomment_()" function (src/libFLAC/stream_de...
An error in the "read_metadata_vorbiscomment_()" function (src/libFLAC/stream_decoder.c) in FLAC version 1.3.2 can be exploited to cause a memory leak via a specially crafted FLAC file.
Scope: local
bookworm: resolved (fixed in 1.3.2-2)
bullseye: resolved (fixed in 1.3.2-2)
forky: resolved (fixed in 1.3.2-2)
sid: resolved (fixed in 1.3.2-2)
trixie: resolved (fixed in 1.3.2-2)
OSV
flac vulnerabilities
osv·2022-11-21·CVSS 5.5
CVE-2017-6888 [MEDIUM] flac vulnerabilities
flac vulnerabilities
It was discovered that FLAC was not properly performing memory management
operations, which could result in a memory leak. An attacker could possibly
use this issue to cause FLAC to consume resources, leading to a denial of
service. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM and
Ubuntu 18.04 LTS. (CVE-2017-6888)
It was discovered that FLAC was not properly performing bounds checking
operations when decoding data. If a user or automated system were tricked
into processing a specially crafted file, an attacker could possibly use
this issue to expose sensitive information or to cause FLAC to crash,
leading to a denial of service. This issue only affected Ubuntu 14.04 ESM,
Ubuntu 16.04 ESM, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-0499)
It was d
GHSA
GHSA-fmrx-65vg-qvjw: An error in the "read_metadata_vorbiscomment_()" function (src/libFLAC/stream_decoder
ghsa_unreviewed·2022-05-13
CVE-2017-6888 [MEDIUM] CWE-772 GHSA-fmrx-65vg-qvjw: An error in the "read_metadata_vorbiscomment_()" function (src/libFLAC/stream_decoder
An error in the "read_metadata_vorbiscomment_()" function (src/libFLAC/stream_decoder.c) in FLAC version 1.3.2 can be exploited to cause a memory leak via a specially crafted FLAC file.
OSV
CVE-2017-6888: An error in the "read_metadata_vorbiscomment_()" function (src/libFLAC/stream_decoder
osv·2018-04-25·CVSS 5.5
CVE-2017-6888 [MEDIUM] CVE-2017-6888: An error in the "read_metadata_vorbiscomment_()" function (src/libFLAC/stream_decoder
An error in the "read_metadata_vorbiscomment_()" function (src/libFLAC/stream_decoder.c) in FLAC version 1.3.2 can be exploited to cause a memory leak via a specially crafted FLAC file.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-6888 flac: Memory leak in src/libFLAC/stream_decoder.c:read_metadata_vorbiscomment_()
bugzilla·2018-04-30·CVSS 5.5
CVE-2017-6888 [MEDIUM] CVE-2017-6888 flac: Memory leak in src/libFLAC/stream_decoder.c:read_metadata_vorbiscomment_()
CVE-2017-6888 flac: Memory leak in src/libFLAC/stream_decoder.c:read_metadata_vorbiscomment_()
FLAC version 1.3.2 has a memory leak vulnerability in the src/libFLAC/stream_decoder.c:read_metadata_vorbiscomment_() function. An attacker could exploit this via crafted FLAC file to cause a denial of service.
External Reference:
https://secuniaresearch.flexerasoftware.com/secunia_research/2017-7/
Upstream Patch:
https://git.xiph.org/?p=flac.git;a=blobdiff;f=src/libFLAC/stream_decoder.c;h=a5527511d195f9428c817ad6dbe57e8af03a2f1b;hp=14d5fe7ff3e81f38554c057fcd7d86830a582257;hb=4f47b63e9c971e6391590caf00a0f2a5ed612e67;hpb=25b2d82fe4982edbcb54913f4f5db0a1ae9c726d
Discussion:
Created flac tracking bugs for this issue:
Affects: fedora-all [bug 1573062]
Created mingw-flac tracking bugs for
Bugzilla
CVE-2017-6888 flac: Memory leak in src/libFLAC/stream_decoder.c:read_metadata_vorbiscomment_() [fedora-all]
bugzilla·2018-04-30·CVSS 5.5
CVE-2017-6888 [MEDIUM] CVE-2017-6888 flac: Memory leak in src/libFLAC/stream_decoder.c:read_metadata_vorbiscomment_() [fedora-all]
CVE-2017-6888 flac: Memory leak in src/libFLAC/stream_decoder.c:read_metadata_vorbiscomment_() [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affec
Bugzilla
CVE-2017-6888 mingw-flac: flac: Memory leak in src/libFLAC/stream_decoder.c:read_metadata_vorbiscomment_() [fedora-all]
bugzilla·2018-04-30·CVSS 5.5
CVE-2017-6888 [MEDIUM] CVE-2017-6888 mingw-flac: flac: Memory leak in src/libFLAC/stream_decoder.c:read_metadata_vorbiscomment_() [fedora-all]
CVE-2017-6888 mingw-flac: flac: Memory leak in src/libFLAC/stream_decoder.c:read_metadata_vorbiscomment_() [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this
https://git.xiph.org/?p=flac.git%3Ba=commit%3Bh=4f47b63e9c971e6391590caf00a0f2a5ed612e67https://lists.debian.org/debian-lts-announce/2021/01/msg00001.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33W6XZAAEJYRGU3XYHRO7XSYEA7YACUB/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KNZYTAU5UWBVXVJ4VHDWPR66ZVDLQZRE/https://secuniaresearch.flexerasoftware.com/advisories/82639/https://secuniaresearch.flexerasoftware.com/secunia_research/2017-7/https://git.xiph.org/?p=flac.git%3Ba=commit%3Bh=4f47b63e9c971e6391590caf00a0f2a5ed612e67https://lists.debian.org/debian-lts-announce/2021/01/msg00001.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33W6XZAAEJYRGU3XYHRO7XSYEA7YACUB/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KNZYTAU5UWBVXVJ4VHDWPR66ZVDLQZRE/https://secuniaresearch.flexerasoftware.com/advisories/82639/https://secuniaresearch.flexerasoftware.com/secunia_research/2017-7/
2018-04-25
Published