CVE-2017-6888 — Missing Release of Resource after Effective Lifetime in Flac

CWE-772 — Missing Release of Resource after Effective Lifetime CWE-401 — Missing Release of Memory after Effective Lifetime10 documents7 sources

Severity

5.5MEDIUMNVD

EPSS

0.4%

top 36.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Flac Project Flac Debian Flac Flac +2 more

Timeline

PublishedApr 25

Latest updateNov 21

Description

An error in the "read_metadata_vorbiscomment_()" function (src/libFLAC/stream_decoder.c) in FLAC version 1.3.2 can be exploited to cause a memory leak via a specially crafted FLAC file.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages5 packages

▶debiandebian/flac< flac 1.3.2-2 (bookworm)

▶Debianflac_project/flac< 1.3.2-2+3

▶Ubuntuflac_project/flac< 1.3.2-1ubuntu0.1+4

▶NVDflac_project/flac1.3.2

▶CVEListV5flac/flac1.3.2

Also affects: Debian Linux 9.0, Fedora 32, 33

🔴Vulnerability Details

OSV

flac vulnerabilities↗2022-11-21

▶

GHSA

GHSA-fmrx-65vg-qvjw: An error in the "read_metadata_vorbiscomment_()" function (src/libFLAC/stream_decoder↗2022-05-13

▶

OSV

CVE-2017-6888: An error in the "read_metadata_vorbiscomment_()" function (src/libFLAC/stream_decoder↗2018-04-25

▶

📋Vendor Advisories

Ubuntu

FLAC vulnerabilities↗2022-11-21

▶

Red Hat

flac: Memory leak in src/libFLAC/stream_decoder.c:read_metadata_vorbiscomment_()↗2017-05-11

▶

Debian

CVE-2017-6888: flac - An error in the "read_metadata_vorbiscomment_()" function (src/libFLAC/stream_de...↗2017

▶

💬Community

Bugzilla

CVE-2017-6888 flac: Memory leak in src/libFLAC/stream_decoder.c:read_metadata_vorbiscomment_()↗2018-04-30

▶

Bugzilla

CVE-2017-6888 flac: Memory leak in src/libFLAC/stream_decoder.c:read_metadata_vorbiscomment_() [fedora-all]↗2018-04-30

▶

Bugzilla

CVE-2017-6888 mingw-flac: flac: Memory leak in src/libFLAC/stream_decoder.c:read_metadata_vorbiscomment_() [fedora-all]↗2018-04-30

▶