CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-22219 – flac: Remote Code Execution (RCE) via the bitwriter_grow_ function, by supplying crafted input to the encoder
https://notcve.org/view.php?id=CVE-2020-22219
Buffer Overflow vulnerability in function bitwriter_grow_ in flac before 1.4.0 allows remote attackers to run arbitrary code via crafted input to the encoder. Vulnerabilidad de Desbordamiento de Búfer en la función bitwriter_grow_ en flac anterior a 1.4.0 permite a atacantes remotos ejecutar código arbitrario a través de una entrada manipulada al codificador. A flaw was found in the libeconf library. This issue occurs due to a buffer overflow vulnerability in the bitwriter_grow_ function in FLAC that allows remote attackers to run arbitrary code via crafted input to the encoder. • https://github.com/xiph/flac/issues/215 https://lists.debian.org/debian-lts-announce/2023/09/msg00028.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZD2AJTU4PCJQP7HPTS2L2ELJWBASCRGD https://www.debian.org/security/2023/dsa-5500 https://access.redhat.com/security/cve/CVE-2020-22219 https://bugzilla.redhat.com/show_bug.cgi?id=2235489 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2017-6888
https://notcve.org/view.php?id=CVE-2017-6888
An error in the "read_metadata_vorbiscomment_()" function (src/libFLAC/stream_decoder.c) in FLAC version 1.3.2 can be exploited to cause a memory leak via a specially crafted FLAC file. Un error en la función read_metadata_vorbiscomment_() en src/libFLAC/stream_decoder.c en la versión 1.3.2 de FLAC puede explotarse para provocar una fuga de memoria mediante un archivo FLAC especialmente manipulado. • https://git.xiph.org/?p=flac.git%3Ba=commit%3Bh=4f47b63e9c971e6391590caf00a0f2a5ed612e67 https://lists.debian.org/debian-lts-announce/2021/01/msg00001.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33W6XZAAEJYRGU3XYHRO7XSYEA7YACUB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KNZYTAU5UWBVXVJ4VHDWPR66ZVDLQZRE https://secuniaresearch.flexerasoftware.com/advisories/82639 https://secuniaresearch.flexerasoftware.com/secunia_research/2017-7 • CWE-772: Missing Release of Resource after Effective Lifetime •
CVSS: 7.5EPSS: 65%CPEs: 1EXPL: 0CVE-2014-9028 – flac: Heap buffer write overflow in read_residual_partitioned_rice_
https://notcve.org/view.php?id=CVE-2014-9028
Heap-based buffer overflow in stream_decoder.c in libFLAC before 1.3.1 allows remote attackers to execute arbitrary code via a crafted .flac file. Desbordamiento de buffer basado en memoria dinámica en stream_decoder.c en libFLAC anterior a 1.3.1 permite a atacantes remotos ejecutar código arbitrario a través de un fichero .flac manipulado. A buffer overflow flaw was found in the way flac decoded FLAC audio files. An attacker could create a specially crafted FLAC audio file that could cause an application using the flac library to crash or execute arbitrary code when the file was read. • http://advisories.mageia.org/MGASA-2014-0499.html http://lists.opensuse.org/opensuse-updates/2014-12/msg00034.html http://packetstormsecurity.com/files/129261/libFLAC-1.3.0-Stack-Overflow-Heap-Overflow-Code-Execution.html http://rhn.redhat.com/errata/RHSA-2015-0767.html http://www.debian.org/security/2014/dsa-3082 http://www.mandriva.com/security/advisories?name=MDVSA-2014:239 http://www.mandriva.com/security/advisories?name=MDVSA-2015:188 http://www.ocert.org/advisories/ocert-2014-008 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-122: Heap-based Buffer Overflow •
CVSS: 7.5EPSS: 65%CPEs: 1EXPL: 0CVE-2014-8962 – flac: Buffer read overflow when processing ID3V2 metadata
https://notcve.org/view.php?id=CVE-2014-8962
Stack-based buffer overflow in stream_decoder.c in libFLAC before 1.3.1 allows remote attackers to execute arbitrary code via a crafted .flac file. Desbordamiento de buffer basado en pila en stream_decoder.c en libFLAC anterior a 1.3.1 permite a atacantes remotos ejecutar código arbitrario a través de un fichero .flac manipulado. A buffer over-read flaw was found in the way flac processed certain ID3v2 metadata. An attacker could create a specially crafted FLAC audio file that could cause an application using the flac library to crash when the file was read. • http://advisories.mageia.org/MGASA-2014-0499.html http://lists.opensuse.org/opensuse-updates/2014-12/msg00034.html http://packetstormsecurity.com/files/129261/libFLAC-1.3.0-Stack-Overflow-Heap-Overflow-Code-Execution.html http://rhn.redhat.com/errata/RHSA-2015-0767.html http://www.debian.org/security/2014/dsa-3082 http://www.mandriva.com/security/advisories?name=MDVSA-2014:239 http://www.mandriva.com/security/advisories?name=MDVSA-2015:188 http://www.ocert.org/advisories/ocert-2014-008 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-122: Heap-based Buffer Overflow •
CVSS: 9.3EPSS: 2%CPEs: 1EXPL: 0CVE-2007-6278
https://notcve.org/view.php?id=CVE-2007-6278
Free Lossless Audio Codec (FLAC) libFLAC before 1.2.1 allows user-assisted remote attackers to force a client to download arbitrary files via the MIME-Type URL flag (-->) for the FLAC image file in a crafted .FLAC file. Free Lossless Audio Codec (FLAC) libFLAC, en versiones anteriores a la 1.2.1, permite que atacantes remotos con intervención del usuario fuercen al cliente a descargar archivos cualesquiera a través de la etiqueta MIME-Type URL (-->) para el fichero de imagen FLAC en un archivo .FLAC manipulado. • http://research.eeye.com/html/advisories/published/AD20071115.html http://securityreason.com/securityalert/3423 http://www.kb.cert.org/vuls/id/544656 http://www.securityfocus.com/archive/1/483765/100/200/threaded http://www.securitytracker.com/id?1018974 • CWE-20: Improper Input Validation CWE-264: Permissions, Privileges, and Access Controls •