PT-2017-4110 · Xiph.Org+4 · Flac+4

Publicado

2017-03-14

·

Atualizado

2024-06-15

·

CVE-2017-6888

CVSS v3.1

5.5

Média

VetorAV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions FLAC version 1.3.2
Description The issue is related to the read metadata vorbiscomment () function in the src/libFLAC/stream decoder.c component of the FLAC audio codec. It is caused by a lack of resource release after its valid usage period has expired. Exploitation of this issue allows a remote attacker to cause a denial of service. The vulnerability can be exploited via a specially crafted FLAC file, leading to a memory leak.
Recommendations For FLAC version 1.3.2, consider disabling the read metadata vorbiscomment () function as a temporary workaround until a patch is available. Restrict access to specially crafted FLAC files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Missing Release of Resource after Effective Lifetime

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-772

Identificadores relacionados

ALT-PU-2020-1409
ALT-PU-2020-1697
BDU:2021-03353
CVE-2017-6888
DLA-2514-1
MGASA-2018-0227
OPENSUSE-SU-2019:1225-1
OPENSUSE-SU-2019_1225-1
OPENSUSE-SU-2024:10760-1
SUSE-SU-2019:0920-1
SUSE-SU-2019_0920-1
USN-5733-1

Produtos afetados

Alt Linux
Flac
Linuxmint
Suse
Ubuntu