PT-2017-4110 · Xiph.Org+4 · Flac+4

Published

2017-03-14

·

Updated

2024-06-15

·

CVE-2017-6888

CVSS v3.1

5.5

Medium

VectorAV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions FLAC version 1.3.2
Description The issue is related to the read metadata vorbiscomment () function in the src/libFLAC/stream decoder.c component of the FLAC audio codec. It is caused by a lack of resource release after its valid usage period has expired. Exploitation of this issue allows a remote attacker to cause a denial of service. The vulnerability can be exploited via a specially crafted FLAC file, leading to a memory leak.
Recommendations For FLAC version 1.3.2, consider disabling the read metadata vorbiscomment () function as a temporary workaround until a patch is available. Restrict access to specially crafted FLAC files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Missing Release of Resource after Effective Lifetime

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-772

Related Identifiers

ALT-PU-2020-1409
ALT-PU-2020-1697
BDU:2021-03353
CVE-2017-6888
DLA-2514-1
MGASA-2018-0227
OPENSUSE-SU-2019:1225-1
OPENSUSE-SU-2019_1225-1
OPENSUSE-SU-2024:10760-1
SUSE-SU-2019:0920-1
SUSE-SU-2019_0920-1
USN-5733-1

Affected Products

Alt Linux
Flac
Linuxmint
Suse
Ubuntu