[flac-dev] Two new CVEs against FLAC

Erik de Castro Lopo mle+la at mega-nerd.com
Tue Nov 25 00:29:33 PST 2014

Hi all,

Google Security Team member, Michele Spagnuolo, recently found two potential
problems in the FLAC code base. They are :

    CVE-2014-9028 : Heap buffer write overflow
    CVE-2014-8962 : Heap buffer read overflow

For Linux distributions, the specific fixes for these two CVEs are available
from Git here:


and are simple enough that they should apply cleanly to the last official
release 1.3.0 and possibly even the previous one, 1.2.1.

A pre-release (version 1.3.1pre1) for the next version which includes these
fixes and more is available here:


A full release (version 1.3.1) will be available in the next couple of days.

Erik de Castro Lopo

More information about the flac-dev mailing list