[flac-dev] Two new CVEs against FLAC

Declan Kelly flac-dev at groov.ie
Tue Nov 25 08:27:25 PST 2014

On Tue, Nov 25, 2014 at 12:29:33AM -0800, mle+la at mega-nerd.com wrote:
>     CVE-2014-9028 : Heap buffer write overflow
>     CVE-2014-8962 : Heap buffer read overflow

Is it known what other FLAC decoding software or firmware is vulnerable
to these overflows?

Any software player that was derived from the official FLAC codebase
probably is, and most active 3rd party developers will probably get a
new release out soon anyway, even if their code was not vulnerable.

Embedded systems with native FLAC playback, such as DVD players and
portable devices, may never get updated.

   (no microsoft products were used to create this message)
"Mosaic is going to be on every computer in the world." - Marc Andreessen, 1994
