oCERT-2014-008 libFLAC multiple issues

Description:

FLAC is an open source lossless audio codec supported by several software and music players.

The libFLAC project, an open source library implementing reference encoders and decoders for native FLAC and Ogg FLAC audio content, suffers from multiple implementation issues.

In particular, a stack overflow and a heap overflow condition, which may result in arbitrary code execution, can be triggered by passing a maliciously crafted .flac file to the libFLAC decoder.

Affected version:

libFLAC <= 1.3.0

The following packages were identified as affected as they statically include libFLAC in their own packages.

Max <= 0.9.1

Cog <= 0.07

CINELERRA <= 4.6

JUCE <= 3.1.0 (juce_audio_formats module)

Fixed version:

libFLAC >= 1.3.1

Max, N/A

Cog, N/A

CINELERRA, N/A

JUCE >= 3.1.1

Credit: vulnerability report from Michele Spagnuolo of Google Security Team <mikispag AT google.com>.

CVE: CVE-2014-8962 (stack overflow), CVE-2014-9028 (heap overflow)

Timeline:

2014-11-12: heap overflow report received
2014-11-12: contacted maintainer
2014-11-14: patch provided by maintainer
2014-11-17: reporter confirms patch
2014-11-20: stack overflow vulnerability reported
2014-11-21: assigned CVE (heap overflow)
2014-11-22: contacted affected vendors
2014-11-23: contacted additional affected vendors
2014-11-25: advisory release
2014-12-12: updated information about JUCE fixed versions

References:
https://git.xiph.org/?p=flac.git;a=commit;h=5b3033a2b355068c11fe637e14ac742d273f076e
https://git.xiph.org/?p=flac.git;a=commit;h=fcf0ba06ae12ccd7c67cee3c8d948df15f946b85