CVE-2014-9028

NameCVE-2014-9028
DescriptionHeap-based buffer overflow in stream_decoder.c in libFLAC before 1.3.1 allows remote attackers to execute arbitrary code via a crafted .flac file.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-99-1, DSA-3082-1
Debian Bugs770918

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
flac (PTS)jessie, jessie (lts)1.3.0-3+deb8u3fixed
stretch (security)1.3.2-2+deb9u2fixed
stretch (lts), stretch1.3.2-2+deb9u3fixed
buster (security), buster, buster (lts)1.3.2-3+deb10u3fixed
bullseye (security), bullseye1.3.3-2+deb11u2fixed
bookworm1.4.2+ds-2fixed
sid, trixie1.4.3+ds-2.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
flacsourcesqueeze1.2.1-2+deb6u1DLA-99-1
flacsourcewheezy1.2.1-6+deb7u1DSA-3082-1
flacsource(unstable)1.3.0-3770918

Notes

Upstream patches:
https://github.com/xiph/flac/commit/fcf0ba06ae12ccd7c67cee3c8d948df15f946b85 (1.3.1pre1)
https://github.com/xiph/flac/commit/5a365996d739bdf4711af51d9c2c71c8a5e14660 (1.3.1)
Search for package or bug name: Reporting problems