CVE-2017-6888
First published: Wed Apr 25 2018(Updated: )
An error in the "read_metadata_vorbiscomment_()" function (src/libFLAC/stream_decoder.c) in FLAC version 1.3.2 can be exploited to cause a memory leak via a specially crafted FLAC file.
Credit: PSIRT-CNA@flexerasoftware.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| FLAC | <=1.3.2 | |
| Debian Debian Linux | =9.0 | |
| Fedoraproject Fedora | =32 | |
| Fedoraproject Fedora | =33 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.xiph.org/?p=flac.git;a=commit;h=4f47b63e9c971e6391590caf00a0f2a5ed612e67
- https://lists.debian.org/debian-lts-announce/2021/01/msg00001.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/33W6XZAAEJYRGU3XYHRO7XSYEA7YACUB/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KNZYTAU5UWBVXVJ4VHDWPR66ZVDLQZRE/
- https://secuniaresearch.flexerasoftware.com/advisories/82639/
- https://secuniaresearch.flexerasoftware.com/secunia_research/2017-7/
- https://git.xiph.org/?p=flac.git%3Ba=commit%3Bh=4f47b63e9c971e6391590caf00a0f2a5ed612e67
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33W6XZAAEJYRGU3XYHRO7XSYEA7YACUB/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KNZYTAU5UWBVXVJ4VHDWPR66ZVDLQZRE/
Frequently Asked Questions
What is CVE-2017-6888?
CVE-2017-6888 is a vulnerability in FLAC version 1.3.2 that can be exploited to cause a memory leak via a specially crafted FLAC file.
How severe is CVE-2017-6888?
CVE-2017-6888 has a severity keyword of 'medium' and a severity value of 5.5.
Which software versions are affected by CVE-2017-6888?
CVE-2017-6888 affects FLAC version 1.3.2, Debian Linux version 9.0, Fedora version 32, and Fedora version 33.
How can CVE-2017-6888 be exploited?
CVE-2017-6888 can be exploited by using a specially crafted FLAC file.
How can I fix CVE-2017-6888?
To fix CVE-2017-6888, update to a version of FLAC that is not affected by the vulnerability.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/references
- agent/last-modified-date
- agent/remedy
- agent/author
- agent/weakness
- agent/event
- agent/first-publish-date
- agent/description
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/flac project
- canonical/flac
- version/flac/1.3.2
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/32
- version/fedoraproject fedora/33