CVE-2020-22219: Buffer Overflow
First published: Tue Aug 22 2023(Updated: )
Buffer Overflow vulnerability in function bitwriter_grow_ in flac before 1.4.0 allows remote attackers to run arbitrary code via crafted input to the encoder.
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/flac | <=1.3.2-3+deb10u2 | 1.3.2-3+deb10u3 1.3.3-2+deb11u2 1.4.2+ds-2 1.4.3+ds-2 |
| ubuntu/flac | <1.3.3-1ubuntu0.2 | 1.3.3-1ubuntu0.2 |
| ubuntu/flac | <1.3.3-2ubuntu0.2 | 1.3.3-2ubuntu0.2 |
| ubuntu/flac | <1.3.2-1ubuntu0.1+ | 1.3.2-1ubuntu0.1+ |
| ubuntu/flac | <1.3.0-2ubuntu0.14.04.1+ | 1.3.0-2ubuntu0.14.04.1+ |
| ubuntu/flac | <1.3.1-4ubuntu0.1~ | 1.3.1-4ubuntu0.1~ |
| ubuntu/flac | <1.4.0 | 1.4.0 |
| redhat/flac | <1.4.2 | 1.4.2 |
| FLAC | <1.4.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/xiph/flac/issues/215
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZD2AJTU4PCJQP7HPTS2L2ELJWBASCRGD/
- https://www.debian.org/security/2023/dsa-5500
- https://lists.debian.org/debian-lts-announce/2023/09/msg00028.html
- https://launchpad.net/bugs/cve/CVE-2020-22219
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZD2AJTU4PCJQP7HPTS2L2ELJWBASCRGD/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2235580
- https://access.redhat.com/errata/RHSA-2023:5042
- https://access.redhat.com/errata/RHSA-2023:5043
- https://access.redhat.com/errata/RHSA-2023:5044
- https://access.redhat.com/errata/RHSA-2023:5047
- https://access.redhat.com/errata/RHSA-2023:5045
- https://access.redhat.com/errata/RHSA-2023:5046
- https://access.redhat.com/errata/RHSA-2023:5048
- https://bugzilla.redhat.com/show_bug.cgi?id=2235489
- https://github.com/xiph/flac/pull/419
- https://github.com/xiph/flac/commit/21fe95ee828b0b9b944f6aa0bb02d24fbb981815
- https://security-tracker.debian.org/tracker/CVE-2020-22219
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-22219
- https://ubuntu.com/security/notices/USN-6360-1
- https://ubuntu.com/security/notices/USN-6360-2
- https://nvd.nist.gov/vuln/detail/CVE-2020-22219
- https://ubuntu.com/security/CVE-2020-22219
Frequently Asked Questions
What is the vulnerability ID of this vulnerability?
The vulnerability ID of this vulnerability is CVE-2020-22219.
What is the severity level of CVE-2020-22219?
The severity level of CVE-2020-22219 is high with a CVSS score of 7.8.
How does the vulnerability in function bitwriter_grow_ in flac before 1.4.0 occur?
The vulnerability in function bitwriter_grow_ in flac before 1.4.0 occurs due to a buffer overflow, allowing remote attackers to run arbitrary code via crafted input to the encoder.
Which versions of flac are affected by this vulnerability?
Versions of flac up to and including 1.4.0 are affected by this vulnerability.
How can I fix CVE-2020-22219?
To fix CVE-2020-22219, update to version 1.4.2 of flac or later.
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- collector/usn-cve
- source/Ubuntu
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-22219
- agent/author
- agent/description
- agent/severity
- agent/remedy
- agent/weakness
- agent/references
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- collector/nvd-api
- agent/softwarecombine
- package-manager/debian
- package-manager/ubuntu
- package-manager/redhat
- vendor/flac project
- canonical/flac