CVE-2014-9028

Publication date 26 November 2014

Last updated 24 July 2024

Ubuntu priority

Heap-based buffer overflow in stream_decoder.c in libFLAC before 1.3.1 allows remote attackers to execute arbitrary code via a crafted .flac file.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
android	15.10 wily	Ignored
	15.04 vivid	Ignored
	14.04 LTS trusty	Not in release
	12.04 LTS precise	Not in release
flac	15.10 wily	Not affected
	15.04 vivid	Fixed 1.3.0-2ubuntu1
	14.10 utopic	Fixed 1.3.0-2ubuntu0.14.10.1
	14.04 LTS trusty	Fixed 1.3.0-2ubuntu0.14.04.1
	12.04 LTS precise	Fixed 1.2.1-6ubuntu0.1
	10.04 LTS lucid	Fixed 1.2.1-2ubuntu0.1

Notes

sbeattie

android moved from libflac 1.2.1 to 1.3.1, plus extra fix listed below

jdstrand

as with previous stagefright issues, this issue affects Ubuntu's android packages, but not in a way that is exposed to apps. See CVE-2015-1538 for details

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
android	Upstream: https://android.googlesource.com/platform/external/flac/+/5859ae22db0a2d16af3e3ca19d582de37daf5eb6%5E!/#F0
flac	Upstream: https://git.xiph.org/?p=flac.git;a=commit;h=fcf0ba06ae12ccd7c67cee3c8d948df15f946b85 Upstream: https://git.xiph.org/?p=flac.git;a=commit;h=5a365996d739bdf4711af51d9c2c71c8a5e14660

CVE-2014-9028

Status

Notes

sbeattie

jdstrand

Patch details

References

Related Ubuntu Security Notices (USN)

Other references