Common Vulnerabilities and Exposures assigned an identifier CVE-2007-4619 to the following vulnerability: Multiple integer overflows in Free Lossless Audio Codec (FLAC) libFLAC before 1.2.1, as used in Winamp before 5.5 and other products, allow user-assisted remote attackers to execute arbitrary code via a malformed FLAC file that triggers improper memory allocation, resulting in a heap-based buffer overflow. References: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=608 http://flac.sourceforge.net/changelog.html#flac_1_2_1
Created attachment 227581 [details] Probably the fix for CVE-2007-4619 sucked from upstream CVS
Looks like an update would be needed on FC6, F7, RHEL3, RHEL4, and RHEL5. Only problem being that we can't upgrade to 1.2.1 in any of those, as 1.1.3 changed the API considerably, and the patch would only apply cleanly to 1.2.0 (which we don't use anywhere, otherwise, we'd just upgrade it to 1.2.1).
See also bug #415581
This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2007-0975.html Fedora: https://admin.fedoraproject.org/updates/F7/FEDORA-2007-2596
*** Bug 415581 has been marked as a duplicate of this bug. ***