Arch Linux Security Advisory ASA-201411-30
==========================================

Severity: High
Date    : 2014-11-26
CVE-ID  : CVE-2014-8962 CVE-2014-9028
Package : flac
Type    : arbitrary code execution
Remote  : No
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======

The package flac before version 1.3.0-5 is vulnerable to arbitrary code
execution.

Resolution
==========

Upgrade to 1.3.0-5.

# pacman -Syu "flac>=1.3.0-5"

The problem has been fixed upstream in version 1.3.1-pre1.

Workaround
==========

None.

Description
===========

A stack overflow and a heap overflow condition have been found in libFLAC
when parsing a maliciously crafted .flac file, which may result in
arbitrary code execution.

Impact
======

An attacker can execute arbitrary code by supplying a specially crafted
.flac file to the libFLAC decoder.

References
==========

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8962
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9028
http://www.ocert.org/advisories/ocert-2014-008.html
https://bugs.archlinux.org/task/42898