Short Name |
HTTP:STC:DL:LIBFLAC-PIC-DESC |
---|---|
Severity |
High |
Recommended |
No |
Recommended Action |
Drop |
Category |
HTTP |
Keywords |
FLAC Project libFLAC Picture Metadata Picture Description Size Buffer Overflow |
Release Date |
2010/10/19 |
Update Number |
1794 |
Supported Platforms |
idp-4.0+, isg-3.1.134269+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vsrx-12.1+ |
This signature detects attempts to exploit a known heap memory overflow vulnerability in the Free Lossless Audio Codec (FLAC) library embedded and used by various products. It is due to boundary errors when processing FLAC audio files. A remote attacker can exploit this by enticing the target user to open a crafted FLAC audio file. A successful attack can lead to arbitrary code execution in the security context of the affected application, normally using the privileges of the logged in user. The behavior of the target host is entirely dependent on the intended function of the injected code. In an unsuccessful attack, the application that processes the malicious FLAC file terminates abnormally.
FLAC (Free Lossless Audio Codec) is prone to multiple remote integer-overflow vulnerabilities because the application fails to bounds-check user-supplied data before allocating memory. Remote attackers may exploit these issues by enticing victims into opening maliciously crafted FLAC files. An attacker can exploit these issues to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial of service. FLAC 1.2.0 is vulnerable; other versions may also be affected. NOTE: Applications that include the affected libFLAC library are also affected.