Vulnerability Name:

CVE-2017-6888 (CCN-125997)

Assigned: 2017-05-15
Published: 2017-05-15
Updated: 2021-02-25
Summary: A memory leak (CWE-772) in the "read_metadata_vorbiscomment_()" function (src/libFLAC/stream_decoder.c) in FLAC version 1.3.2 can be triggered by a specially crafted FLAC file. A decoder that processes such files leaks heap memory on each attempt and can be driven into a denial of service.
CVSS v3 Severity: 5.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
4.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
5.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
4.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
4.6 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:N/I:N/A:C)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Complete
Vulnerability Type: CWE-772
Vulnerability Consequences: Denial of Service
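The summary above describes the bug class without showing it. The following is an added example written for this page, not code from FLAC or from the referenced fix commit: a minimal parser for the body of a FLAC VORBIS_COMMENT metadata block (vendor string, then a list of length-prefixed comments, all lengths little-endian 32-bit, which is the real Vorbis comment layout), written once with the CWE-772 pattern and once with the cleanup a hardened parser needs. The function names, the struct layout, the allocation counter and the two sample inputs are all constructed for illustration; the real read_metadata_vorbiscomment_() has a different structure and reads through libFLAC's bitreader, and the example does not reproduce the exact line the commit changed.

```c
/*
 * Added example (not FLAC's code): a simplified VORBIS_COMMENT body parser,
 * first leaking on a short read (CWE-772), then releasing everything it
 * allocated on every error path. The allocation counter makes the leak
 * observable without a tool; in practice you would run the real decoder on
 * a truncated file under AddressSanitizer's LeakSanitizer or valgrind.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Live-allocation counter: > 0 after a parse that failed means something leaked. */
static long live_allocs = 0;
static void *xmalloc(size_t n)            { void *p = malloc(n ? n : 1);       if (p) live_allocs++; return p; }
static void *xcalloc(size_t n, size_t sz) { void *p = calloc(n ? n : 1, sz ? sz : 1); if (p) live_allocs++; return p; }
static void  xfree(void *p)               { if (p) { free(p); live_allocs--; } }

struct comment { uint32_t length; uint8_t *entry; };
struct vorbis_comment {
    uint32_t vendor_length; uint8_t *vendor;
    uint32_t num_comments;  struct comment *comments;
};

/* Vorbis comment lengths are little-endian u32. Returns 0 when fewer than 4 bytes remain. */
static int read_u32le(const uint8_t *buf, size_t len, size_t *pos, uint32_t *out) {
    if (len - *pos < 4) return 0;
    *out = (uint32_t)buf[*pos] | (uint32_t)buf[*pos + 1] << 8 |
           (uint32_t)buf[*pos + 2] << 16 | (uint32_t)buf[*pos + 3] << 24;
    *pos += 4;
    return 1;
}

/* Copies n bytes into a fresh allocation; 0 on short read or allocation failure. */
static int read_bytes(const uint8_t *buf, size_t len, size_t *pos, uint32_t n, uint8_t **out) {
    if (len - *pos < n) return 0;
    *out = xmalloc(n);
    if (!*out) return 0;
    memcpy(*out, buf + *pos, n);
    *pos += n;
    return 1;
}

/* Frees vendor, the comments array and num_comments entries; safe on a zeroed struct. */
void vorbis_comment_free(struct vorbis_comment *vc) {
    for (uint32_t i = 0; i < vc->num_comments; i++) xfree(vc->comments[i].entry);
    xfree(vc->comments);
    xfree(vc->vendor);
    memset(vc, 0, sizeof *vc);
}

/* LEAKY (CWE-772): a short read inside the loop returns without releasing the
 * vendor string, the comments array and the entries already read. A file that
 * is cut off (or crafted) at that point leaks on every decode attempt. */
int parse_vorbis_comment_leaky(const uint8_t *buf, size_t len, struct vorbis_comment *vc) {
    size_t pos = 0;
    memset(vc, 0, sizeof *vc);
    if (!read_u32le(buf, len, &pos, &vc->vendor_length)) return 0;
    if (!read_bytes(buf, len, &pos, vc->vendor_length, &vc->vendor)) return 0;     /* leaks nothing yet */
    if (!read_u32le(buf, len, &pos, &vc->num_comments)) return 0;                  /* leaks vendor */
    vc->comments = xmalloc((size_t)vc->num_comments * sizeof *vc->comments);
    if (!vc->comments) return 0;                                                   /* leaks vendor */
    for (uint32_t i = 0; i < vc->num_comments; i++) {
        if (!read_u32le(buf, len, &pos, &vc->comments[i].length)) return 0;        /* leaks everything so far */
        if (!read_bytes(buf, len, &pos, vc->comments[i].length, &vc->comments[i].entry)) return 0;
    }
    return 1;
}

/* FIXED: num_comments only ever counts fully read entries, and every failure
 * goes through one cleanup path, so the free routine releases exactly what was
 * allocated. Added hardening (not part of the page's fix): the comment count is
 * attacker-controlled, so it is bounded by the bytes left before allocating. */
int parse_vorbis_comment_fixed(const uint8_t *buf, size_t len, struct vorbis_comment *vc) {
    size_t pos = 0;
    uint32_t i, n;
    memset(vc, 0, sizeof *vc);
    if (!read_u32le(buf, len, &pos, &vc->vendor_length)) goto fail;
    if (!read_bytes(buf, len, &pos, vc->vendor_length, &vc->vendor)) goto fail;
    if (!read_u32le(buf, len, &pos, &n)) goto fail;
    if (n > (len - pos) / 4) goto fail;          /* each comment needs at least its 4-byte length */
    vc->comments = xcalloc(n, sizeof *vc->comments);
    if (!vc->comments) goto fail;
    for (i = 0; i < n; i++) {
        if (!read_u32le(buf, len, &pos, &vc->comments[i].length)) goto fail;
        if (!read_bytes(buf, len, &pos, vc->comments[i].length, &vc->comments[i].entry)) goto fail;
        vc->num_comments = i + 1;
    }
    return 1;
fail:
    vorbis_comment_free(vc);
    return 0;
}

/* Constructed sample body: vendor "x", then two comments "a=1" and "b=22". */
static const uint8_t SAMPLE_OK[] = {
    0x01, 0, 0, 0, 'x',
    0x02, 0, 0, 0,
    0x03, 0, 0, 0, 'a', '=', '1',
    0x04, 0, 0, 0, 'b', '=', '2', '2'
};
/* Constructed sample cut off inside the second comment's length field. */
static const uint8_t SAMPLE_TRUNCATED[] = {
    0x01, 0, 0, 0, 'x',
    0x02, 0, 0, 0,
    0x03, 0, 0, 0, 'a', '=', '1',
    0x04, 0
};

typedef int (*parser_fn)(const uint8_t *, size_t, struct vorbis_comment *);

/* Runs a parser and reports how many allocations it lost track of (0 is correct). */
long leaked_by(parser_fn parse, const uint8_t *buf, size_t len, int *ok) {
    struct vorbis_comment vc;
    long before = live_allocs;
    int r = parse(buf, len, &vc);
    if (ok) *ok = r;
    if (r) vorbis_comment_free(&vc);    /* the caller's normal cleanup on success */
    return live_allocs - before;
}

int main(void) {
    int ok;
    printf("leaky parser, truncated input: %ld allocations leaked\n",
           leaked_by(parse_vorbis_comment_leaky, SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, &ok));
    printf("fixed parser, truncated input: %ld allocations leaked\n",
           leaked_by(parse_vorbis_comment_fixed, SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, &ok));
    return 0;
}
```

The practitioner's check is the same shape as leaked_by(): decode a truncated or fuzzed file in a loop with a leak detector attached and watch whether the live heap grows. The leaky parser loses three allocations per attempt on the truncated sample; the fixed one loses none, whether the input is valid or cut short.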
References:
Source: MITRE
Type: CNA
CVE-2017-6888

Source: CCN
Type: BugTraq Mailing List, Mon, 15 May 2017 11:55:20 +0200 (CEST)
Secunia Research: FLAC "read_metadata_vorbiscomment_()" Memory Leak Denial of Service Vulnerability

Source: XF
Type: UNKNOWN
flac-cve20176888-dos(125997)

Source: CCN
Type: FLAC GIT Repository
stream_decoder.c: Fix a memory leak

Source: CONFIRM
Type: Patch, Third Party Advisory
https://git.xiph.org/?p=flac.git;a=commit;h=4f47b63e9c971e6391590caf00a0f2a5ed612e67

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20210104 [SECURITY] [DLA 2514-1] flac security update

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-ed9c13a1d5

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-a48ccc6754

Source: MISC
Type: Third Party Advisory
https://secuniaresearch.flexerasoftware.com/advisories/82639/

Source: MISC
Type: Third Party Advisory
https://secuniaresearch.flexerasoftware.com/secunia_research/2017-7/

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2017-6888

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:flac_project:flac:*:*:*:*:*:*:*:* (Version <= 1.3.2)

Configuration 2:
  • cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 3:
  • cpe:/o:fedoraproject:fedora:32:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:flac_project:flac:1.3.2:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions (Class: V = vulnerability definition, P = patch definition)
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:20176888 | V | CVE-2017-6888 | 2023-06-22
oval:org.opensuse.security:def:7496 | P | flac-devel-1.3.2-150000.3.11.1 on GA media (Moderate) | 2023-06-12
oval:org.opensuse.security:def:652 | P | Security update for qemu (Moderate) (in QA) | 2022-10-06
oval:org.opensuse.security:def:3386 | P | transfig-3.2.5e-2.3.2 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:3398 | P | wpa_supplicant-2.6-15.10.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:94551 | P | flac-devel-1.3.2-3.9.1 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:2921 | P | flac-devel-1.3.2-3.9.1 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:56 | P | flac-devel-1.3.2-3.6.1 on GA media (Moderate) | 2022-06-13
oval:org.opensuse.security:def:352 | P | rpcbind-0.2.3-5.9.2 on GA media (Moderate) | 2022-06-10
oval:org.opensuse.security:def:100421 | P | (Moderate) | 2022-02-21
oval:org.opensuse.security:def:94266 | P | (Important) | 2022-02-04
oval:org.opensuse.security:def:112237 | P | flac-1.3.3-1.9 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:69744 | P | Security update for dnsmasq (Moderate) | 2021-10-27
oval:org.opensuse.security:def:70839 | P | Security update for strongswan (Important) | 2021-10-19
oval:org.opensuse.security:def:1485 | P | Security update for ffmpeg (Moderate) | 2021-10-06
oval:org.opensuse.security:def:105767 | P | flac-1.3.3-1.9 on GA media (Moderate) | 2021-10-01
oval:org.opensuse.security:def:2123 | P | libecpg6-10.6-6.25 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:61441 | P | flac-devel-1.3.2-3.3.20 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:71182 | P | flac-devel-1.3.2-3.3.20 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:96561 | P | flac-devel-1.3.2-3.3.20 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:89596 | P | flac-devel-1.3.2-3.3.20 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:103251 | P | flac-devel-1.3.2-3.3.20 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:48017 | P | ghostscript-9.27-23.28.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:48002 | P | eog-3.20.4-7.7 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47334 | P | libblkid1-2.29.2-2.3 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:48138 | P | libkpathsea6-6.2.0dev-22.3.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47426 | P | libvirglrenderer0-0.5.0-11.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:48331 | P | unrar-5.0.14-3.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47574 | P | clamav-0.100.2-33.18.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:48030 | P | grub2-2.02-12.15.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47788 | P | libsqlite3-0-3.8.10.2-8.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:48101 | P | libcdio14-0.90-6.3.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47999 | P | ecryptfs-utils-103-8.3.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47872 | P | python3-requests-2.7.0-2.3 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:46888 | P | apache-commons-daemon-1.0.15-4.181 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47934 | P | zoo-2.10-1020.56 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47009 | P | libasan2-32bit-5.3.1+r233831-9.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:48003 | P | evince-3.20.2-6.27.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47202 | P | apache-commons-httpclient-3.1-4.364 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:100979 | P | flac-1.3.2-3.3.20 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:63422 | P | flac-1.3.2-3.3.20 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:2382 | P | flac-1.3.2-3.6.1 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:107645 | P | flac-1.3.2-3.3.20 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:63471 | P | flac-1.3.2-3.6.1 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:2333 | P | flac-1.3.2-3.3.20 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:100832 | P | flac-devel-1.3.2-3.6.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:985 | P | flac-devel-1.3.2-3.6.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:62074 | P | flac-devel-1.3.2-3.6.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:71815 | P | flac-devel-1.3.2-3.6.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:70952 | P | libXinerama-devel-1.1.3-1.22 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48463 | P | libXRes1-1.0.7-3.53 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48555 | P | libsystemd0-228-117.12 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:46874 | P | xlockmore-5.43-5.33 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48703 | P | python-devel-2.7.7-2.36 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:46873 | P | xinetd-2.3.15-7.7 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48917 | P | lhasa-0.2.0-5.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48739 | P | libpcsclite1-32bit-1.8.10-3.7 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48793 | P | libmysqlclient_r18-10.0.27-12.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:69639 | P | Security update for ceph (Important) | 2021-05-04
oval:org.opensuse.security:def:49039 | P | libuuid-devel-2.33.2-2.13 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:116645 | P | flac-devel-1.3.2-3.3.20 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:61741 | P | flac-devel-1.3.2-3.3.20 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:71482 | P | flac-devel-1.3.2-3.3.20 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:49001 | P | lcms-1.19-17.31 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:93708 | P | flac-devel-1.3.2-3.3.20 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:107087 | P | flac-devel-1.3.2-3.3.20 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:2708 | P | Security update for MozillaFirefox (Important) | 2020-12-02
oval:org.opensuse.security:def:2732 | P | Security update for ImageMagick (Moderate) | 2020-12-02
oval:org.opensuse.security:def:2748 | P | Security update for libjpeg-turbo (Moderate) | 2020-12-02
oval:org.opensuse.security:def:2738 | P | Security update for ffmpeg (Important) | 2020-12-02
oval:org.opensuse.security:def:2661 | P | Security update for MozillaFirefox (Important) | 2020-12-02
oval:org.opensuse.security:def:2746 | P | Security update for libqt5-qtimageformats (Moderate) | 2020-12-02
oval:org.opensuse.security:def:2657 | P | Security update for ImageMagick (Important) | 2020-12-02
oval:org.opensuse.security:def:2667 | P | Security update for openssh (Moderate) | 2020-12-02
oval:org.opensuse.security:def:2679 | P | Security update for wireshark (Moderate) | 2020-12-02
oval:org.opensuse.security:def:2693 | P | Security update for ghostscript (Important) | 2020-12-02
oval:org.opensuse.security:def:2699 | P | Security update for SDL2 (Moderate) | 2020-12-02
oval:org.opensuse.security:def:49063 | P | c-ares-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:64252 | P | flac-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50164 | P | libstaroffice-0_0-0 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50493 | P | Security update for rsyslog (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50389 | P | Security update for libvirt (Important) | 2020-12-01
oval:org.opensuse.security:def:49175 | P | libidn2-0 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50254 | P | transfig on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49093 | P | flac-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:66296 | P | Security update for LibreOffice (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49193 | P | libmicrohttpd12 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50324 | P | Security update for fuse (Moderate) | 2020-12-01
oval:org.opensuse.security:def:66388 | P | flac-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49174 | P | libidn-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:73079 | P | flac-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50506 | P | Security update for clamav (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49320 | P | python3-urllib3 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50560 | P | Security update for flac (Low) | 2020-12-01
oval:org.opensuse.security:def:67499 | P | Security update for the Linux Kernel (Important) | 2020-12-01
oval:org.opensuse.security:def:49525 | P | gvim on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:67599 | P | flac-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:51769 | P | Security update for gcc9 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49671 | P | libjasper-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:72961 | P | Security update for the Linux Kernel (Important) | 2020-12-01
oval:org.opensuse.security:def:49159 | P | libblkid-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:51831 | P | Security update for flac (Low) | 2020-12-01
oval:org.opensuse.security:def:49769 | P | ant-antlr on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49230 | P | libserf-1-1 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49128 | P | kernel-firmware on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49926 | P | python2-pycrypto on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:64165 | P | Security update for spice-gtk (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50420 | P | Security update for postgresql10 (Moderate) | 2020-12-01
oval:com.ubuntu.bionic:def:201768880000000 | V | CVE-2017-6888 on Ubuntu 18.04 LTS (bionic) - low. | 2018-04-25
oval:com.ubuntu.artful:def:20176888000 | V | CVE-2017-6888 on Ubuntu 17.10 (artful) - low. | 2018-04-25
oval:com.ubuntu.xenial:def:20176888000 | V | CVE-2017-6888 on Ubuntu 16.04 LTS (xenial) - low. | 2018-04-25
oval:com.ubuntu.xenial:def:201768880000000 | V | CVE-2017-6888 on Ubuntu 16.04 LTS (xenial) - low. | 2018-04-25
oval:com.ubuntu.bionic:def:20176888000 | V | CVE-2017-6888 on Ubuntu 18.04 LTS (bionic) - low. | 2018-04-25
oval:com.ubuntu.disco:def:201768880000000 | V | CVE-2017-6888 on Ubuntu 19.04 (disco) - low. | 2018-04-25
oval:com.ubuntu.cosmic:def:20176888000 | V | CVE-2017-6888 on Ubuntu 18.10 (cosmic) - low. | 2018-04-25
oval:com.ubuntu.cosmic:def:201768880000000 | V | CVE-2017-6888 on Ubuntu 18.10 (cosmic) - low. | 2018-04-25
oval:com.ubuntu.trusty:def:20176888000 | V | CVE-2017-6888 on Ubuntu 14.04 LTS (trusty) - low. | 2018-04-25