Headline
Ubuntu Security Notice USN-5733-1
Ubuntu Security Notice 5733-1 - It was discovered that FLAC was not properly performing memory management operations, which could result in a memory leak. An attacker could possibly use this issue to cause FLAC to consume resources, leading to a denial of service. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM and Ubuntu 18.04 LTS. It was discovered that FLAC was not properly performing bounds checking operations when decoding data. If a user or automated system were tricked into processing a specially crafted file, an attacker could possibly use this issue to expose sensitive information or to cause FLAC to crash, leading to a denial of service. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
==========================================================================Ubuntu Security Notice USN-5733-1November 21, 2022flac vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTS- Ubuntu 18.04 LTS- Ubuntu 16.04 ESM- Ubuntu 14.04 ESMSummary:Several security issues were fixed in FLAC.Software Description:- flac: Free Lossless Audio CodecDetails:It was discovered that FLAC was not properly performing memory managementoperations, which could result in a memory leak. An attacker could possiblyuse this issue to cause FLAC to consume resources, leading to a denial ofservice. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM andUbuntu 18.04 LTS. (CVE-2017-6888)It was discovered that FLAC was not properly performing bounds checkingoperations when decoding data. If a user or automated system were trickedinto processing a specially crafted file, an attacker could possibly usethis issue to expose sensitive information or to cause FLAC to crash,leading to a denial of service. This issue only affected Ubuntu 14.04 ESM,Ubuntu 16.04 ESM, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-0499)It was discovered that FLAC was not properly performing bounds checkingoperations when encoding data. If a user or automated system were trickedinto processing a specially crafted file, an attacker could possibly usethis issue to expose sensitive information or to cause FLAC to crash,leading to a denial of service. (CVE-2021-0561)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS: flac 1.3.3-2ubuntu0.1 libflac++6v5 1.3.3-2ubuntu0.1 libflac8 1.3.3-2ubuntu0.1Ubuntu 20.04 LTS: flac 1.3.3-1ubuntu0.1 libflac++6v5 1.3.3-1ubuntu0.1 libflac8 1.3.3-1ubuntu0.1Ubuntu 18.04 LTS: flac 1.3.2-1ubuntu0.1 libflac++6v5 1.3.2-1ubuntu0.1 libflac8 1.3.2-1ubuntu0.1Ubuntu 16.04 ESM: flac 1.3.1-4ubuntu0.1~esm1 libflac++6v5 1.3.1-4ubuntu0.1~esm1 libflac8 1.3.1-4ubuntu0.1~esm1Ubuntu 14.04 ESM: flac 1.3.0-2ubuntu0.14.04.1+esm1 libflac++6 1.3.0-2ubuntu0.14.04.1+esm1 libflac8 1.3.0-2ubuntu0.14.04.1+esm1In general, a standard system update will make all the necessary changes.References: https://ubuntu.com/security/notices/USN-5733-1 CVE-2017-6888, CVE-2020-0499, CVE-2021-0561Package Information: https://launchpad.net/ubuntu/+source/flac/1.3.3-2ubuntu0.1 https://launchpad.net/ubuntu/+source/flac/1.3.3-1ubuntu0.1 https://launchpad.net/ubuntu/+source/flac/1.3.2-1ubuntu0.1Related news
Improper Authentication vulnerability in the encrypted volumes and auto mount features of Western Digital My Cloud devices allows insecure direct access to the drive information in the case of a device reset. This issue affects: Western Digital My Cloud My Cloud versions prior to 5.25.124 on Linux.
An update for flac is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-0561: flac: out of bound write in append_to_verify_fifo_interleaved_ of stream_encoder.c
In append_to_verify_fifo_interleaved_ of stream_encoder.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-174302683
In onHandleIntent of TraceService.java, there is a possible bypass of developer settings requirements for capturing system traces due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android Versions: Android-11 Android ID: A-142936525
In onHandleIntent of TraceService.java, there is a possible bypass of developer settings requirements for capturing system traces due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android Versions: Android-11 Android ID: A-142936525