New issue
Advanced search Search tips

Issue 854604 link

Starred by 1 user
Status: Assigned
Owner:
dalecur...@chromium.org
Cc:
tommi@chromium.org
foolip@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug

Blocking:
issue 837495



Sign in to add a comment

Update libFlac to the latest version of 1.3.2.

Project Member Reported by richard....@sap.com, Jun 20 2018 
Chrome Version: Our vulnerability scan was performed on Chromium embedded Framework 3.3396.1777, which contains Chromium 67.0.3396.79
OS: -

What steps will reproduce the problem?
(1)
(2)
(3)

We perform OSS Security scans of Chromium embedded Framework / Chromium. The scan identified the memory leak, described in CVE-2017-6888 for the copy of project Flac 1.3.1, which is bundled in the Chromium project (see: https://cs.chromium.org/chromium/src/third_party/flac/README?sq&g=0).

More details about the vulnerability: CVE-2017-688: https://cs.chromium.org/chromium/src/third_party/flac/README?sq&g=0.

A correction in the flac project seems to be available with the following commit: https://git.xiph.org/?p=flac.git;a=commit;h=4f47b63e9c971e6391590caf00a0f2a5ed612e67

However I do not know, if this is even exploitable within Chromium.

best regards,
Richard Lorenz

Comment 1 by dtapu...@chromium.org, Jun 20 2018

Cc: tommi@chromium.org foolip@chromium.org
Components: Internals>Media>Codecs
Not sure if this is the right component.

Comment 2 by foolip@chromium.org, Jun 20 2018

Blocking: 837495

Comment 3 by dalecur...@chromium.org, Jun 20 2018 

We don't use libflac for decoding so this doesn't affect us, but probably still worth updating the library.

Comment 4 by richard....@sap.com, Jun 21 2018 

Thank you very much for your comment. In this case I would leave the decision completely up to you, if an update of the library should be performed.

Thanks,
Richard

Comment 5 by dougman@chromium.org, Jul 19

Owner: dalecur...@chromium.org
Status: Assigned (was: Untriaged)

Sign in to add a comment