{"id":"CVE-2017-12678","details":"In TagLib 1.11.1, the rebuildAggregateFrames function in id3v2framefactory.cpp has a pointer to cast vulnerability, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted audio file.","modified":"2026-03-15T22:14:12.397236Z","published":"2017-08-08T01:34:00.080Z","related":["MGASA-2017-0286","openSUSE-SU-2024:11421-1"],"references":[{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/09/msg00020.html"},{"type":"FIX","url":"https://github.com/taglib/taglib/commit/cb9f07d9dcd791b63e622da43f7b232adaec0a9a"},{"type":"FIX","url":"https://github.com/taglib/taglib/issues/829"},{"type":"FIX","url":"https://github.com/taglib/taglib/pull/831"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/taglib/taglib","events":[{"introduced":"0"},{"last_affected":"e36a9cabb9882e61276161c23834d966d62073b7"},{"fixed":"cb9f07d9dcd791b63e622da43f7b232adaec0a9a"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.11.1"}]}}],"versions":["v1.10","v1.10beta","v1.11","v1.11.1","v1.11beta","v1.11beta2","v1.5","v1.6","v1.6.1","v1.6.2","v1.6.3","v1.6rc1","v1.7","v1.7.1","v1.7.2","v1.7rc1","v1.8","v1.8beta","v1.9","v1.9.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-12678.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0"}]}],"vanir_signatures":[{"target":{"function":"FrameFactory::rebuildAggregateFrames","file":"taglib/mpeg/id3v2/id3v2framefactory.cpp"},"signature_type":"Function","deprecated":false,"source":"https://github.com/taglib/taglib/commit/cb9f07d9dcd791b63e622da43f7b232adaec0a9a","digest":{"function_hash":"63189154665858681151973652675033772745","length":1162},"signature_version":"v1","id":"CVE-2017-12678-51e627e6"},{"target":{"file":"taglib/mpeg/id3v2/id3v2framefactory.cpp"},"signature_type":"Line","deprecated":false,"source":"https://github.com/taglib/taglib/commit/cb9f07d9dcd791b63e622da43f7b232adaec0a9a","digest":{"threshold":0.9,"line_hashes":["220139894708303143899526924524560798224","331122330798241866706006235958792627874","115681426174653110933180385216535435262","143728083367336673008615923459110808737","100579267743060690021987545153789673597","321646883927881145213580466139976781879"]},"signature_version":"v1","id":"CVE-2017-12678-99eaacdd"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}