Multiple FLAC Vulnerabilities Affect Every OS
Enon writes "eEye Digital Security has discovered 14 vulnerabilities in the FLAC file format that affect a huge range of media players on every supported operating system (Windows, Mac OS, Linux, Unix, BSD, Solaris, and even some hardware players are vulnerable). Heise points out a number of vulnerable apps that use the open source libavcodec audio codec library, which in turn relies on the flawed libFLAC library. These vulnerabilities could allow a person of ill will to trojanize FLAC files that could compromise your computer if they are played on a vulnerable media player. eEye worked with US-CERT to notify vulnerable vendors."
The fact you are an MS developer pretty much explains why you are that stupid.
The phrase "more better" is acceptable English. Suck it, grammar Nazis.
A sincere Thank You for your efforts, identifying the issue and alerting the Devs, and correcting the problem. This is the way things were meant to work, as so eloquently put elsewhere.
Yeah. A sincere thank you to the engineers who designed that bridge which fell down due to not one, but multiple catastrophic flaws. I'm sure you'll do better next time. This is the way engineering is supposed to work.
Wait, no it isn't.
None of what you just described counts as a "sanity check." It's more like putting an immensely complicated band-aid on the problem so that when things do explode they explode in a predictable way. This can be a good thing in certain fields. If failure of your software might cause somebody's death, then yes, you want complete assurance that things cannot silently go wrong. But failing that, this is nothing but a poor substitute for good coding practice.
If you have so much doubt in your own code, why do you trust yourself to correctly execute this complex plan? "Well, I package it up in a function so I only have to get it right once." Yeah... Ever thought of applying that concept to, I don't know, THE REST OF YOUR CODE?
No, they simply wanted to foist their own proprietary formats upon users and thus tie them down to the iPod platform, as with their lovely DRMless music from iTMS. They're bastards and we wouldn't accept it from anyone else, but people just seem happy to be shafted by Steve and co.
Aren't we prideful. Do you work for Microsoft or something? Everyone makes mistakes. In the real world, you should program in as many sanity checks as you can. Overcompensating for potential problems will usually lead to more secure and stable programs, or at the very least make it fail in a less catastrophic way.
Where did I say we didn't need sanity checks? What I said was, this DOESN'T EVEN COUNT as a sanity check. You could do all this crap so that you feel comfortable AVOIDING real sanity checks, OR, you could check if the index you are about to reference is in range or not. THAT'S a sanity check. I really can't imagine how you read the complete opposite of what I meant.
What r00t is suggesting is like pointing a gun at your wife but hey, at least you made sure she was wearing a bulletproof vest. What I'm suggesting is to not point the gun at your wife at all.
Fuck Slashdot. Is there an algorithm for choosing the most stupid people to moderate or what?
How we know is more important than what we know.