Slashdot Mirror


Multiple FLAC Vulnerabilities Affect Every OS

Enon writes "eEye Digital Security has discovered 14 vulnerabilities in the FLAC file format that affect a huge range of media players on every supported operating system (Windows, Mac OS, Linux, Unix, BSD, Solaris, and even some hardware players are vulnerable). Heise points out a number of vulnerable apps that use the open source libavcodec audio codec library, which in turn relies on the flawed libFLAC library. These vulnerabilities could allow a person of ill will to trojanize FLAC files that could compromise your computer if they are played on a vulnerable media player. eEye worked with US-CERT to notify vulnerable vendors."
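Added here as an illustration of the class of flaw behind this kind of media-file bug, not code from the article, from eEye, or from libFLAC: a FLAC metadata-block walker that checks every length field against the bytes actually present before using it. The sample bytes are constructed, and the STREAMINFO size and header layout follow the public FLAC format.

```python
# Added example (not from the article or eEye's advisory): a bounds-checked
# walk of FLAC metadata block headers, the length validation a decoder must
# do before trusting a file. All sample bytes below are constructed.
import struct

FLAC_MAGIC = b"fLaC"
STREAMINFO_LEN = 34          # STREAMINFO payload is fixed at 34 bytes
BLOCK_TYPE_STREAMINFO = 0    # block type 0; must be the first block

def parse_metadata_blocks(data: bytes):
    """Return [(block_type, length), ...] or raise ValueError.
    Each 24-bit length from the file is checked against the bytes actually
    present before it is used, so a hostile length cannot drive a read or
    copy past the buffer."""
    if data[:4] != FLAC_MAGIC:
        raise ValueError("missing fLaC marker")
    pos, blocks = 4, []
    while True:
        if pos + 4 > len(data):
            raise ValueError("truncated metadata block header")
        hdr = data[pos]                  # bit 7: last-block flag, bits 0-6: type
        is_last, btype = bool(hdr & 0x80), hdr & 0x7F
        length = struct.unpack(">I", b"\x00" + data[pos + 1:pos + 4])[0]
        pos += 4
        if length > len(data) - pos:
            raise ValueError(f"block length {length} exceeds remaining {len(data) - pos} bytes")
        if not blocks and btype != BLOCK_TYPE_STREAMINFO:
            raise ValueError("first block must be STREAMINFO")
        if btype == BLOCK_TYPE_STREAMINFO and length != STREAMINFO_LEN:
            raise ValueError(f"STREAMINFO length {length} != {STREAMINFO_LEN}")
        blocks.append((btype, length))
        pos += length
        if is_last:
            return blocks

def _block(btype: int, payload: bytes, last: bool = False) -> bytes:
    return bytes([btype | (0x80 if last else 0)]) + len(payload).to_bytes(3, "big") + payload

# Constructed inputs: a well-formed header, and one whose PADDING block (type 1)
# claims 16 MiB although only 8 bytes follow, the unchecked-length pattern.
GOOD = FLAC_MAGIC + _block(0, b"\x00" * 34) + _block(1, b"\x00" * 8, last=True)
HOSTILE = FLAC_MAGIC + _block(0, b"\x00" * 34) + bytes([0x81]) + (0xFFFFFF).to_bytes(3, "big") + b"\x00" * 8

def is_safe(data: bytes) -> bool:
    try:
        parse_metadata_blocks(data)
        return True
    except ValueError:
        return False
```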

16 of 360 comments

  1. root listens to audio? by Gothmolly · · Score: 2, Funny

    How often does root listen to audio, esp. considering the new and improved root-like access Ubuntu and Fedora have set up?

    Oh, you mean that a USER could compromise THEIR PERSONAL FILES... well, that does suck, but you have backups, right?

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:root listens to audio? by QuantumG · · Score: 3, Funny

      This is an example of the term "failure of imagination."

      Someone malicious can craft a .flac file which can execute arbitrary code when it is run on an affected player.

      That someone can give that .flac file to someone else who doesn't know it is maliciously crafted and when they play the file, they have given arbitrary code execution privileges to the malicious crafty person.

      I thought everyone got that from the description, but there will always be some ignorant fool who can't help but speak up and, here's the great part, there will always be someone who is even more stupid who mods them up.

      That's the magic of Slashdot.

      --
      How we know is more important than what we know.
    2. Re:root listens to audio? by Goaway · · Score: 2, Funny

      So what exactly is that that you think malware wants to do that it can do as root but not as a user?

    3. Re:root listens to audio? by Anonymous Coward · · Score: 1, Funny

      Audio just doesn't sound the same if it's not run through a process owned by root.

    4. Re:root listens to audio? by paulgrant · · Score: 5, Funny

      or play a video with flac as the audio algorithm.
      right.
      especially if it plays silence on a transparent pixel.
      MAN THIS SUCKS.

    5. Re:root listens to audio? by Gothmolly · · Score: 3, Funny

      What you just described is a virus, and in fact, has existed nearly as long as computers have. If you don't trust your flac-giving buddy, why take anything he gives you at all? The point is that "flac" cannot compromise your system, only your data. Unless you play the file as root.

      --
      I want to delete my account but Slashdot doesn't allow it.
    6. Re:root listens to audio? by definate · · Score: 2, Funny

      It seems you're writing a pro Vista comment...

      We don' like yo' type 'roun' 'ere, yew best keep moving.

      Man, I hope I got my punctuation of the accent correct, or I am going to get reamed by Grammar Nazis.

      --
      This is my footer. There are many like it, but this one is mine.
    7. Re:root listens to audio? by a_nonamiss · · Score: 4, Funny

      OK, this is Slashdot. Nobody here has a wife, let alone a mistress.

      You are right about the backups, though...

      --
      -Arthur
      Cave ne ante ullas catapultas ambules
  2. I bet someone will cop some flack for this.. by QuantumG · · Score: 2, Funny

    HAW HAW HAW.

    --
    How we know is more important than what we know.
  3. The best thing about these vulnerabilities by Anonymous Coward · · Score: 2, Funny

    Is that they're still lossless.

  4. Old McDonald Had a Farm by Lachryma · · Score: 5, Funny

    eEye worked with US-CERT to notify vulnerable vendors.
    If this happened over email, one could consider it eEye e-I/O.
  5. Phew by Frogbert · · Score: 5, Funny

    Good thing no one uses this esoteric "FLAC" format.

  6. Those security tell me to get the FLAC out of here by syousef · · Score: 2, Funny

    I thought they were just being rude. Now I know why.

    --
    These posts express my own personal views, not those of my employer
  7. Some things in life, money can't buy... by Mr2001 · · Score: 5, Funny

    Subscription to Stereophile magazine: $10.

    Additional hard drive to store your lossless music collection: $200.

    Portable audio player that supports FLAC: $300.

    High-end headphones and speakers necessary to hear the difference between MP3/AAC and FLAC: $1000.

    Gold shielded power, speaker, and headphone cables to avoid picking up noise that masks the differences between MP3/AAC and FLAC: $2000.

    Watching all that equipment turn into one big zombie spambot as soon as you press "play": priceless.

    --
    Visual IRC: Fast. Powerful. Free.
    1. Re:Some things in life, money can't buy... by WWWWolf · · Score: 2, Funny

      True audiophiles do not use FLAC encoding! A FLAC-encoded sound will have to be processed using a complex computational process, which will mean it will travel through very, very many transistors in the CPU before it hits the DAC on sound card, thus causing noticeable and very jarring latency in the sound. Even uncompressed files have headers which might affect seek performance. No, true audiophiles use raw sound data - indeed, raw sound files also save disk space, because they don't have headers.

  8. Re:Another idiot gets modded up by silent_artichoke · · Score: 2, Funny

    No, there can't be. I get mod points twice a week... Oh, wait...