Slashdot Mirror


Multiple FLAC Vulnerabilities Affect Every OS

Enon writes "eEye Digital Security has discovered 14 vulnerabilities in the FLAC file format that affect a huge range of media players on every supported operating system (Windows, Mac OS, Linux, Unix, BSD, Solaris, and even some hardware players are vulnerable). Heise points out a number of vulnerable apps that use the open source libavcodec audio codec library, which in turn relies on the flawed libFLAC library. These vulnerabilities could allow a person of ill will to trojanize FLAC files that could compromise your computer if they are played on a vulnerable media player. eEye worked with US-CERT to notify vulnerable vendors."

7 of 360 comments

  1. Re:root listens to audio? by QuantumG · Score: 3, Funny

    This is an example of the term "failure of imagination."

    Someone malicious can craft a .flac file which can execute arbitrary code when it is run on an affected player.

    That someone can give that .flac file to someone else who doesn't know it is maliciously crafted and when they play the file, they have given arbitrary code execution privileges to the malicious crafty person.

    I thought everyone got that from the description, but there will always be some ignorant fool who can't help but speak up and, here's the great part, there will always be someone who is even more stupid who mods them up.

    That's the magic of Slashdot.

    --
    How we know is more important than what we know.
  2. Old McDonald Had a Farm by Lachryma · Score: 5, Funny

    eEye worked with US-CERT to notify vulnerable vendors.
    If this happened over email, one could consider it eEye e-I/O.
  3. Phew by Frogbert · Score: 5, Funny

    Good thing no one uses this esoteric "FLAC" format.

  4. Re:root listens to audio? by paulgrant · Score: 5, Funny

    or play a video with flac as the audio algorithm.
    right.
    especially if it plays silence on a transparent pixel.
    MAN THIS SUCKS.

  5. Some things in life, money can't buy... by Mr2001 · Score: 5, Funny

    Subscription to Stereophile magazine: $10.

    Additional hard drive to store your lossless music collection: $200.

    Portable audio player that supports FLAC: $300.

    High-end headphones and speakers necessary to hear the difference between MP3/AAC and FLAC: $1000.

    Gold shielded power, speaker, and headphone cables to avoid picking up noise that masks the differences between MP3/AAC and FLAC: $2000.

    Watching all that equipment turn into one big zombie spambot as soon as you press "play": priceless.

    --
    Visual IRC: Fast. Powerful. Free.
  6. Re:root listens to audio? by Gothmolly · Score: 3, Funny

    What you just described is a virus, and in fact, has existed nearly as long as computers have. If you don't trust your flac-giving buddy, why take anything he gives you at all? The point is that "flac" cannot compromise your system, only your data. Unless you play the file as root.

    --
    I want to delete my account but Slashdot doesn't allow it.
  7. Re:root listens to audio? by a_nonamiss · Score: 4, Funny

    OK, this is Slashdot. Nobody here has a wife, let alone a mistress.

    You are right about the backups, though...

    --
    -Arthur
    Cave ne ante ullas catapultas ambules