Multiple FLAC Vulnerabilities Affect Every OS

Enon writes "eEye Digital Security has discovered 14 vulnerabilities in the FLAC file format that affect a huge range of media players on every supported operating system (Windows, Mac OS, Linux, Unix, BSD, Solaris, and even some hardware players are vulnerable). Heise points out a number of vulnerable apps that use the open source libavcodec audio codec library, which in turn relies on the flawed libFLAC library. These vulnerabilities could allow a person of ill will to trojanize FLAC files that could compromise your computer if they are played on a vulnerable media player. eEye worked with US-CERT to notify vulnerable vendors."

Sanity checks:

[andreyvul]

Perform them.

Re:But I thought that this didn't happen with FOSS

[Locklin]

Not that I like feeding trolls, but wake up, no one here think's FLOSS == perfect security, that's why both my Ubuntu and Fedora machine get software updates on a regular basis. The primary difference between FLOSS and proprietary security is transparency: do you know how many ten year old bugs are sitting in Windows or IE which Microsoft refuses to fix? Unless you work for them, you likely don't have a clue.

Re:But I thought that this didn't happen with FOSS

[Crypto+Gnome]

Firstly...

libFLAC version 1.2.1 was released in September, 2007, fixing these vulnerabilities for most vulnerable applications.
Secondly...

this isn't supposed to happen with FOSS Actually exactly this IS supposed to happen with FOSS.

Where this is .... someone other than the original developer(s) read through the original source code in order to identify vulnerabilities, and then provided information about said vulnerabilities back to the original developer(s) who promptly resolved the aforementioned vulnerabilities, with many thanks"

Re:But I thought that this didn't happen with FOSS

[BlueParrot]

So this is really ironic - Its my understating from reading hundreds and hundreds of /. posts that this isn't supposed to happen with FOSS. Only Micro$oft developers are supposed to have security bugs like this.

You misunderstood. Where FLOSS differs from microsoft is:

a)This bug was discovered by third parties because they had access to the source
b)The bug is already fixed
c)Even on still vulnerable systems it wouldn't give you root access
d)It would have to rely on special plugins or user action
e)The problem is clearly described and documented allowing users to take precautions

Compare this to a vaguely described bug in your rendering engine for animated cursors enabling arbitrary webpages to compromise kernel space, and this not being fixed for days or even weeks despite documented exploits in the wild.

Somehow I don't see the irony.

Thank you eEye and Devs

[awfar]

A sincere Thank You for your efforts, identifying the issue and alerting the Devs, and correcting the problem.

This is the way things were meant to work, as so eloquently put elsewhere.

the whole point: it's NOT sanity checking

[r00t]

It's well-known that people tend to botch sanity checking. Thus, we should seek alternatives.

My solution is far less complicated in total. Yeah, setting up a guard page isn't taught in Programming for Dummies. It's not a lot of code though, it's easy to test, and it's damn reliable.

People who write secure code try to avoid having to trust themselves to get everything right. People who write insecure code think that somehow, despite decades of failure, they'll get it all right. Look ma, no bugs! Sure...

Re:the whole point: it's NOT sanity checking

[r00t]

Heh.

Studies show that nearly everybody thinks he is a better-than-average driver.

Kind of the same problem, no? Maybe this is why we require safety equipment.