Slashdot Mirror
Multiple FLAC Vulnerabilities Affect Every OS
Enon writes "eEye Digital Security has discovered 14 vulnerabilities in the FLAC file format that affect a huge range of media players on every supported operating system (Windows, Mac OS, Linux, Unix, BSD, Solaris, and even some hardware players are vulnerable). Heise points out a number of vulnerable apps that use the open source libavcodec audio codec library, which in turn relies on the flawed libFLAC library. These vulnerabilities could allow a person of ill will to trojanize FLAC files that could compromise your computer if they are played on a vulnerable media player. eEye worked with US-CERT to notify vulnerable vendors."
Perform them.
proud caffeine whore
How often does root listen to audio, esp. considering the new and improved root-like access Ubuntu and Fedora have set up?
Oh, you mean that a USER could compromise THEIR PERSONAL FILES... well, that does suck, but you have backups, right?
I want to delete my account but Slashdot doesn't allow it.
HAW HAW HAW.
How we know is more important than what we know.
Possibly another way to jailbreak your iPhone or install Linux on your iPod.
Is that they're still lossless.
It's like a zip/bzip/gzip file, once uncompressed, it's binary equal.
"Knowledge is the only instrument of production that is not subject to diminishing returns" -Journal of Political Econom
It's kind of like running winzip on your wav files. All the data is there, but it fits in a smaller space. Of course, they don't use winzip's compression algorithms because that's really bad at compressing audio. They have special algorithms that are much better at recognizing patterns in wav files. I'm not completely sure how it works, but that's my understanding of it, and the easiest I can explain it.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
Just think about "ziping" a text file. It is smaller than the original file ("compressed") yet when you "unzip" it ALL of the information is still there ("lossless").
FLAC and SHN (shorten) are basically fancy ways of "ziping" a file of audio. So, they are effectively the same thing as the original WAV (what is on the CD).
This of course leaves out any discussion on digital v. analog audio quality, but that is beside the point.
Yes, I over-over-simplified. But it gets the point across.
If you rip a Audio CD to MP3,AAC,WMA or OGG that is lossy compression. There is no way of getting the original data back. If you compress it with FLAC, you can get the exact bits present on the original Audio CD. Note that we are talking about only digital conversions. How the CD was mastered from the analog source is a complete different matter and has nothing to do with FLAC.
This space for rent.
Not that I like feeding trolls, but wake up, no one here think's FLOSS == perfect security, that's why both my Ubuntu and Fedora machine get software updates on a regular basis. The primary difference between FLOSS and proprietary security is transparency: do you know how many ten year old bugs are sitting in Windows or IE which Microsoft refuses to fix? Unless you work for them, you likely don't have a clue.
"Knowledge is the only instrument of production that is not subject to diminishing returns" -Journal of Political Econom
The difference between this and a closed-source product is that now that the holes have been discovered, anybody can fix them. It's not going to be me, however, as I am far too lazy.
Secondly... this isn't supposed to happen with FOSS Actually exactly this IS supposed to happen with FOSS.
Where this is
Visit CryptoGnome in his home.
If you're using Ubuntu, the latest security updates should have fixed this already (for a few days, I believe). The Ubuntu security team has USN-540-1 as a notification. It looks like it's an issue in Ubuntu 6.06 LTS, Ubuntu 6.10, Ubuntu 7.04, and Ubuntu 7.10 (at least), and their respective Kubuntu/Edubuntu/Xubuntu releases.
All you really need to update looks to be libflac7 or libflac8, whichever exists on your system (8 is only for Gutsy, aka 7.10), though it's probably a good idea to update all the security updates anyway.
Good thing no one uses this esoteric "FLAC" format.
Lots of people screw up the sanity checks. C has some interesting properties that people struggle with: signed+unsigned promotes to unsigned, and the compiler is allowed to generate code which assumes that signed wrap-around will never happen. Plus people just plain screw up. I'll bet the FLAC code even had sanity checks, just not correct ones.
Sanity checks are also low-performance.
Suppose you want a 1 MB buffer. Allocate that, plus 2 pages, plus another page if your allocator doesn't give you page alignment. (mmap does, malloc does not -- you should use mmap to be 100% legit here) Round up to a page if you used malloc. Make that page unreadable via the mprotect call. The next page will start your 1 MB buffer. After the end of that buffer is one more page that you also make unreadable. Now you're safe from regular overflows in that buffer.
You still risk jumping out of the buffer when you add a potentially big offset. Here, you use the mask. Take an offset into the buffer, add/subtract the untrusted data, mask with 0xfffff for 1 MB, and now you have a fresh new offset that will be within the buffer.
Regular overflows will hit the unreadable page. If you do nothing extra, the result is a safe crash. You might use the fork call to create a child process that you don't mind losing. Alternately, you can use sigsetjmp and siglongjmp to handle the situation. Set up a signal handler for signal 11 that will call siglongjmp. Call sigsetjmp prior to entering the code which handles untrusted data. If the code takes the exception path (signal and siglongjmp), then you know the untrusted data was bad. (for extra points, verify that the guard page was hit and call _exit if not -- see the sigaction documentation for how to get this info)
You misunderstood. Where FLOSS differs from microsoft is:
a)This bug was discovered by third parties because they had access to the source
b)The bug is already fixed
c)Even on still vulnerable systems it wouldn't give you root access
d)It would have to rely on special plugins or user action
e)The problem is clearly described and documented allowing users to take precautions
Compare this to a vaguely described bug in your rendering engine for animated cursors enabling arbitrary webpages to compromise kernel space, and this not being fixed for days or even weeks despite documented exploits in the wild.
Somehow I don't see the irony.
If that really is your understanding, then you could benefit from either spending a bit of time improving your comprehension skills, or paying less attention to the trolls.
The difference between the development models and philosophies usually becomes apparent when the flaws are discovered. How long will it take for the libFLAC flaws to be fixed? How does this compare to closed-source applications with similar flaws? How long will it take for companies using libFLAC within their proprietary players take to incorporate the fixes and release them to their customers?
Many closed-source companies sit on vulnerabilities until they're publically reported, and even then take their sweet time addressing them. The time between discovery of problems and fixes being available is generally pretty good in open source projects. Microsoft is no exception to this <troll>although they do respond remarkably quickly when flaws in their DRM measures are discovered</troll>.
One interesting issue this raises though is the number of programs and devices which are affected. If libFLAC wasn't available for everyone to use, then we'd likely have multiple implementations of it and a flaw in libFLAC wouldn't affect so many devices. For example, if the Fraunhoffer decoder had similar problems, it wouldn't effect most mp3 players because there's so many different decoder implementations. So even though libFLAC being open source does make it technically easier to produce a competing implementation, it also reduces the incentive to do so. So does open source potentially contribute to creating a software monoculture?
Also some nitpicking of the article summary:
eEye Digital Security has discovered 14 vulnerabilities in the FLAC file formatHow can a file format have vulnerabilities? Surely the vulnerability exists in code that reads and interprets the bytestream, not in the format itself.
I thought they were just being rude. Now I know why.
These posts express my own personal views, not those of my employer
libavcodec never ever used libFLAC, it has its own FLAC encoding & decoding code, hence not affected. Lousy journalism on Heise part.
Never learn by your mistakes, if you do you may never dare to try again
it's a bunch of bugs in the libFLAC that is used in a heck of a lot of apps.
Its an example of a particular implementation becoming the standard. They might as well not even have a file format specification.
How we know is more important than what we know.
Subscription to Stereophile magazine: $10.
Additional hard drive to store your lossless music collection: $200.
Portable audio player that supports FLAC: $300.
High-end headphones and speakers necessary to hear the difference between MP3/AAC and FLAC: $1000.
Gold shielded power, speaker, and headphone cables to avoid picking up noise that masks the differences between MP3/AAC and FLAC: $2000.
Watching all that equipment turn into one big zombie spambot as soon as you press "play": priceless.
Visual IRC: Fast. Powerful. Free.
A sincere Thank You for your efforts, identifying the issue and alerting the Devs, and correcting the problem.
This is the way things were meant to work, as so eloquently put elsewhere.
echo "export LD_PRELOAD=/home/you/rootkit.so" >>
From there, all your processes contain rootkit.so as a library. It can replace functions in the C library. Your editor won't open /home/you/.bashrc when you ask it to; it will instead open a different file.
You're so pwn3d.
You'd be safe if you had Bitfrost, like the OLPC XO does. There, apps don't get to mess with your files except when you actively hand the file over.
Software vulnerabilities crop up frequently, it's inherent in complex systems. The question comes to how users are treated and what freedoms they have to help one another and help themselves. With proprietary software, users must wait for the proprietor to supply a fix. All users of proprietary software are trapped in a monopoly. With free software users have the freedom to inspect, share, and modify the software at any time (or get someone else to do this work for them). Users don't have to wait to discover bugs or wait to get them fixed.
There are also related benefits when it comes to adding features users want and keeping prices low through competition and doing favors for friends.
I don't champion "open source" because I'm not particularly interested in making a business-first argument about developer efficiency (which is a bit of a myth) or going on about the latest twist on 'many hands make light work' (many eyes do help reduce bugs, but some bugs will apparently escape a lot of programmers). Instead I'd rather focus on how freedom places the control of my computer in my hands, leaving it to me to decide how much time and effort I want to put into improving my software. I've come to expect these freedoms with my house, my car, my plumbing, my electricity, and other things despite that I'm not a carpenter, mechanic, plumber, or electrician. I wouldn't trade away the freedom to criticize my government despite not being a great writer. So too I should cherish software freedom for its own sake. So it seems entirely right and proper to focus on this freedom and stress free software's inherently better way of treating users over proprietary software. Tossing aside this concern means treating freedom the same way as being trapped by monopolists.
Digital Citizen
Not to sound trollish - but what imaginary world do you live in? Buggy software is a fact of life for the most part - it is created by humans and we all make mistakes. So, what software do you use that has never had to be updated or had a bug fix?
It's well-known that people tend to botch sanity checking. Thus, we should seek alternatives.
My solution is far less complicated in total. Yeah, setting up a guard page isn't taught in Programming for Dummies. It's not a lot of code though, it's easy to test, and it's damn reliable.
People who write secure code try to avoid having to trust themselves to get everything right. People who write insecure code think that somehow, despite decades of failure, they'll get it all right. Look ma, no bugs! Sure...
Buggy software is a fact of life for the most part - it is created by humans and we all make mistakes.
When is the last time you were driving and the road just COLLAPSED? The bridge fell down? Your car spontaneously burst into flames? When's the last time you plugged an electrical appliance into a wall and got shocked? Last time your plasma television went nuts and shot laser beams at your cat? When's the last time the case of your box fan failed and the blades went flying through the air, decapitating you?
When's the last time you saw a piece of software crash?
It's true. Humans aren't perfect. And yet we somehow design bridges (for the most part) that DON'T fail, cars that DON'T explode, appliances that DON'T electrocute us, and televisions that DON'T shoot laser beams. When these things do, rarely, occur, we hold the engineers LEGALLY RESPONSIBLE for the consequences.
We programmers are used to working under a "fog of wizardom" where our actions are taken as mysterious, inexplicable, incomprehensible, and genius. We coasted for decades by pulling the wool over the world's eyes this way. But the reality is, writing code is no more complicated than building a bridge or putting together a car engine. We consider these sorts of workers "blue collar." Most programmers today don't even design the code they write -- they write to a specification written by somebody who is probably only marginally more competent than they are. The world is waking up to the reality that most programmers, like most people in general, absolutely suck at what they do. And this "fog of wizardom" is going to dissipate. Rapidly.
The day is coming where software writers will be held accountable for the flaws they create, at least those which result in actual harm, whether human or financial. I suspect that a great many programmers will simply drop out of the workforce rather than face legal consequences for their failures.
The summary inherited the lousy description in the title of the article.
I see nothing to indicate that these vulnerabilities are in FLAC files. They seem to be in the reference implementation of the decoder. An exploit would be in FLAC files.
Come on, guys! You're running a Geek website here!
-Peter
The security impact of open source software is not that it has less bugs, but that they get found because people can analyze the source. Read this article and you'll see that's exactly what happened. It's good news.
You will have bugs in your software, and they will be found. The difference is are they found by 'good guys' that will warn you and help you fix it or are they found by 'bad guys' that root your system?
God, is this like the retard thread on Slashdot now?
The code has been fixed. Yes, there really were security bugs in the libFLAC library. Shocking isn't it? Software had bugs in it! People found those bugs! People fixed those bugs!
How we know is more important than what we know.
The WMV format is "restricted" or, as the FSF terms it, "defective", as a matter of its design. I'd show you some docs, but they're probably not freely available anywhere for me to access them...
/. be without a little trolling here and there to provide a nice garnish to the stories?)
There might be buffer overflow bugs in the FLAC reference software, but I don't think that the bugs are there by design.
(I agree that tags like "Micro$oft" probably aren't the most grown-up thing to post, but what would
coding is life
1. Linux security has been going down since about 2001 (who doesn't have a personal kernel exploit they haven't told Linus?)
2. I hardly think libFLAC counts as an "essential Linux library".
How we know is more important than what we know.
Vista has some security improvements if Vista is used correctly, but MS still missed the boat in a big way.
The fundamental problem is people running under an admin account. Vista does not solve this basic problem.
When you install Vista (or run for the first time), it guides you through creating an account. If you actually read the dialog (hint: most people won't), it tells you that this first account is an admin account. The problem is that for most folks, that is the only account they ever bother to set up, and it is the only account they use.
To use Vista properly, you have to then set up a normal user account (something you are -not- guided through by the setup wizard) and use that account. It is not obvious to the typical user, and even as an experienced user I had to navigate a fairly unintuitive interface to do it.
IOW, I really had to -want- to create a normal user -and- go out of my way to do that.
MS had the opportunity to fix their wizard so that it creates -both- an admin and non-admin user and tell the user to use the non-admin account, but for some unfathomable reason they didn't.
A house divided against itself cannot stand.
When was the last time you saw a bridge standing up after a willfull, informed, and competent attempt to put it down?
Rethinking email
No, there can't be. I get mod points twice a week... Oh, wait...
One should consider that sanity checks can themselves be security holes. At the very least, you have lots of extra code that can make regular old bugs more difficult to find.
I'd not suggest that ALL sanity checks need to go, but... cutting down the complexity of your code is certainly not a bad idea.
For example, if your sanity check code causes a double free, it may be exploitable on MacOS. (shame on Apple)
As a general rule, the more code the more danger.