Multiple FLAC Vulnerabilities Affect Every OS

Multiple FLAC Vulnerabilities Affect Every OS 360

Posted by kdawson on Monday November 19, 2007 @10:05PM from the don't-hit-play dept.

Enon writes "eEye Digital Security has discovered 14 vulnerabilities in the FLAC file format that affect a huge range of media players on every supported operating system (Windows, Mac OS, Linux, Unix, BSD, Solaris, and even some hardware players are vulnerable). Heise points out a number of vulnerable apps that use the open source libavcodec audio codec library, which in turn relies on the flawed libFLAC library. These vulnerabilities could allow a person of ill will to trojanize FLAC files that could compromise your computer if they are played on a vulnerable media player. eEye worked with US-CERT to notify vulnerable vendors."

Multiple FLAC Vulnerabilities Affect Every OS

This discussion has been archived. No new comments can be posted.

Search 360 Comments Log In/Create an Account

Comments Filter:

root listens to audio? (Score:2, Funny)

by Gothmolly ( 148874 ) writes: on Monday November 19, 2007 @10:08PM (#21415585)

How often does root listen to audio, esp. considering the new and improved root-like access Ubuntu and Fedora have set up?

Oh, you mean that a USER could compromise THEIR PERSONAL FILES... well, that does suck, but you have backups, right?

I bet someone will cop some flack for this.. (Score:2, Funny)

by QuantumG ( 50515 ) writes: <qg@biodome.org> on Monday November 19, 2007 @10:08PM (#21415587) Homepage Journal

HAW HAW HAW.

The best thing about these vulnerabilities (Score:2, Funny)

by Anonymous Coward writes: on Monday November 19, 2007 @10:11PM (#21415623)

Is that they're still lossless.

Re:root listens to audio? (Score:4, Funny)

by QuantumG ( 50515 ) writes: <qg@biodome.org> on Monday November 19, 2007 @10:22PM (#21415705) Homepage Journal

This is an example of the term "failure of imagination."

Someone malicious can craft a .flac file which can execute arbitrary code when it is run on an affected player.

That someone can give that .flac file to someone else who doesn't know it is maliciously crafted and when they play the file, they have given arbitrary code execution privileges to the malicious crafty person.

I thought everyone got that from the description, but there will always be some ignorant fool who can't help but speak up and, here's the great part, there will always be someone who is even more stupid who mods them up.

That's the magic of Slashdot.

Re:root listens to audio? (Score:3, Funny)

by Goaway ( 82658 ) writes: on Monday November 19, 2007 @10:23PM (#21415711) Homepage

So what exactly is that that you think malware wants to do that it can do as root but not as a user?

Re:root listens to audio? (Score:1, Funny)

by Anonymous Coward writes: on Monday November 19, 2007 @10:25PM (#21415741)

Audio just doesn't sound the same if it's not run through a process owned by root.

Old McDonald Had a Farm (Score:5, Funny)

by Lachryma ( 949694 ) writes: on Monday November 19, 2007 @10:28PM (#21415765)

eEye worked with US-CERT to notify vulnerable vendors.
If this happened over email, one could consider it eEye e-I/O.

Phew (Score:5, Funny)

by Frogbert ( 589961 ) writes: <{frogbert} {at} {gmail.com}> on Monday November 19, 2007 @10:32PM (#21415807)

Good thing no one uses this esoteric "FLAC" format.

Those security tell me to get the FLAC out of here (Score:3, Funny)

by syousef ( 465911 ) writes: on Monday November 19, 2007 @10:50PM (#21415917) Journal

I thought they were just being rude. Now I know why.

Re:root listens to audio? (Score:5, Funny)

by paulgrant ( 592593 ) writes: on Monday November 19, 2007 @10:52PM (#21415941)

or play a video with flac as the audio algorithm.
right.
especially if it plays silence on a transparent pixel.
MAN THIS SUCKS.

Some things in life, money can't buy... (Score:5, Funny)

by Mr2001 ( 90979 ) writes: on Monday November 19, 2007 @11:05PM (#21416033) Homepage Journal

Subscription to Stereophile magazine: $10.

Additional hard drive to store your lossless music collection: $200.

Portable audio player that supports FLAC: $300.

High-end headphones and speakers necessary to hear the difference between MP3/AAC and FLAC: $1000.

Gold shielded power, speaker, and headphone cables to avoid picking up noise that masks the differences between MP3/AAC and FLAC: $2000.

Watching all that equipment turn into one big zombie spambot as soon as you press "play": priceless.

Re:root listens to audio? (Score:3, Funny)

by Gothmolly ( 148874 ) writes: on Monday November 19, 2007 @11:23PM (#21416159)

What you just described is a virus, and in fact, has existed nearly as long as computers have. If you don't trust your flac-giving buddy, why take anything he gives you at all? The point is that "flac" cannot compromise your system, only your data. Unless you play the file as root.

Re:root listens to audio? (Score:2, Funny)

by definate ( 876684 ) writes: on Tuesday November 20, 2007 @12:28AM (#21416673)

It seems you're writing a pro Vista comment...

We don' like yo' type 'roun' 'ere, yew best keep moving.

Man, I hope I got my punctuation of the accent correct, or I am going to get reamed by Grammar Nazi's.

Re:root listens to audio? (Score:5, Funny)

by a_nonamiss ( 743253 ) writes: on Tuesday November 20, 2007 @12:46AM (#21416753)

OK, this is Slashdot. Nobody here here has a wife let alone a mistress

You are right about the backups, though...

Re:Some things in life, money can't buy... (Score:2, Funny)

by WWWWolf ( 2428 ) writes: <wwwwolf@iki.fi> on Tuesday November 20, 2007 @06:33AM (#21418207) Homepage

True audiophiles do not use FLAC encoding! A FLAC-encoded sound will have to be processed using a complex computational process, which will mean it will travel through very, very many transistors in the CPU before it hits the DAC on sound card, thus causing noticeable and very jarring latency in the sound. Even uncompressed files have headers which might affect seek performance. No, true audiophiles use raw sound data - indeed, raw sound files also save disk space, because they don't have headers.

Re:Another idiot gets modded up (Score:2, Funny)

by silent_artichoke ( 973182 ) writes: <mike AT mikeandebony DOT com> on Tuesday November 20, 2007 @09:33AM (#21419323) Homepage

No, there can't be. I get mod points twice a week... Oh, wait...

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

Multiple FLAC Vulnerabilities Affect Every OS 360

Multiple FLAC Vulnerabilities Affect Every OS More Login

Multiple FLAC Vulnerabilities Affect Every OS

root listens to audio? (Score:2, Funny)

I bet someone will cop some flack for this.. (Score:2, Funny)

The best thing about these vulnerabilities (Score:2, Funny)

Re:root listens to audio? (Score:4, Funny)

Re:root listens to audio? (Score:3, Funny)

Re:root listens to audio? (Score:1, Funny)

Old McDonald Had a Farm (Score:5, Funny)

Phew (Score:5, Funny)

Those security tell me to get the FLAC out of here (Score:3, Funny)

Re:root listens to audio? (Score:5, Funny)

Some things in life, money can't buy... (Score:5, Funny)

Re:root listens to audio? (Score:3, Funny)

Re:root listens to audio? (Score:2, Funny)

Re:root listens to audio? (Score:5, Funny)

Re:Some things in life, money can't buy... (Score:2, Funny)

Re:Another idiot gets modded up (Score:2, Funny)

Related Links Top of the: day, week, month.

Slashdot Top Deals

Slashdot