Multiple FLAC Vulnerabilities Affect Every OS

Enon writes "eEye Digital Security has discovered 14 vulnerabilities in the FLAC file format that affect a huge range of media players on every supported operating system (Windows, Mac OS, Linux, Unix, BSD, Solaris, and even some hardware players are vulnerable). Heise points out a number of vulnerable apps that use the open source libavcodec audio codec library, which in turn relies on the flawed libFLAC library. These vulnerabilities could allow a person of ill will to trojanize FLAC files that could compromise your computer if they are played on a vulnerable media player. eEye worked with US-CERT to notify vulnerable vendors."

Sanity checks:

[andreyvul]

Perform them.

guard pages, bit masks, and so on: better

[r00t]

Lots of people screw up the sanity checks. C has some interesting properties that people struggle with: signed+unsigned promotes to unsigned, and the compiler is allowed to generate code which assumes that signed wrap-around will never happen. Plus people just plain screw up. I'll bet the FLAC code even had sanity checks, just not correct ones.

Sanity checks are also low-performance.

Suppose you want a 1 MB buffer. Allocate that, plus 2 pages, plus another page if your allocator doesn't give you page alignment. (mmap does, malloc does not -- you should use mmap to be 100% legit here) Round up to a page if you used malloc. Make that page unreadable via the mprotect call. The next page will start your 1 MB buffer. After the end of that buffer is one more page that you also make unreadable. Now you're safe from regular overflows in that buffer.

You still risk jumping out of the buffer when you add a potentially big offset. Here, you use the mask. Take an offset into the buffer, add/subtract the untrusted data, mask with 0xfffff for 1 MB, and now you have a fresh new offset that will be within the buffer.

Regular overflows will hit the unreadable page. If you do nothing extra, the result is a safe crash. You might use the fork call to create a child process that you don't mind losing. Alternately, you can use sigsetjmp and siglongjmp to handle the situation. Set up a signal handler for signal 11 that will call siglongjmp. Call sigsetjmp prior to entering the code which handles untrusted data. If the code takes the exception path (signal and siglongjmp), then you know the untrusted data was bad. (for extra points, verify that the guard page was hit and call _exit if not -- see the sigaction documentation for how to get this info)

Re:

[pclminion]

None of what you just described counts as a "sanity check." It's more like putting an immensely complicated band-aid on the problem so that when things do explode they explode in a predictable way. This can be a good thing in certain fields. If failure of your software might cause somebody's death, then yes, you want complete assurance that things cannot silently go wrong. But failing that, this is nothing but a poor substitute for good coding practice.

If you have so much doubt in your own code, why do yo

the whole point: it's NOT sanity checking

[r00t]

It's well-known that people tend to botch sanity checking. Thus, we should seek alternatives.

My solution is far less complicated in total. Yeah, setting up a guard page isn't taught in Programming for Dummies. It's not a lot of code though, it's easy to test, and it's damn reliable.

People who write secure code try to avoid having to trust themselves to get everything right. People who write insecure code think that somehow, despite decades of failure, they'll get it all right. Look ma, no bugs! Sure...

Re:the whole point: it's NOT sanity checking

[r00t]

Heh.

Studies show that nearly everybody thinks he is a better-than-average driver.

Kind of the same problem, no? Maybe this is why we require safety equipment.

Re:

[MrMr]

Not really, that would be true for 'better than median'.
When only a minority of people is responsible for traffic accidents, the majority is indeed better than average.
'nearly everybody' may be completely right about being a better than average driver...

Re:

[heinousjay]

With an analogy that overwrought, it's pretty obvious you're just being a bitch. I'll correct it for you:

It's like wearing a seat belt because you have no control over what other drivers will do.

There, possibly the finest car related analogy on Slashdot ever.

Re:

[sowth]

Aren't we prideful. Do you work for Microsoft or something? Everyone makes mistakes. In the real world, you should program in as many sanity checks as you can. Over compensating for potential problems will usually lead to more secure and stable programs, or at the very least make it fail in a less catastrophic way.

Expecting sanity checks to be done elsewhere and not covering your ass leads to absurdly buggy programs and security compromises, which is happening all too often in so called "professonal" soft

Re:guard pages, bit masks, and so on: better

[sowth]

I didn't say you claimed sanity checks weren't needed at all. I said this guy's proposal was a valid thing to add to a program and anything to make sure your program doesn't die by covering multiple bases is a good thing. You do realize all programmers make mistakes, don't you? Good programmers try to minimize the effects of those mistakes.

Was he really saying to do that instead of sanity checks? I didn't see anywhere in his post where he explicitly said to do the "guard page" trick and not ever do any other sanity checks. The way he started off by saying how people get sanity checks wrong, it seems to me he was saying you should do that in addition to normal sanity checks, so if you really screw them up, you will still have some protection... Then again, maybe he was just trying to offer a more simple and efficient solution for those who can't get it right or are worried about wasting CPU cycles.

At any rate, the "guard page" trick coupled with the bitmasking certainly looks like it would be difficult or impossible to write outside the buffer, unless there is some sort of exploit I didn't see. Unlikely since I am quite familiar with assembly language and binary operations. It looked easy and foolproof to me--assuming no one makes a typo or other mistake, but other sanity checks are just as vulnerable to those problems. Just read the strlcpy paper written by Todd C. Miller and Theo De Raadt. Here is a relevant excerpt:

There are several problems encountered when strncpy() and strncat() are used as safe versions of strcpy() and strcat(). Both functions deal with NUL-termination and the length parameter in different and non-intuitive ways that confuse even experienced programmers. They also provide no easy way to detect when truncation occurs. Finally,strncpy() zero-fills the remainder of the destination string, incurring a performance penalty. Of all these issues, the confusion caused by the length parameters and the related issue of NUL-termination are most important. When we audited the OpenBSD source tree for potential security holes we found rampant misuse of strncpy() and strncat(). While not all of these resulted in exploitable security holes, they made it clear that the rules for using strncpy() and strncat() in safe string operations are widely misunderstood.

It is difficult to write functions which prevent security flaws. The trick r00t proposed sounds as good as any. You may not catch many bugs with binary masking, but then that is what a debugger and assert() are for.

Your comments about it being "complicated" and a "complex plan" suggest to me you know nothing about boolean algebra or low level programming. Maybe you should learn a bit more before you write inflammatory comments.

sanity checks can be exploitable

[r00t]

One should consider that sanity checks can themselves be security holes. At the very least, you have lots of extra code that can make regular old bugs more difficult to find.

I'd not suggest that ALL sanity checks need to go, but... cutting down the complexity of your code is certainly not a bad idea.

For example, if your sanity check code causes a double free, it may be exploitable on MacOS. (shame on Apple)

As a general rule, the more code the more danger.

Re:

[pclminion]

sanity checks have to go at each point writing to the buffer.

Answer 1: Yeah, writing good software requires effort.

Answer 2: Centralize the code which accesses the buffer, and put sanity checks there. Then just call this code. I know this "structured programming" concept is pretty bleeding-edge stuff, being only 40 years or so old, but hey. Sometimes you just gotta learn something new.

Re:

[r00t]

No!

1. It is trivial to crack a CRC. That is not a crypto checksum.

2. Probably you get exploited before you get a chance to check. This depends on overflow severity, OS, etc.

There is a fix. You mask everything, not just when adding arbitrary untrusted offsets. This sucks.

Re:guard pages, bit masks, and so on: better

[r00t]

The big thing is reliability. You have less to screw up.

But yes, it is faster.

The guard pages are essentially free. They have a minor one-time start-up cost, like doing a memory allocation. As long as you keep reusing that buffer, you don't have any extra overhead.

Bit masking is a very cheap math operation. It does not need to involve the branch predictor. There is no "else" code to bloat things up and even contain more bugs; the mask simply forces the data to be good. (well, "good" as in "good enough for security" -- it won't turn an attempted buffer overflow exploit into beautiful music!)

BTW, some Linux kernels also provide a "seccomp" mechanism. It's a severe sandbox, limiting you to about 4 system calls. If you can make your code tolerate that, remembering to close any unneeded file descriptors before you switch it on, you'll be damn secure.

Re:A lot of these are app flaws, not flac flaws ..

[QuantumG]

it's a bunch of bugs in the libFLAC that is used in a heck of a lot of apps.

Its an example of a particular implementation becoming the standard. They might as well not even have a file format specification.

Re:

[QuantumG]

God, is this like the retard thread on Slashdot now?

The code [sourceforge.net] has been fixed. Yes, there really were security bugs in the libFLAC library. Shocking isn't it? Software had bugs in it! People found those bugs! People fixed those bugs!

Re:

[QuantumG]

1. Linux security has been going down since about 2001 (who doesn't have a personal kernel exploit they haven't told Linus?)
2. I hardly think libFLAC counts as an "essential Linux library".

root listens to audio?

[Gothmolly]

How often does root listen to audio, esp. considering the new and improved root-like access Ubuntu and Fedora have set up?

Oh, you mean that a USER could compromise THEIR PERSONAL FILES... well, that does suck, but you have backups, right?

Re:root listens to audio?

[springbox]

root listens to audio?

Yes. Windows.

Re:root listens to audio?

[gnuman99]

root listens to audio?

Yes. Windows.

No. Vista.

And no you will not get one of them "You want to proceed with blah?" windows because an exploit will not have a manifest. It is difficult to get Vista hosed by malware compared to XP.

Re:

[definate]

It seems you're writing a pro Vista comment...

We don' like yo' type 'roun' 'ere, yew best keep moving.

Man, I hope I got my punctuation of the accent correct, or I am going to get reamed by Grammar Nazi's.

OT Vista security

[pedestrian crossing]

No. Vista.

Yes. Windows.

root listens to audio?

Vista has some security improvements if Vista is used correctly, but MS still missed the boat in a big way.

The fundamental problem is people running under an admin account. Vista does not solve this basic problem.

When you install Vista (or run for the first time), it guides you through creating an account. If you actually read the dialog (hint: most people won't), it tells you that this first account is an admin account. The problem is that for most folks

Re:

[CastrTroy]

Why even have an admin account? On the Mac Mini we have at work, root was disabled by default. With many Linux boxes, you create a root password, but never login as root, and if you try, you will get dire warnings about how bad of an idea it is. Most Linux boxes rely on sudo to get most of the administrative actions done, with some being left to su root. There's no reason to even have an admin account that the user can log in to through the GUI. Take away the ability for users to log in as root, and yo

Re:

[pedestrian crossing]

More importantly, most Linux install programs guide the user through making both a root and regular user account as part of the install process.

That's where MS really dropped the ball. Their install wizard doesn't make sure that important step is taken care of.

When they are starting their computer for the first time, typical users just want to start using the system, so if you don't force them to create a regular user account, it's not going to happen.

The release of Vista provided MS with a golden oppo

Re:root listens to audio?

[paulgrant]

or play a video with flac as the audio algorithm.
right.
especially if it plays silence on a transparent pixel.
MAN THIS SUCKS.

Re:

[hdparm]

Hilarious! Thanks for a real good laugh.

Re:root listens to audio?

[QuantumG]

This is an example of the term "failure of imagination."

Someone malicious can craft a .flac file which can execute arbitrary code when it is run on an affected player.

That someone can give that .flac file to someone else who doesn't know it is maliciously crafted and when they play the file, they have given arbitrary code execution privileges to the malicious crafty person.

I thought everyone got that from the description, but there will always be some ignorant fool who can't help but speak up and, here's the great part, there will always be someone who is even more stupid who mods them up.

That's the magic of Slashdot.

Re:

[Gothmolly]

What you just described is a virus, and in fact, has existed nearly as long as computers have. If you don't trust your flac-giving buddy, why take anything he gives you at all? The point is that "flac" cannot compromise your system, only your data. Unless you play the file as root.

Re:

[QuantumG]

1. local exploits
2. see my page on jumping su and sudo [insomnia.org].

I think you misunderstand the post

[empaler]

How does the code get access to anything but the *executing user's* files? It gets the same privileges as the program has been granted by the user/admin, but unless something is really wonky in the system, it does not have an avenue of getting more rights.

Please, instead of assuming that you have parsed other people's thoughts correctly and hastily call them ignorant fools, try to see it from their side. It adds nothing positive to a debate.

Re:

[QuantumG]

no-one said it did.

Someone getting the ability to run arbitrary code on your machine is a security issue..

Re:

[Goaway]

So what exactly is that that you think malware wants to do that it can do as root but not as a user?

Re:

[Erpo]

• nmap -sS
  
• insmod rootkit.ko
  
• rm -rf /home/roommate
  

...just off the top of my head.

don't need root for a rootkit

[r00t]

echo "export LD_PRELOAD=/home/you/rootkit.so" >> /home/you/.bashrc
echo "export LD_PRELOAD=/home/you/rootkit.so" >> /home/you/.bash_profile

From there, all your processes contain rootkit.so as a library. It can replace functions in the C library. Your editor won't open /home/you/.bashrc when you ask it to; it will instead open a different file.

You're so pwn3d.

You'd be safe if you had Bitfrost, like the OLPC XO does. There, apps don't get to mess with your files except

Re:don't need root for a rootkit

[r00t]

That code gets injected into your xterm, gnome-terminal, konsole, eterm, screen, emacs, etc.

You'd better not ever do "su" or "sudo" from a shell in any of them. You wouldn't do that, would you?

Do you know what an "input method" is? It's a lovely way to play with your keystrokes, no matter what the app. It's normally used to enter things like Chinese characters... and to pwn you.

BTW, getting into your account is one step closer. Now the attacker is not only inside your firewall, but able to attack setuid binaries and the kernel itself. Any bugs just got exposed. At this point, a local exploit is as good as a remote exploit.

Not that any of this matters. A typical attacker wants your private data, your IP address, and your network bandwidth. Maybe they want your disk space too. Really, they don't need root. That's just for bragging rights.

Re:don't need root for a rootkit

[ookaze]

That code gets injected into your xterm, gnome-terminal, konsole, eterm, screen, emacs, etc.

No it doesn't !!! At least as long as you don't launch any xterm from your gnome-terminal/konsole/eterm/whatever.
This little trick would change whatever apps you use that is launched from your shell session, which is just unlikely.
But wait, there's more ...

You'd better not ever do "su" or "sudo" from a shell in any of them. You wouldn't do that, would you?

This is even more nonsense, as your little trick just won't work on a glibc drived system, meaning nearly every Linux OS out there.
This was fixed like more than 4 years ago !! Your LD_PRELOAD, containing slashes, will just not work at all and be rejected for suid binaries like su or sudo.
And if you don't put slashes, the library will be searched in the trusted paths put in your ld.so.conf.
So sorry to destroy your scary FUD. Not to say a rootkit is not possible, but it requires more than a vulnerability fixed years ago.

Do you know what an "input method" is? It's a lovely way to play with your keystrokes, no matter what the app. It's normally used to enter things like Chinese characters... and to pwn you.

Except this is not launched from a bash session... at all. This is launched by your desktop environment, itself launched from a desktop manager, itself suid and not launched from your bash session. Just wow at your failed pwn methods though!

BTW, getting into your account is one step closer. Now the attacker is not only inside your firewall, but able to attack setuid binaries and the kernel itself.

Just no, you're plain wrong. Kernel is safe as long as you're not root, and setuid binaries are safe too. You have to have an exploit on one of them, and no, LD_PRELOAD is not one.

Any bugs just got exposed. At this point, a local exploit is as good as a remote exploit.

Well, I kind of agree, though it's not as simple as you make it out.

Re:

[r00t]

No it doesn't !!! At least as long as you don't launch any xterm from your gnome-terminal/konsole/eterm/whatever.
This little trick would change whatever apps you use that is launched from your shell session, which is just unlikely.

That's a very minor detail. First of all, I can just hit your desktop menu files instead. I can hit .xsessionrc or .xinitrc instead. Second of all, your desktop environment most likely USES THE SHELL to start things, and it is likely that at least some of the shell's files (not all) will still be used.

This was fixed like more than 4 years ago !! Your LD_PRELOAD, containing slashes, will just not work at all and be rejected for suid binaries like su or sudo.

No, I don't mean injecting into su or sudo. I mean injecting into the terminal program. As part of the push for security, the setuid bit has been removed from many of these programs... eliminating the LD_PRE

Re:

[LizardKing]

I suppose I better expand on my "sudo is a waste of time" comment.

Sudo is generally configured out of the box to allow root access, making it little more than an alias for su. Actually configuring sudo to allow limited access to certain commands is fiddly, and often misses things (try running a root /bin/sh from sudo - works almost every time). Sudo is also a poor alternative to ACLs, or just setting up groups to control access to certain device files (which is often what a presumed need for sudo boils do

right, I have backups...

[r00t]

of my private keys, finance data, NDA-protected stuff, etc.

No problem?

Heck, the attacker will be making extra backups! For free!

Re:

[pclminion]

Oh, you mean that a USER could compromise THEIR PERSONAL FILES... well, that does suck, but you have backups, right?

"That hacker stole all my steamy emails between me and my mistress and threatened to tell my wife unless I pay him $10,000! Thank God at least I have backups!"

Re:root listens to audio?

[a_nonamiss]

OK, this is Slashdot. Nobody here here has a wife let alone a mistress

You are right about the backups, though...

Re:

[xouumalperxe]

Because, of course, privilege escalation bugs have never EVER cropped up.

But that's merely a technical argument in an area where psychology reigns supreme. And the moment you assume the attitude of "It's not worth giving a damn because careful users won't have issues", you already lost that game.

Re:

[Tweekster]

regardless of OS you are and idiot if you are not backing things up.

Re:

[timeOday]

Either way you still need computer security. Backups aren't going to save you when a keylogger sends your credit card # to Russia.

Re:

[node 3]

"Idiocy" is not the thing that keeps the vast majority of computer users from backing up their files. If your goal is to get people to back up their data, calling them "idiots" is not going to help you with that goal.

If, on the other hand, your goal is to state what everybody already knows, but in off-putting terms, without any reasonable expectation of effecting change for the better, then consider yourself "mission accomplished." Keep up the good work!

Re:

[MightyYar]

Now, now. Some of us are just lazy :)

Re:

[Dare nMc]

you are and idiot if you are not backing things up.

you are an idiot, if you spend more time backing up your files than it took to get/replace them.

Actually in a purely economic sense,

TimeToBackup*chance of failure ~= time to recover without THIS backup.
of course you must add in the economics, but backups generally cost significantly less in actuall $ than in time.

this is why smaller organizations only backup securely (off site...) no more than monthly... If I only get one failure every 5 years, and it take

I bet someone will cop some flack for this..

[QuantumG]

HAW HAW HAW.

Old McDonald Had a Farm

[Lachryma]

eEye worked with US-CERT to notify vulnerable vendors.

If this happened over email, one could consider it eEye e-I/O.

Jailbreak!!

[evw]

Possibly another way to jailbreak your iPhone or install Linux on your iPod.

Re:

[Winckle]

Apple doesn't support FLAC, they want people to use the Apple lossless codec. Which annoys me tbh, there's no technical reason why they can't play both.

Re:

[empaler]

I installed this but never really use iTunes for anything except syncing my Audio books to my iPod, but here:
Xiph.Org QuickTime Components [xiph.org]. Should do the trick.
HTH :)

Re:

[tuffy]

FLAC decoding is purely integer-based. In addition, it is one of the least CPU intensive lossless audio codecs available in terms of decoding. Any iPod has enough power to decode them. Apple has simply chosen not to support it.

Re:

[QRDeNameland]

FLAC is designed for low-power decoding...from what I've seen it is comparable to mp3 in terms of processing for decoding. It also entirely integer-based, a feature touted as superior for both portability and performance.

Re:

[despisethesun]

I think that says more about iPod Linux than the iPod. As far as I know, iPod Rockbox users have no problems with ogg or flac files. If only Rockbox got half-decent battery life, it would be the perfect replacement for Apple's firmware. As it stands, it's a reasonable substitute if one is willing to make a few compromises.

Re:

[Fweeky]

If only Rockbox got half-decent battery life, it would be the perfect replacement for Apple's firmware

Erm, it's pretty half-decent right now. From an old commit message:

"6 Aug 17:26 - Jens Arnold - firmware/target/arm/system-pp5002.c - Reduced battery consumption on PP5002 targets (iPod 1st/2nd gen and 3rd gen). Now rockbox battery runtime is better than OF, verified on 2nd gen :-)"

Even on targets where it's not quite so optimized, it's typically reasonably comparable.

The best thing about these vulnerabilities

[Anonymous Coward]

Is that they're still lossless.

losslessly compressed

[Romancer]

Maybe I don't fully understand compression theory and this may very well be off topic, but this doesn't sound possible:

"losslessly compressed" audio file format.

Can someone explain how this compares to the original recording?
And am I confusing the analog to digital information loss with the compression (loss) part?

Re:

[Locklin]

http://en.wikipedia.org/wiki/Flac [wikipedia.org]

Free Lossless Audio Codec (FLAC) is a file format for audio data compression. Being a lossless compression format, FLAC does not remove information from the audio stream, as lossy compression formats such as MP3, AAC, and Vorbis do. Like other methods of compression, FLAC's main advantage is the reduction of bandwidth or storage requirements, but without sacrificing the integrity of the audio source. For example, a digital recording (such as a CD) encoded to FLAC can be decompressed into an identical copy of the audio data. Audio sources encoded to FLAC are typically reduced in size 40 to 50 percent. (53% according to their own comparison)

It's like a zip/bzip/gzip file, once uncompressed, it's binary equal.

Re:losslessly compressed

[CastrTroy]

It's kind of like running winzip on your wav files. All the data is there, but it fits in a smaller space. Of course, they don't use winzip's compression algorithms because that's really bad at compressing audio. They have special algorithms that are much better at recognizing patterns in wav files. I'm not completely sure how it works, but that's my understanding of it, and the easiest I can explain it.

Re:

[Phlegethon_River]

Just think about "ziping" a text file. It is smaller than the original file ("compressed") yet when you "unzip" it ALL of the information is still there ("lossless").

FLAC and SHN (shorten) are basically fancy ways of "ziping" a file of audio. So, they are effectively the same thing as the original WAV (what is on the CD).

This of course leaves out any discussion on digital v. analog audio quality, but that is beside the point.

Yes, I over-over-simplified. But it gets the point across.

Re:

[tuffy]

Lossless audio compression means that any PCM data fed to it can be restored later, without loss of any kind. The amount of compression varies depending on the PCM data itself. Any loss incurred before getting that PCM stream (such as sampling the original analog audio) can't be helped. It's not magic, after all.

Re:losslessly compressed

[recoiledsnake]

If you rip a Audio CD to MP3,AAC,WMA or OGG that is lossy compression. There is no way of getting the original data back. If you compress it with FLAC, you can get the exact bits present on the original Audio CD. Note that we are talking about only digital conversions. How the CD was mastered from the analog source is a complete different matter and has nothing to do with FLAC.

Re:

[wizardforce]

look up lossless compression on Wikipedia, it explians it quite nicely.
http://en.wikipedia.org/wiki/Lossless_data_compression [wikipedia.org]

Re:

[belmolis]

A simple way to get an intuitive understanding of why lossless audio compression is possible is to display an audio waveform at a resolution high enough that you can see individual samples. You will notice that adjacent samples are close to each other - the signal doesn't change very rapidly. That's due to the physical nature of music and speech and it is a way in which such signals differ from arbitrary signals. If you display white noise, for example, it won't have this property - samples not very far ap

Re:

[BlueParrot]

To use an analogy, if all your images consist of a doussin lines, then storing them as an XML encoded list of lines will occupy a lot less space than using a 1280x1024 bitmap. However, if you try to use the same XML format to store images of grainy materials, like sand, concrete etc... then you will end up storing a complicated list of lines for every single point, leading to a much larger files than if you had just used a bitmap.

Lossless compression works by identifying common features of a particular type

Fixed in Ubuntu

[coolhelperguy]

If you're using Ubuntu, the latest security updates should have fixed this already (for a few days, I believe). The Ubuntu security team has USN-540-1 [ubuntu.com] as a notification. It looks like it's an issue in Ubuntu 6.06 LTS, Ubuntu 6.10, Ubuntu 7.04, and Ubuntu 7.10 (at least), and their respective Kubuntu/Edubuntu/Xubuntu releases.

All you really need to update looks to be libflac7 or libflac8, whichever exists on your system (8 is only for Gutsy, aka 7.10), though it's probably a good idea to update all the security updates anyway.

Phew

[Frogbert]

Good thing no one uses this esoteric "FLAC" format.

Those security tell me to get the FLAC out of here

[syousef]

I thought they were just being rude. Now I know why.

libavcodec is not affected, Heise is wrong

[unixmaster]

libavcodec never ever used libFLAC, it has its own FLAC encoding & decoding code, hence not affected. Lousy journalism on Heise part.

Some things in life, money can't buy...

[Mr2001]

Subscription to Stereophile magazine: $10.

Additional hard drive to store your lossless music collection: $200.

Portable audio player that supports FLAC: $300.

High-end headphones and speakers necessary to hear the difference between MP3/AAC and FLAC: $1000.

Gold shielded power, speaker, and headphone cables to avoid picking up noise that masks the differences between MP3/AAC and FLAC: $2000.

Watching all that equipment turn into one big zombie spambot as soon as you press "play": priceless.

Re:

[the eric conspiracy]

Additional hard drive to store your lossless music collection: $200.

More like $100.

Portable audio player that supports FLAC: $300.

I don't mess with these. There are no portable players in production that meet my needs. The only one close are the iRivers with SPDIF, and the models I would be interested in are not in production any more.

High-end headphones and speakers necessary to hear the difference between MP3/AAC and FLAC: $1000.

I was able to hear a big difference on a pair of $69 headphones and $20 sound

Re:

[MostAwesomeDude]

5th generation iPods can be flashed with Rockbox or iPodLinux, both of which have FLAC support. Also USB sound cards are $40 and usually don't sound better than the cards bundled with most laptops, while also being slower than onboard chips. Finally, $200 will get you 750GB, which is adequate for music, assuming, of course, that you are storing lossless. Please "do a bit of research before spouting off."

Re:

[the eric conspiracy]

5th generation iPods can be flashed with Rockbox or iPodLinux, both of which have FLAC support.

5th gen (or any other) iPods have crappy DACs and poor amps. FLAC support is irrelevant for them.

Also USB sound cards are $40 and usually don't sound better than the cards bundled with most laptops, while also being slower than onboard chips.

USB sound cards that cost $40 don't sound better than the laptop sound cards because they have the same crappy amps and DACs as the laptop sound card. Get a $250 USB sound car

Re:

[AikonMGB]

I am not myself an audiophile (though I do exhibit some audiophile tendencies); I thought the idea behind using gold-plated connectors was not that they sounded better, but because they stayed sounding the same for longer due to not corroding?

Aikon-

Thank you eEye and Devs

[awfar]

A sincere Thank You for your efforts, identifying the issue and alerting the Devs, and correcting the problem.

This is the way things were meant to work, as so eloquently put elsewhere.

In Files?

[pete-classic]

The summary inherited the lousy description in the title of the article.

I see nothing to indicate that these vulnerabilities are in FLAC files. They seem to be in the reference implementation of the decoder. An exploit would be in FLAC files.

Come on, guys! You're running a Geek website here!

-Peter

Re:

[bmo]

Just because I have karma to burn and I don't care...

Performant is not a word.

Efficient is a word.

Making up jargon to sound erudite actually makes you sound stupid.

Thank you and have a nice day.

--
BMO

Re:

[Crypto Gnome]

Making up jargon to sound erudite actually makes you sound stupid.

Personally I'd have said makes you sound like you are a journalist.

Someone please MOD this comment -1 redundant ;-)

Re:

[coolGuyZak]

Making up jargon to sound erudite actually makes you sound stupid.

Awesome. I only make up jargon to sound baztastic.

Re:

[hdparm]

It's pretty interesting in this context, though.

Performant code for audio libraries. I love it!

Worst possible choice.

[SanityInAnarchy]

Well, except C.

Try Haskell, Erlang, Common Lisp, Smalltalk, even Java.

I'm not incredibly worried, though -- most of my FLAC files are converted WAVs or CDs.

Re:

[Bill, Shooter of Bul]

because its fast as heckfire. Much much faster than ML or haskell. Its often faster than c. Although, I'd agree about the syntax. It has many small problems that really stand in the way of mass adoption. Modern Fortran is also pretty cool ( good by karma) its also fast and has some parallel features. I'd just like any of the functional languages to take off. Ocamel looks tempting because of the performance.

Its a chicken and the egg with languages like this. If they don't solve one task much better than a

Re:But I thought that this didn't happen with FOSS

[Locklin]

Not that I like feeding trolls, but wake up, no one here think's FLOSS == perfect security, that's why both my Ubuntu and Fedora machine get software updates on a regular basis. The primary difference between FLOSS and proprietary security is transparency: do you know how many ten year old bugs are sitting in Windows or IE which Microsoft refuses to fix? Unless you work for them, you likely don't have a clue.

Re:

[dedazo]

no one here think's FLOSS == perfect security

I disagree. There are certainly people here with that type of attitude. Whether they actually believe it or not, who knows. But the various degrees of "this would never happen if you were using free software" or "LOLOL download the patch, it's at www.ubuntu.com" are certainly prevalent.

BTW, that "how do you know Microsoft didn't do X or Y" is rarely productive - unless you have a habit of manually auditing every line of code that goes into your favorite Linux

Re:

[stevenvi]

The difference between this and a closed-source product is that now that the holes have been discovered, anybody can fix them. It's not going to be me, however, as I am far too lazy.

Re:But I thought that this didn't happen with FOSS

[Crypto Gnome]

Firstly...

libFLAC version 1.2.1 was released in September, 2007, fixing these vulnerabilities for most vulnerable applications.

Secondly...

this isn't supposed to happen with FOSS

Actually exactly this IS supposed to happen with FOSS.

Where this is .... someone other than the original developer(s) read through the original source code in order to identify vulnerabilities, and then provided information about said vulnerabilities back to the original developer(s) who promptly resolved the aforementioned vulnerabilities, with many thanks"

Re:

[hcmtnbiker]

How do you know that the security auditors identified the vulnerability by looking at the source? I think it's completely possible this was done by fuzzing, just as a lot of the proprietary MP3 codec vulnerabilities have been found.

Re:

[SanityInAnarchy]

So this is really ironic - Its my understating from reading hundreds and hundreds of /. posts that this isn't supposed to happen with FOSS. Only Micro$oft developers are supposed to have security bugs like this.

The assumption is that everyone -- or at least everyone stupid enough to program in C/C++, which is, really, everyone -- has some security bugs. The difference is, Microsoft may refuse to fix the bug, or refuse to acknowledge it's a bug (see Vista's performance issues), or even threaten to sue you i

Re:But I thought that this didn't happen with FOSS

[BlueParrot]

So this is really ironic - Its my understating from reading hundreds and hundreds of /. posts that this isn't supposed to happen with FOSS. Only Micro$oft developers are supposed to have security bugs like this.

You misunderstood. Where FLOSS differs from microsoft is:

a)This bug was discovered by third parties because they had access to the source
b)The bug is already fixed
c)Even on still vulnerable systems it wouldn't give you root access
d)It would have to rely on special plugins or user action
e)The problem is clearly described and documented allowing users to take precautions

Compare this to a vaguely described bug in your rendering engine for animated cursors enabling arbitrary webpages to compromise kernel space, and this not being fixed for days or even weeks despite documented exploits in the wild.

Somehow I don't see the irony.

Re:

[totally bogus dude]

If that really is your understanding, then you could benefit from either spending a bit of time improving your comprehension skills, or paying less attention to the trolls.

The difference between the development models and philosophies usually becomes apparent when the flaws are discovered. How long will it take for the libFLAC flaws to be fixed? How does this compare to closed-source applications with similar flaws? How long will it take for companies using libFLAC within their proprietary players take to

Re:

[grcumb]

Now, how did this ship? Who tested it? Who did the code reviews? Who did the security reviews? Who did all the threat modeling?

I'm sure you'll find the answers to these questions, as well as the make-up of the team, the changelog, access to CVS, and links to the development mailing list on the FLAC Project page [sourceforge.net]. If you weren't being facetious, that is.

The point behind FOSS - which you seem to have deliberately misconstrued - is openness, not perfection. While it can be argued that FOSS development proce

Re:

[Tribbin]

From your post I suggest you are throwing a party tonight to celebrate this event?

You make this sound like a once-in-a-lifetime oppertunity.

Re:

[Almahtar]

So this is really ironic - Its my understating from reading hundreds and hundreds of /. posts that this isn't supposed to happen with FOSS.

Then you misunderstood.

Who did the code reviews?

eEye Digital Security.

Who did the security reviews?

eEye Digital Security.

Who did all the threat modeling?

I'll give you three guesses.

The security impact of open source software is not that it has less bugs, but that they get found because people can analyze the source. Read this article and you'll see that's exactly what happened. It's good news.

You will have bugs in your software, and they will be found. The difference is are they found by 'good guys' that will warn you and help you fix it or are they found by 'bad guys' that root your

Re:

[pclminion]

How are you going to patch embedded devices that have hardware vulnerabilities?

What the hell does this argument have to do with Open Source? I'm sorry, was there some memo I missed that explains how embedded closed source software is easier to update than embedded open source software? You want a reasoned debate, how about we exclude the open/closed crap altogether, as it is totally irrelevant?

Having said that, I agree. The "many eyes shallow bugs" argument is absurd. It's like going to a country whe

Re:

[QuantumG]

Having said that, I agree. The "many eyes shallow bugs" argument is absurd. It's like going to a country where the national motto is: "Flurbistan: Who cares about the murder rate, we have a 100% conviction rate!" As if patching bugs quickly is somehow a consolation for people who have been compromised by them. Better idea: Don't release buggy shit in the first place.

Yeah man.. and, by your analogy, stop making murders!!

Idiot.

Re:

[Re-Pawn]

Not to sound trollish - but what imaginary world do you live in? Buggy software is a fact of life for the most part - it is created by humans and we all make mistakes. So, what software do you use that has never had to be updated or had a bug fix?

Re:

[pclminion]

Buggy software is a fact of life for the most part - it is created by humans and we all make mistakes.

When is the last time you were driving and the road just COLLAPSED? The bridge fell down? Your car spontaneously burst into flames? When's the last time you plugged an electrical appliance into a wall and got shocked? Last time your plasma television went nuts and shot laser beams at your cat? When's the last time the case of your box fan failed and the blades went flying through the air, decapitating y

Re:

[marcosdumay]

"When is the last time you were driving and the road just COLLAPSED? The bridge fell down?"

When was the last time you saw a bridge standing up after a willfull, informed, and competent attempt to put it down?

Freedom is valuable in its own right.

[jbn-o]

Software vulnerabilities crop up frequently, it's inherent in complex systems. The question comes to how users are treated and what freedoms they have to help one another and help themselves. With proprietary software, users must wait for the proprietor to supply a fix. All users of proprietary software are trapped in a monopoly. With free software users have the freedom to inspect, share, and modify the software at any time (or get someone else to do this work for them). Users don't have to wait to di

Re:

[Qubit]

The WMV format is "restricted" or, as the FSF terms it, "defective", as a matter of its design. I'd show you some docs, but they're probably not freely available anywhere for me to access them...

There might be buffer overflow bugs in the FLAC reference software, but I don't think that the bugs are there by design.

(I agree that tags like "Micro$oft" probably aren't the most grown-up thing to post, but what would /. be without a little trolling here and there to provide a nice garnish to the stories?)