PDA

View Full Version : Multiple Vulnerabilities In .FLAC File Format and Various Media Applications


sjmike
2007-11-20, 11:34 AM
That there are multiple critical vulnerabilities in the Free Lossless Audio Codec (FLAC) library has been known since September. However, until now no mention has been made concerning which products use the library and are potentially vulnerable. US-CERT has rectified this omission in an advisory that incudes a list of affected products. The list includes Cog, dBpoweramp, Foobar2000, jetAudio, PhatBox and Yahoo products (probably the Yahoo! Music Jukebox). In Winamp, the vulnerability has been fixed since version 5.5, in libFLAC since version 1.2.1.

Security services provider eEye has released an overview of all 14 known vulnerabilities in libFLAC parsers in a new security advisory. Almost all of these are due to buffer overflows. Many can be exploited to inject and execute code using crafted meta data in FLAC files. As well as the products named, players based upon the open source libavcodec audio codec library also can be affected by the vulnerability. They can be linked against libFLAC for FLAC support. These include MPlayer, VLC Media Player, GStreamer, ffdshow, xmms and xine.

Until updates are made available, users should only play FLAC files from trusted sources. To date, however, FLAC files are rarely seen in the wild. US rapper Saul Williams is one of the few artists who does offer a losslessly compressed version of his latest album "The Inevitable Rise and Liberation of NiggyTardust!" in FLAC format as a download.

See also:
http://www.securityfocus.com/archive/1/483765/30/0/threaded

Five
2007-11-20, 03:38 PM
vulnerabilities have been fixed for some time now. update flac if you need to

libFLAC version 1.2.1 was released in September, 2007, fixing these vulnerabilities for most vulnerable applications. Unfortunately, many vendors that were using libFLAC within their media applications or using their own homegrown FLAC file parsers had not been informed that their FLAC file parser was vulnerable. Because of that, the release of this advisory was postponed until all vulnerable vendors were contacted in coordination with US-CERT.
http://research.eeye.com/html/advisories/published/AD20071115.html

Kush
2007-11-20, 09:53 PM
Is the current version of TLH free of these .flac vulnerabilities? I love the convenience of a single program for all trader-related stuff.