Numerous media players affected by vulnerability in audio codec [Update]
That there are multiple critical vulnerabilities in the Free Lossless Audio Codec (FLAC) library has been known since September. However, until now no mention has been made concerning which products use the library and are potentially vulnerable. US-CERT has rectified this omission in an advisory that incudes a list of affected products. The list includes Cog, dBpoweramp, Foobar2000, jetAudio, PhatBox and Yahoo products (probably the Yahoo! Music Jukebox). In Winamp, the vulnerability has been fixed since version 5.5, in libFLAC since version 1.2.1.
Security services provider eEye has released an overview of all 14 known vulnerabilities in libFLAC parsers in a new security advisory. Almost all of these are due to buffer overflows. Many can be exploited to inject and execute code using crafted meta data in FLAC files. [Update]Players like MPlayer, VLC Media Player, GStreamer, ffdshow, xmms and xine can also be affected by the vulnerability if they are linked against libFLAC for FLAC support. Usually these players are linked against libavcodec which is not affected by the vulnerability[/Update].
Until updates are made available, users should only play FLAC files from trusted sources. To date, however, FLAC files are rarely seen in the wild. US rapper Saul Williams is one of the few artists who does offer a losslessly compressed version of his latest album "The Inevitable Rise and Liberation of NiggyTardust!" in FLAC format as a download.
- libFLAC contains multiple vulnerabilities, security advisory from US-CERT
- Multiple Vulnerabilities In .FLAC File Format and Various Media Applications, security advisory from eEye