Multiple Vulnerabilities In .FLAC File Format and Various Media Applications
November 15, 2007
September 28, 2007
Patch Development Time (In Days): 48
High (Remote Code Execution)
Applications with FLAC Support
eEye Digital Security has discovered 14 vulnerabilities in the processing of FLAC (Free-Lossless Audio Codec) files affecting various applications. Processing a malicious FLAC file within a vulnerable application could result in the execution of arbitrary code at the privileges of the application or the current user (depending on OS).
The vulnerabilities in the .FLAC format are due to improperly handling metadata values from malformed files. The file format is available here: http://flac.sourceforge.net/format.html
LMCE generates its own FLAC files (eg by ripping CDs when FLAC is the specified archive format), so the risk to LMCE is minimal, unless users import FLACs generated by a malicious party. However, leaving a vulnerable executable in the system is still a known risk of unknown probability, which is an unnecessary risk.
This vulnerability report also raises the qustion of how LMCE handles the discovery of bugs like this, and how the development project responds to it. Kubuntu's APT system lets its dependency on Ubuntu automatically upgrade to security fix releases. Are we sure that all LMCE components are in that system? How do we respond to ones that are not?