[flac-dev] Two new CVEs against FLAC

Brian Willoughby brianw at audiobanshee.com
Wed Nov 26 10:33:46 PST 2014


On Nov 26, 2014, at 1:40 AM, Erik de Castro Lopo <mle+la at mega-nerd.com> wrote:
> 
> Brian Willoughby wrote:
> 
>> While we're on the topic, what sort of consequences are there, really,
>> with this vulnerability? Worst case, your player stops playing on a
>> file that cannot be played anyway. Yes, it's bad that you have to
>> power-cycle the player to get it to restart, but it's not like you
>> can be doing anything else at the same time you're playing a bad FLAC.
>> Have I missed something?
> 
> I think you are underestimating what a motivated cracker can do starting
> with a simple heap overflow. See:
> 
>    http://en.wikipedia.org/wiki/Heap_overflow
> 
> Erik

My point was specifically about embedded FLAC running on a device like a player. I should have pointed out that I meant that there is no Linux or other operating system, there is no 'root' account, and there are no other programs running. The only data structures that exist besides the playback engine would be the FAT file system for external storage of recordings.

Besides pure maliciousness, a hacker has nothing to gain by creating a bad FLAC that will cause a player to crash.

Brian
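Editor's note, added to this archived thread and not part of either poster's message or of libFLAC: the example below shows what "a simple heap overflow" looks like on exactly the kind of bare-metal player Brian describes (no OS, no MMU, no guard pages, a bump allocator carving buffers out of one static arena). The block format, the allocator and the player_state layout with its storage_write_enabled flag are all constructed for illustration and are not FLAC's; the only borrowed idea is a 24-bit length field read from the file. The point it makes is that on a flat-memory device an over-long length does not just crash the decoder: the bytes past the buffer land in whatever the allocator placed next, here the state that decides whether the FAT storage is writable, and the attacker chooses those bytes. The hardened decoder differs by a single comparison.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated bare-metal heap: one static arena with a bump allocator, no OS,
   no MMU and no guard pages (constructed for this example). */
#define ARENA_SIZE 256
static uint8_t arena[ARENA_SIZE];
static size_t arena_top;

static void arena_reset(void)
{
    memset(arena, 0, sizeof arena);
    arena_top = 0;
}

static uint8_t *arena_alloc(size_t n)
{
    if (n > ARENA_SIZE - arena_top)
        return NULL;
    uint8_t *p = arena + arena_top;
    arena_top += n;
    return p;
}

/* Hypothetical player state that the allocator places right after the
   decode buffer. Field names are invented for the example. */
struct player_state {
    uint32_t storage_write_enabled; /* 0: recordings on FAT storage stay read-only */
    uint32_t magic;                 /* sanity value while the state is intact */
};

#define DECODE_BUF_SIZE 32
#define STATE_MAGIC 0x600DF00Du

/* Constructed block format, not FLAC's: 1 byte type, 3-byte big-endian
   payload length, then the payload. */
static uint32_t read_be24(const uint8_t *p)
{
    return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2];
}

/* Vulnerable decoder: bounds-checks the length against the file, but never
   against the fixed-size heap buffer it copies into. */
int decode_block_unchecked(const uint8_t *file, size_t file_len,
                           uint8_t *buf, size_t buf_size)
{
    (void)buf_size;                      /* never consulted: this is the bug */
    if (file_len < 4)
        return -1;
    uint32_t len = read_be24(file + 1);
    if (len > file_len - 4)
        return -1;
    memcpy(buf, file + 4, len);          /* runs past buf when len > buf_size */
    return (int)len;
}

/* Hardened decoder: rejects a block whose declared length exceeds the buffer
   before a single byte is copied. */
int decode_block_checked(const uint8_t *file, size_t file_len,
                         uint8_t *buf, size_t buf_size)
{
    if (file_len < 4)
        return -1;
    uint32_t len = read_be24(file + 1);
    if (len > file_len - 4 || len > buf_size)
        return -1;
    memcpy(buf, file + 4, len);
    return (int)len;
}

/* Feed one constructed malicious block through the chosen decoder and report
   whether the neighbouring player state survived.
   Returns 1 if the state was corrupted, 0 if intact, -1 on setup failure. */
int run_scenario(int use_checked)
{
    arena_reset();
    uint8_t *buf = arena_alloc(DECODE_BUF_SIZE);
    uint8_t *state_bytes = arena_alloc(sizeof(struct player_state));
    if (!buf || !state_bytes)
        return -1;

    struct player_state st = { 0, STATE_MAGIC };
    memcpy(state_bytes, &st, sizeof st);

    /* Constructed file: declares 40 payload bytes, 8 more than the buffer holds.
       The last 8 payload bytes are chosen to land on player_state: the write
       flag becomes non-zero and the magic becomes 0x41414141. */
    uint8_t file[4 + 40];
    file[0] = 0x00;
    file[1] = 0x00; file[2] = 0x00; file[3] = 40;    /* big-endian 24-bit length */
    memset(file + 4, 0x00, 40);
    uint8_t tail[8] = { 0x01, 0x00, 0x00, 0x00, 0x41, 0x41, 0x41, 0x41 };
    memcpy(file + 4 + DECODE_BUF_SIZE, tail, sizeof tail);

    int rc = use_checked
        ? decode_block_checked(file, sizeof file, buf, DECODE_BUF_SIZE)
        : decode_block_unchecked(file, sizeof file, buf, DECODE_BUF_SIZE);
    (void)rc;

    memcpy(&st, state_bytes, sizeof st);
    return (st.magic != STATE_MAGIC || st.storage_write_enabled != 0) ? 1 : 0;
}

int main(void)
{
    printf("unchecked decoder: player state %s\n", run_scenario(0) ? "corrupted" : "intact");
    printf("checked decoder:   player state %s\n", run_scenario(1) ? "corrupted" : "intact");
    return 0;
}
```

With the unchecked decoder the crafted block flips the write-enable flag and clobbers the magic without any crash at all, which is the case that matters: a device that silently keeps running with attacker-chosen state is harder to notice than one that needs a power cycle. Whether the bytes that spill over hit a flag, a file-system handle or a callback pointer depends only on what the allocator put next to the decode buffer, which the attacker can often predict on firmware with a fixed allocation order.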