
Security for All

Sûnnet Beskerming is a company with a focus and a drive to provide Information Security services for all those who want to stay safe and secure in an online world.


FLAC (Free Lossless Audio Codec) - Remote hacker manual control

Version: 1.2.0 and prior.

Technical Details:

Numerous critical vulnerabilities affecting the FLAC file format (.flac), identified by eEye, including fourteen opportunities for arbitrary code execution at various levels (OS dependent).

Although these issues were patched in September (libFLAC 1.2.1), eEye have published this information because of the number of applications that have not updated to this latest library.

Description:

eEye Digital Security have published an advisory detailing numerous critical vulnerabilities affecting the FLAC (Free Lossless Audio Codec) file format (.flac).


Mitigation:

Update to the latest version of affected software that is using FLAC. If the option exists, confirm that software is built against libFLAC 1.2.1, or later.
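One way to find applications that still bundle an old library, as an added example that is not from eEye or the FLAC project: the script below searches files for the vendor string libFLAC embeds in builds ("reference libFLAC X.Y.Z date") and compares the version with 1.2.1. The function names and the sample bytes are constructed for illustration, and the check is a heuristic: a stripped or vendor-patched build can hide or misstate its version, so "unknown" means unverified, not safe.

```python
import re
import sys
from pathlib import Path

# libFLAC embeds a vendor string such as "reference libFLAC 1.2.1 20070917";
# statically linked copies inside an application carry it as well.
VENDOR_RE = re.compile(rb"reference libFLAC (\d+)\.(\d+)\.(\d+)")
FIXED = (1, 2, 1)  # first fixed release named in the advisory

# Constructed sample: bytes resembling a binary that bundles libFLAC 1.2.0.
CONSTRUCTED_SAMPLE = b"\x7fELF\x00\x00reference libFLAC 1.2.0 20070715\x00"


def embedded_versions(data: bytes) -> set:
    """Return every libFLAC version tuple found in a byte string."""
    return {tuple(int(p) for p in m.groups()) for m in VENDOR_RE.finditer(data)}


def assess(data: bytes) -> str:
    """Classify a binary image as 'vulnerable', 'ok' or 'unknown'."""
    versions = embedded_versions(data)
    if not versions:
        return "unknown"  # no vendor string: stripped, or FLAC not bundled
    # The oldest embedded copy decides the verdict.
    return "vulnerable" if min(versions) < FIXED else "ok"


def scan(root: Path):
    """Yield (path, verdict, versions) for files under root that embed libFLAC."""
    for path in root.rglob("*"):
        try:
            if not path.is_file():
                continue
            data = path.read_bytes()  # whole file in memory; fine for binaries
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        versions = embedded_versions(data)
        if versions:
            yield path, assess(data), sorted(versions)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("constructed sample:", assess(CONSTRUCTED_SAMPLE))
    else:
        for path, verdict, versions in scan(Path(sys.argv[1])):
            shown = ", ".join(".".join(map(str, v)) for v in versions)
            print(f"{verdict:10} {path}  libFLAC {shown}")
```

Run it with an installation directory as the only argument; dynamically linked applications are covered when the scan root also contains the shared libFLAC library they load.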

Updates:

http://flac.sourceforge.net/news.html#20070917

Source:

http://research.eeye.com/html/advisories/published/AD20071115.html and http://www.kb.cert.org/vuls/id/544656

Exploits:

External Tracking Data:

AD20071115 (eEye tracking)

