unfortunately the /. story hit while I was traveling but let me reiterate the basic points.
- vulnerabilities were specifically in libFLAC, versions up to and including 1.2.0, fixed in 1.2.1. they are not related to the format itself or other non-libFLAC-based decoders (e.g. ffmpeg/mplayer). upgrade to 1.2.1 and you're fine. - a FLAC file has to be specifically crafted to exploit the vulnerability, which would include a payload of executable code, and the code is cpu-specific. e.g. if you were to get a malicious file with an x86 trojan, it will not result in a squeezebox executing the trojan. - it's pretty hard to reliably exploit, no known cases exist in the wild, and trojan code executes at the same privilege level as the decoder (typically user level, unless you're a windows user running everything as administrator in which case you have much bigger problems). - malicious files should be pretty easy to detect so I plan to write a fast scanner soon just to ease people's minds. Josh -- Josh Coalson ------------------------------------------------------------------------ Josh Coalson's Profile: http://forums.slimdevices.com/member.php?userid=2651 View this thread: http://forums.slimdevices.com/showthread.php?t=40287 _______________________________________________ ripping mailing list [email protected] http://lists.slimdevices.com/lists/listinfo/ripping
