Skip to main content

Notice

Please note that most of the software linked on this forum is likely to be safe to use. If you are unsure, feel free to ask in the relevant topics, or send a private message to an administrator or moderator. To help curb the problems of false positives, or in the event that you do find actual malware, you can contribute through the article linked here.
Topic: CVE-2021-30351 (Read 708 times) previous topic - next topic
0 Members and 1 Guest are viewing this topic.

CVE-2021-30351

Given the recent security vulnerability issues in the open source ALAC reported. when ( and does it require) foobar2000 to update for the ALAC security vulnerabilities. Pretty much all open source implementors based their code on the 2011 Apple git sources.

Thanks

Re: CVE-2021-30351

Reply #1
The ALAC decoder in foobar2000 is based on the same library but Peter fixed the obvious security issues in his version several years ago. It is quite safe to assume foobar2000 is not affected. All natively supported inputs in foobar2000 have been heavily fuzzed and found library issues have been patched.

Re: CVE-2021-30351

Reply #2
I emailed Check Point Research asking for details about the bug, hopefully they can verify that my code is vulnerable or not before full public disclosure. Still awaiting reply.

That said, original Apple code has glaring security issues, I feel sorry for anyone using that thing instead of my fork with bugs fixed. It seems I do better security auditing of third party code than phone firmware makers do.

If this can't be resolved easily enough, I can swap the offending code for FFmpeg, whose ALAC decoder isn't derived from Apple library and doesn't have such bugs as far as I can tell.
We are the bork. Your software bugs will be added to our own. Resistance is futile.

Re: CVE-2021-30351

Reply #3
I still haven't gotten a reply to my email, so I can't confirm whether this CVE is something new or something that I fixed.

I decided to play it safe and got rid of the Apple library entirely, for foobar2000 v1.6.11.

FFmpeg ALAC code is definitely more mature than the Apple library, even if slightly slower.
We are the bork. Your software bugs will be added to our own. Resistance is futile.

Re: CVE-2021-30351

Reply #4
Sounds great Peter.... perhaps in the release notes, put the version of ffmpeg you upgraded to, like the other flac recent upgrades.  I am using VS 2022 17.1 now and it certainly has great improvements in code gen. any reason why you are not shipping a pure 64 bit foobar 2000 yet ?