Common Vulnerabilities and Exposures assigned an identifier CVE-2007-6278 to the following vulnerability: Free Lossless Audio Codec (FLAC) libFLAC before 1.2.1 allows user-assisted remote attackers to force a client to download arbitrary files via the MIME-Type URL flag (-->) for the FLAC image file in a crafted .FLAC file. References: http://research.eeye.com/html/advisories/published/AD20071115.html http://www.securityfocus.com/archive/1/archive/1/483765/100/200/threaded http://www.kb.cert.org/vuls/id/544656 http://www.securitytracker.com/id?1018974
" Vulnerability #11: Malformed Image/File Download Vulnerability Using the "-->" MIME-Type flag to signal a URL for a FLAC image file could allow the possibility of arbitrary file downloads if the application does not verify the file-type prior to downloading the file. This could also be combined with GDI+ or other picture rendering vulnerabilities to allow code execution depending on the application. This could also be applied to image files inserted into the FLAC file. Alternatively, this might be a vector to store malicious data, such as an attacker's payload. This could then be combined with another vulnerability to allow a more reliable exploit especially if the data retrieved by the vulnerable application is stored in a reliable memory address. " This is completely bogus. If we have a compromised FLAC, it could contain a link to a compromised server (ie. with a completely bogus mime-type). There would be no way to check the data beforehand. This problem lies solely with the applications and their respective image libraries.
Red Hat does not consider this a security issue. Downloading and opening a file of unknown type from potentially untrusted location does not impose any security risks and it's normally done by other applications such as web browsers and e-mail clients.