
GdkPixbuf Suffers Image Decoding Vulnerabilities

Posted by CowboyNeal
from the heads-up dept.
DNAspark99 writes "It seems multiple vulnerabilities have been reported in GdkPixbuf, which can be exploited by malicious people to DoS (Denial of Service), and potentially compromise a vulnerable system. Personally, I wasn't concerned about this until I ran 'ldd firefox-bin | grep libgdk_pixbuf'" There's no official patch yet, but the article notes several Linux vendors have issued updates. Worth keeping an eye on for those who use libgdk_pixbuf under other Unix-style operating systems as well.
  • by gnuman99 (746007) on Thursday September 16, 2004 @06:47PM (#10272134)
    More bugs. More fixes. More patches. This is the software cycle...
    • What would you prefer? To stop the patches and fixes, you want no new bugs. To have no new bugs, the product won't evolve. If you want a moving-forward product, don't complain :)
      • by cyb97 (520582)
Trying to second-guess what the OP meant (of course influenced by my own opinion), every bug or patch isn't really slashdot-worthy. This one certainly ain't groundbreaking news...
    • by Anonymous Coward
      Though this isn't a kernel exploit, I thought one selling point of Linux was the "millions" of eyes on the code to prevent problems such as this in such highly re-used software as libraries. When MS announces these things, it's called crappy code; when Linux does this, it's simply "normal software life-cycle". Does nobody else see this as strange? I can't wait for the proverbial monkeys to start pounding away on all the upcoming Linux boxes and the inevitable number of bugs to be discovered.

      Hmm, gue

      • Though this isn't a kernel exploit, I thought one selling point of Linux was the "millions" of eyes on the code to prevent problems such as this in such highly re-used software as libraries.

You seem to be missing the point. ALL software has bugs and those bugs need to be found and removed. That is the software cycle.

        I can't wait for the proverbial monkeys to start pounding away on all the upcoming Linux boxes and the inevitable number of bugs to be discovered.

        You know, I can't wait either because the

      • if you didn't realize by reading the news in the last week, it doesn't matter how long your software is attacked, new bugs are found. Yes, guess what, even microsoft has vulnerabilities announced every month. Millions of eyes on the code can help and obviously it did. We didn't hear about the new virus out there in order to find out about this exploit, we just found out about this exploit. Millions of eyes don't prevent mistakes, they do help find them faster and patch them quicker. And of course, even
  • gnome uses this (Score:5, Insightful)

    by kinko (82040) on Thursday September 16, 2004 @06:48PM (#10272142)
    If you're not aware, gnome2 uses this library, so any gtk2/gnome2 applications you use are probably linked against libgdk_pixbuf.

    update your systems...
    • Re:gnome uses this (Score:4, Informative)

      by http (589131) on Thursday September 16, 2004 @09:01PM (#10273143) Homepage Journal
      I tried "apt-get --dry-run --purge remove libgdk-pixbuf2 libgdk-pixbuf-gnome2" and the list of packages was _long_. I do not have a gnome-heavy system, either. Some choice selections:
      bonobo
      galeon
      gdm
      gnome-control-center
      gnome-help
      gnome-panel
      gnome-session
      gnome-utils
      libgnomeprint-bin
      nautilus
      rep-gtk-gnome
      sawfish-gnome
      xchat-gnome

      It's a biggie, all right.
  • by crimethinker (721591) on Thursday September 16, 2004 @06:48PM (#10272145)
    I think this is the fourth vulnerability related to image decoding I've seen in the past month or so. Methinks somebody is doing a thorough code review of open source image libraries, the stolen NT code (remember the Windows BMP vuln?), and, where source can't be obtained, thinking about where it might be vulnerable. I just wish people with that much determination would concentrate on fixing the bugs, instead of exploiting them ... so much wasted talent.

    sigh Time to tell the idealist in me to STFU.

    -paul

    • by Anonymous Coward on Thursday September 16, 2004 @06:56PM (#10272218)
      The one who found this vuln is Chris Evans, as known
      as the vsftpd author (http://vsftpd.beasts.org/), and
      here (http://scary.beasts.org/security/) are other bugs he found.
    • by BeBoxer (14448) on Thursday September 16, 2004 @06:57PM (#10272232)
      I just wish people with that much determination would concentrate on fixing the bugs, instead of exploiting them ... so much wasted talent.

What we really need is a web page summarizing all the recent bugs in media decoding (mpg123 I think just had one) as a "how not to program" guide and then make it mandatory reading to get a sourceforge account. I think it's great folks are out looking for these bugs, but it's an embarrassment that there are this many being found so quickly. To me that indicates that there are a crapload of them out there.

      It makes me want to go on vacation for six months and do one upgrade when I get back. Instead of doing one a day for the next six months.
      • It makes me want to go on vacation for six months and do one upgrade when I get back. Instead of doing one a day for the next six months.
        Why not just set up automated security updates?

    • ...fourth vulnerability related to image decoding I've seen in the past month...

      Yes, yes, people are starting to notice...

      Methinks somebody is doing a thorough code review (..)

      Naahhh, it must be a global conspiracy! We just didn't find out yet who is The Evil One behind all this...

    • by PitaBred (632671) <slashdot.pitabred@dyndns@org> on Thursday September 16, 2004 @06:59PM (#10272254) Homepage
The thing is, you now know about the vulnerability. I'd rather know about it and fix it than not know about it and let someone exploit it. It's a GOOD thing that people are finding these and reporting them. They'll be found either way...
    • by ZuperDee (161571) <zuperdee@yaho[ ]om ['o.c' in gap]> on Thursday September 16, 2004 @07:01PM (#10272263) Homepage Journal
      I just wish people with that much determination would concentrate on fixing the bugs, instead of exploiting them ... so much wasted talent.

      Why should they?!? If I ask a question, why should I also have to provide an answer? That is a stupid attitude to have. If everyone who asked questions had the answers, there'd be no questions to ask.

      Likewise, why look a gift horse in the mouth when he points out a vulnerability like that? Exploiting is a different art from coding to many people. Maybe it just so happens that some people are better at seeing things that others don't catch?

      And don't blame the tools, either. I hear too often people saying things like "if only it were in Java instead of C++, this would not be a problem." A poor workman always blames his tools. A poor musician can ALWAYS say "if only I had a better instrument, I could be a better musician." One simple word for that: Balderdash.
    • by iabervon (1971) on Thursday September 16, 2004 @08:08PM (#10272835) Homepage Journal
      You need to write exploits in order to test whether you've actually fixed the bugs, and in order to determine whether the code is actually correct for some reason you're not seeing.

      It is often the case that support for some functionality which is buggy in one implementation will be buggy in other implementations as well, so it is pretty common in general for a lot of similar bugs to turn up at the same time.
    • by cowbutt (21077)
      Methinks somebody is doing a thorough code review of open source image libraries, the stolen NT code (remember the Windows BMP vuln?), and, where source can't be obtained, thinking about where it might be vulnerable.

      I wouldn't be surprised if people are just testing the proof-of-concept demonstration files intended to break other image decoding code and finding that it breaks their code too, maybe in a slightly different way. It's not uncommon for separate programmers to make the same thinkos even if they

      • by Ayanami Rei (621112) * <`moc.liamg' `ta' `imanayar'> on Thursday September 16, 2004 @11:48PM (#10274020) Journal
As long as it's not a RAW screendump or uncompressed TIFF file or something, there's going to be some interpretation of the file's content to produce the human-consumable output. And it'll be based on a parameterized command stream. And if the interpretation of those parameters is not handled rigorously, or if the system does not account for every possible combination of commands, well then you're ripe for an exploit.

        That's basically EVERY file format.

        Even text can be dangerous. Ever heard of a terminal or ANSI bomb [kernelthread.com]? (scroll down in link).

        The only "safe" viewer is a hex editor. Or less (maybe, you get the idea).

  • by 2forshow (810467) on Thursday September 16, 2004 @06:55PM (#10272210)
    There will always be vulnerabilities. Since people can't produce perfect code there will always be a way for someone to make a flaw into a vulnerability. Therefore there will always be patches and updates(relating to security measures). The only way to stop these flaws from becoming an issue, like this one, is to stop crackers. And good luck with that.
  • by Anonymous Coward on Thursday September 16, 2004 @06:56PM (#10272219)
    Time to switch. Take back the Web. [microsoft.com]

    Vote against shoddy software with your clicks.
  • by prestwich (123353) on Thursday September 16, 2004 @06:56PM (#10272224) Homepage
    It strikes me that it would be a good use of any spare capacity some search engines might have to search for image headers on web sites, that are attempting to exploit these types of problems.
  • by sppavlov (809156) on Thursday September 16, 2004 @06:58PM (#10272247)
    The only places using gdk-pixbuf in Firefox for loading images are all for loading images from your local machine. No from-the-network code paths use gdk-pixbuf.
  • by spoco2 (322835) on Thursday September 16, 2004 @07:01PM (#10272264)
    Last time I ran "ldd firefox-bin | grep libgdk_pixbuf". I was pretty worried that I had no frigging idea what the hell I was typing.
  • Yawn (Score:3, Insightful)

    by ChiralSoftware (743411) <info@chiralsoftware.net> on Thursday September 16, 2004 @07:03PM (#10272282) Homepage
    Maybe Slashdot should have a separate section for this? As I've said again [slashdot.org] and again [slashdot.org], we will keep having these types of vulnerabilities until we start using languages with safe pointers and safe memory operations. NX bits, library loading location randomization help too.

    I was just using the Icesoft Java web browser [icesoft.com] and the Fluendo media player [fluendo.com]. These are both big applications written in 100% pure Java. They both don't have buffer overflows because Java doesn't have buffers (in the C sense). How many security holes do we need to see every week?

How are the responsiveness of the Icesoft Java web browser and the Fluendo media player? I may get flamed for making this comment but I'm not too happy with the performance (speed wise) of the Java applications I've seen so far.
      • Re:Yawn (Score:3, Interesting)

        by LnxAddct (679316)
The only slow programs in java are poorly implemented and use the Swing GUI toolkit in the wrong way. I personally like using Swing, and I use it efficiently, but in many cases the SWT toolkit by Eclipse will be just fine as well. SWT is a lighter, faster, toolkit that uses the native toolkit of the system. Java is extremely fast, easily as fast as C++, if you need something faster than Java you should be using assembly. Read this [sun.com]. Also, the new JVMs by Sun have a feature called Hotspot, what this does is
        • On the desktop I don't want to put up with the load times of a VM and the fact that many applications are written to a particular VM, whether that be a particular point rev of Sun's JVM or Microsoft's. So much for write once, run anywhere. So how many JVMs do I have to put up with on my machine to realize this nirvana of no buffer overflows, exactly?

          In regards to being an amateur, I was in this business when you were in diapers, if your email address is any indication. Put simply, if I know the end user
        • Re:Yawn (Score:3, Insightful)

          by argent (18001)
          The problem with Java isn't the speed of the runtime once it starts running, it's the huge bloody overhead as it cranks the JVM up. Of course you can use a shared JVM, if you want to abandon hard protection barriers between unrelated processes. It's fine in a webserver, but keep it away from my command line.

          There are safe languages with a lot less startup overhead than Java. Even quite slow languages like /bin/sh are better suited to a traditional UNIX environment.
    • Re:Yawn (Score:2, Interesting)

      by Anonymous Coward
      Isn't there also the "D" programming language, which as far as I know, has many of the advantages of Java and C# (does not use unsafe pointers by default for instance) but has the advantage of producing proper compiled code.

      The experience I have of "trying" to use Java programs of any size (I don't think I've come on a .NET one) has so far been very painful. They keep telling me how it is so much faster now, and how computers being so much faster using an interpreted language is not that bad, but that's j
  • This is why I really hate when people start wars about one platform over another over security. No one is perfect, and errors like this will happen. The only real way to attempt to prevent flaws like this is more strict code reviews and more testing and debugging. Even those actions won't always find a problem like this because sometimes the problem is outside the bounds of the program's normal operation (ie invalid data in an image that wouldn't be found by testing with real images). All we can do is h
    • And that the people without hats stop clicking on the damn things. "Ooh, more free porn"
    • This is why I really hate when people start wars about one platform over another over security. No one is perfect, and errors like this will happen.

      It's not the errors like this that bothers me about Windows.

      It's the design flaws that get exploited over and over again that are unique to Windows and they refuse to fix for political reasons. I mean, mail software that automatically executed scripts used to be a joke. We all knew that nobody would ever release a program like that, or if they did they'd rem
  • by Dirtside (91468) on Thursday September 16, 2004 @07:05PM (#10272303) Journal
    There's a particular comment which we'll see about a thousand times on this thread alone, the gist of which will be, "See? Even open source has bugs/security holes! It's no better than Microsoft!"

    The reason we bash Microsoft for its bugs and security holes is not because they have bugs and holes; the reason is that Microsoft paints itself as the savior of computing, as software that will make your life infallibly better and easier, and along the way has made quite a lot of unethical business decisions. They basically brag about how uber they are, and then they release crappy software and frequently take forever to fix certain bugs (or simply never fix them -- e.g. PNG transparency in IE. What's it at, 3 years and counting? 4?).

    The guys who write open source stuff like GdkPixBuf, on the other hand, have not (to my knowledge) done these things. They are thus not deserving of scorn; they write software, release it, and say, "I wrote this because I needed it. If you want to try it out, here you go. Have fun; I don't promise anything."

    That's why we mock Microsoft for its bugs and not the GDK team.

    (To be fair, I'm certain that there are some OS projects whose developers are as arrogant as Microsoft, but they at least do not have the unethical business history Microsoft does, nor do they (still!) have a monopoly on desktop OSes that they continue to abuse to the detriment of everyone except themselves. It's one thing to be an asshole when you're nobody important; it's quite another when you have a great deal of power.)
    • There's a particular comment which we'll see about a thousand times on this thread alone, the gist of which will be, "See? Even open source has bugs/security holes! It's no better than Microsoft!"

      Um, actually I haven't seen it once in this thread yet. You sure this is the right thread?

    • I just wanted to point out that the lack of support for PNG Transparency in Internet Explorer is NOT a bug - according to the spec [libpng.org], it's optional...

      Viewers can support transparency control partially, or not at all.

      (Note: I'm not pro-Windows, I use Slackware [slackware.com] on a daily basis, but I'm just tired of people claiming the above as a bug)

      • My bad; I didn't know it wasn't part of the spec. Nonetheless, MS has in the past both spoken of its commitment to open web standards (and partly implementing them is not much of a commitment), and from what I've been able to find with a little Googling, MS stated sometime around 2000 that they intended to implement the full PNG spec, which they haven't. So even if it's not a bug, it's at least a broken promise.
    • In other words, the reason why everyone complains about Microsoft's software has nothing to do with Microsoft's software. Well, at least you're being honest.
      • In other words, the reason why everyone complains about Microsoft's software has nothing to do with Microsoft's software. Well, at least you're being honest.
        What? I didn't say that. The scorn is the response to the combination of bad software practices, arrogance, and monopolistic abuse. There are certainly crappy OSS projects out there, although whether or not OSS produces better or worse software is an entirely different debate.
        • Oh, sorry. When you said "The reason we bash Microsoft for its bugs and security holes is not because they have bugs and holes; the reason is that Microsoft paints itself as the savior of computing, as software that will make your life infallibly better and easier, and along the way has made quite a lot of unethical business decisions," I thought you meant it.
  • We're not going to see the open source to a universal buffer object, with complete bounds checking, that every single buffer-requiring codepath calls, any time soon. So how about a "security watch" object that checks a specifiable URL for security announcements, which sends a message to a DB that notifies the sysadmin of security announcements, from warnings to patches? The DB could be set with alternate URLs, the watch object could require corroboration from multiple sources, the site policy could default
    • Which would probably work just fine as long as your fire department wasn't known as Microsoft.
      • That's the idea: take the promise of Microsoft Update, and deliver it with a dependable, decentralized infrastructure plugged into the community. Even in NYC a century ago, when firefighters were private companies contracted by individual insurance companies to protect individual buildings, the landlords didn't own the fire companies, even though it was apparently in their best interest. That model eventually stabilized into the government organized volunteer force now cooperatively covering all buildings i
  • by Quixote (154172) on Thursday September 16, 2004 @07:09PM (#10272370) Homepage Journal
    It would be useful if someone could post the sourcecode snippets, and show exactly how these vulnerabilities was caused. This is the advantage of OSS: you can dig into the sources and analyze them completely.

    --
    A neighborhood's tale [elmwoodstrip.com]

  • by asa (33102) <asa@mozilla.com> on Thursday September 16, 2004 @07:11PM (#10272387) Homepage
Firefox doesn't use gdk-pixbuf for drawing its images. The only places using gdk-pixbuf in Firefox are loading a couple of images from your hard drive into the browser UI -- like the little Windows desktop icon that shows up in the download manager UI. This isn't remotely exploitable in Firefox.

    --Asa
    • Sounds like time to strace Firefox and search for calls to gdk-pixbuf functions. I am on a shitty winders machine right now or I would do it myself.
    • And neither in Mozilla Suite I suppose?
    • What if somebody uploaded a browser theme that had a craftily designed texture or image?

      Wouldn't that fall under the banner of exploitable?

      Are these theme files automatically associated for download with Firefox?

      Could somebody build a webpage offering downloads of these, or even get one onto the theme manager listing?

      All pretty far out, but at least possible.

      This is like finding out a nasty flu is going round. There is an exploit in something I use, I do not feel comfortable using it even though norma
  • Overflow testing (Score:3, Insightful)

    by phorm (591458) on Thursday September 16, 2004 @07:36PM (#10272605) Journal
How hard would it be to write a program that could be used to test apps against buffer overflow errors? This should be given the source of the app, where one could exclude various procedures (i.e. when the calling procedure already tests for overflow).

    Difficult, impossible. Helpful or useless?

    I'd imagine that with such tools hackers could also test your code for overflows, but if it became mainstream to hardcore test for such things then perhaps they wouldn't have the opportunity.
    • Re:Overflow testing (Score:5, Informative)

      by jhoger (519683) on Thursday September 16, 2004 @09:00PM (#10273140) Homepage
      There is no algorithm to do what you are describing (google for "halting problem")

      You could run something like lint to catch common C errors.

      Better than that though is to profile your code actually running, to see buffer overflows and leaks that actually occur (google for valgrind).

      But most of these exploits are specially crafted input that produce buffer overflows. Typical input won't. So it is very hard to test for buffer overflows.

      The only 100% way to work these kinds of problems out is to write code in higher level languages, so at least you'll get an exception and fail closed in the case of a buffer overflow.

      But in C, the only way to resolve these problems is

      1) Don't write code with buffer overflows (hard)
      2) Find and fix buffer overflows in code review (harder)
      3) Write good enough negative test cases that you find the buffer overflows (really hard for even a good tester).

      • I compile a LOT of my libraries on my box (it's an FC1 hybrid) and my other box is a gentoo.

        Most of the exploits (ie actual "exploits") depend on the EIP or some other register being clobbered or the stack being smashed to execute a data block. Metasploit has a nice database of such clobberable locations [metasploit.com] for Windows

        So if you compile your own stuff with your own "-O3 -fomit-frame-pointer -fstack-protector", you may be breaking the binary compatibility of exploit :). Most ordinary exploits will fail fo

    • Such apps exist... (Score:4, Informative)

      by Goonie (8651) * <robert...merkel@@@benambra...org> on Friday September 17, 2004 @12:40AM (#10274250) Homepage
      I've seen applications that test command-line apps for buffer overflows. They work, and have been used to detect potentially exploitable bugs. The general principle can be used to test other types of apps, though obviously you have to adapt the program for each type of program input.

A more general prevention method is to use an environment that doesn't allow buffer overflows; as Java proponents never tire of pointing out, Java guards against this type of attack. There are C libraries which do similar things, IIRC; StackGuard was one such method, though it seems to have faded into obscurity.

      As to your suggestion of a static source code check for unsafe programming practices, there are programs that do that too. GCC itself includes a number of warnings that pop up if you use inherently unsafe C library functions, like gets() (which is buffer overflow in a can...).

  • SuSE (Score:2, Informative)

    by karniv0re (746499)
    gdk-pixbuf - Fixes for security problems in gdk-pixbuf

    This update fixes three vulnerabilities found in the XPM loader code of the GDK Pixbuf Library. They are registered as:
    CAN-2004-0782 Heap-based overflow in pixbuf_create_from_xpm
    CAN-2004-0783 Stack-based overflow in xpm_extract_color
    CAN-2004-0788 ico loader integer overflow.

    Thanks YaST!
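The two bug classes the SuSE advisory names, a stack-based overflow while extracting an XPM colour token and an integer overflow when sizing an image from header fields, as an added illustration in C (not gdk-pixbuf's code and not posted by any commenter). It shows the checked forms that reject an over-long token and a wrapping size product, which is the kind of input jhoger's "negative test cases" point above is about. Function names, the 64-byte token limit and the 1 GiB size ceiling are assumptions.

```c
/* Added illustration, not gdk-pixbuf's code: defensive checks for the two
 * bug classes in the advisory above.  Names, COLOR_MAX and the 1 GiB
 * ceiling are constructed assumptions. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COLOR_MAX 64                 /* fixed-size destination, e.g. a stack buffer */
#define MAX_IMAGE_BYTES (1u << 30)   /* assumed ceiling on a decoded image */

/* Copy one whitespace-delimited colour token from `line` into `out`.
 * Returns the number of bytes copied, or -1 if the token would not fit.
 * The unbounded "copy until whitespace" pattern is what overruns a fixed
 * buffer; the check on `n` before every store is the whole fix. */
int extract_color_checked(const char *line, char out[COLOR_MAX])
{
    size_t n = 0;
    while (*line && isspace((unsigned char)*line))
        line++;                               /* skip leading blanks */
    while (line[n] && !isspace((unsigned char)line[n])) {
        if (n + 1 >= COLOR_MAX)               /* keep room for the NUL */
            return -1;                        /* reject, never overrun */
        out[n] = line[n];
        n++;
    }
    out[n] = '\0';
    return (int)n;
}

/* Unsafe 32-bit product, kept only to show what the check below prevents;
 * it is never used to size an allocation here.  Header fields chosen so
 * that width*height*bpp wraps yield a tiny buffer the decoder then writes
 * far past. */
uint32_t image_size_wrapping(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;              /* silently wraps modulo 2^32 */
}

/* Compute width * height * bpp without wrapping.  Returns 0 and stores the
 * byte count on success, -1 on a zero/odd field, overflow, or a result
 * above the assumed ceiling. */
int image_size_checked(uint32_t width, uint32_t height, uint32_t bpp,
                       size_t *out_bytes)
{
    uint64_t total;
    if (width == 0 || height == 0 || bpp == 0 || bpp > 4)
        return -1;
    total = (uint64_t)width * height;         /* cannot wrap in 64 bits */
    if (total > UINT64_MAX / bpp)
        return -1;
    total *= bpp;
    if (total > MAX_IMAGE_BYTES)
        return -1;
    *out_bytes = (size_t)total;
    return 0;
}

int main(void)
{
    char color[COLOR_MAX];
    char longtok[200];
    size_t bytes;

    /* constructed inputs: one well-formed token, one over-long token */
    printf("token: %d (%s)\n", extract_color_checked("  #FF00FF c", color), color);
    memset(longtok, 'A', sizeof longtok - 1);
    longtok[sizeof longtok - 1] = '\0';
    printf("over-long token rejected: %d\n", extract_color_checked(longtok, color));

    /* 0x10000 x 0x10000 x 1 wraps to 0 in 32 bits but is caught in 64 */
    printf("wrapping: %u  checked: %d\n",
           image_size_wrapping(0x10000, 0x10000, 1),
           image_size_checked(0x10000, 0x10000, 1, &bytes));
    return 0;
}
```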
  • I did a yum update the other day for my Fedora Core 1 laptop - and it downloaded a new gdk_pixbuf package that broke VMWare so that I couldn't get it to run.

    I'd guess this pixbuf is used to draw the widgets in XWindows. Here's a thread on this. [vmware.com]

    I had to go through some contortions to get yum to retrograde my FC laptop and get VMWare (a show-stopper if not working) going.

    Since now there's a *new* vulnerability, I'm waiting until the dust settles and this is reasonably resolved before I try this again.

    Fi
  • Very similar (Score:4, Interesting)

    by FullCircle (643323) on Friday September 17, 2004 @01:52AM (#10274457)
    Isn't it a bit odd that these libraries are failing on both Windows and Linux?

I wonder if someone has been stealing source code?

    • Not at all similar (Score:3, Insightful)

      by FreeUser (11483)
      Isn't it a bit odd that these libraries are failing on both Windows and Linux?

I wonder if someone has been stealing source code?


While it is possible Microsoft may have violated the licenses of open source and free software projects, it is doubtful. It is virtually certain that the opposite is not the case, unless Microsoft lackeys are deliberately trying to poison the well, in which case a court would find that Microsoft willfully released the code into the wild, effectively licensing it. That isn't ve
