GdkPixbuf Suffers Image Decoding Vulnerabilities
DNAspark99 writes "It seems multiple vulnerabilities have been reported in GdkPixbuf, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. Personally, I wasn't concerned about this until I ran 'ldd firefox-bin | grep libgdk_pixbuf'." There's no official patch yet, but the article notes several Linux vendors have issued updates. Worth keeping an eye on for those who use libgdk_pixbuf under other Unix-style operating systems as well.
Re:Nothing to see here... (Score:1, Informative)
Who says the parent poster is complaining?
The parent poster was just making an observation... he/she was not passing judgement.
Re:Somebody is busy ... (Score:5, Informative)
as the vsftpd author (http://vsftpd.beasts.org/), and
here (http://scary.beasts.org/security/) are other bugs he found.
Not exploitable in Firefox (Score:5, Informative)
Re:What are you going to do? Mod me -1, flamebait? (Score:3, Informative)
...patch it before the vulnerability is even announced... not six months later.
To head it off at the pass... (Score:5, Informative)
The reason we bash Microsoft for its bugs and security holes is not because they have bugs and holes; the reason is that Microsoft paints itself as the savior of computing, as software that will make your life infallibly better and easier, and along the way has made quite a lot of unethical business decisions. They basically brag about how uber they are, and then they release crappy software and frequently take forever to fix certain bugs (or simply never fix them -- e.g. PNG transparency in IE. What's it at, 3 years and counting? 4?).
The guys who write open source stuff like GdkPixBuf, on the other hand, have not (to my knowledge) done these things. They are thus not deserving of scorn; they write software, release it, and say, "I wrote this because I needed it. If you want to try it out, here you go. Have fun; I don't promise anything."
That's why we mock Microsoft for its bugs and not the GDK team.
(To be fair, I'm certain that there are some OS projects whose developers are as arrogant as Microsoft, but they at least do not have the unethical business history Microsoft does, nor do they (still!) have a monopoly on desktop OSes that they continue to abuse to the detriment of everyone except themselves. It's one thing to be an asshole when you're nobody important; it's quite another when you have a great deal of power.)
Re:Not exploitable in Firefox (Score:5, Informative)
Re:Yeah, I was worried too... (Score:2, Informative)
Re:Not exploitable in Firefox (Score:5, Informative)
Re:Not exploitable in Firefox (Score:5, Informative)
Mike
Not Remotely Exploitable in Firefox (Score:5, Informative)
--Asa
Re:Yeah, I was worried too... (Score:5, Informative)
Re:Not exploitable in Firefox (Score:5, Informative)
It uses libpr0n, Gecko's cross-platform image rendering engine, to load those images from disk. gdkpixbuf is not used for displaying remote content, even cached remote content.
--Asa
Re:Yeah, I was worried too... (Score:3, Informative)
Son of a BITCH, I was just about to post that! GAH!
(Dear Slashdotters: The command shown above will not harm your computer, but will probably require a reboot to recover from it)
Re:To head it off at the pass... (Score:2, Informative)
Re:Overflow testing (Score:1, Informative)
Re:Somebody is busy ... (Score:4, Informative)
It is often the case that support for some functionality which is buggy in one implementation will be buggy in other implementations as well, so it is pretty common in general for a lot of similar bugs to turn up at the same time.
Re:Not exploitable in Firefox (Score:4, Informative)
Re:FC2 fixed already? (Score:3, Informative)
Re:Yeah, I was worried too... (Score:1, Informative)
SuSE (Score:2, Informative)
Thanks YaST!
Re:Yeah, I was worried too... (Score:4, Informative)
:()
{
:|:&
}
:
Basically, it defines a function called ":" which, when executed, calls itself recursively twice and puts itself into the background. The last ":" actually executes the function. Thus, one shell forks into two shells, those two shells fork into four shells, those four into eight, etc etc etc.
Re:Overflow testing (Score:5, Informative)
You could run something like lint to catch common C errors.
Better than that though is to profile your code actually running, to see buffer overflows and leaks that actually occur (google for valgrind).
But most of these exploits are specially crafted input that produce buffer overflows. Typical input won't. So it is very hard to test for buffer overflows.
The only 100% way to work these kinds of problems out is to write code in higher level languages, so at least you'll get an exception and fail closed in the case of a buffer overflow.
But in C, the only way to resolve these problems is
1) Don't write code with buffer overflows (hard)
2) Find and fix buffer overflows in code review (harder)
3) Write good enough negative test cases that you find the buffer overflows (really hard for even a good tester).
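Added example, not from this thread or from gdk-pixbuf itself: a toy palette-image decoder over a constructed format, paired with the kind of negative test cases the comment calls for (crafted headers that over-declare palette size, dimensions or pixel count, plus an index that points past the palette). The format, MAX_DIM and MAX_COLORS are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed toy format (not gdk-pixbuf's real loaders): uint16 LE width, height,
 * ncolors; then ncolors*3 palette bytes; then width*height one-byte palette indices. */
#define MAX_DIM    4096
#define MAX_COLORS 256
typedef struct {
    uint16_t width, height, ncolors;
    uint8_t  palette[MAX_COLORS * 3]; /* fixed buffer: ncolors must be bounded */
    uint8_t *pixels;                  /* heap buffer sized from the header */
} image_t;
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
/* Returns 0 on success, -1 on any malformed input: every header-supplied size is
 * checked before it is used, so the decoder fails closed on crafted input. */
int decode_toy(const uint8_t *buf, size_t len, image_t *img) {
    if (len < 6) return -1;                                        /* truncated header */
    uint16_t w = rd16(buf), h = rd16(buf + 2), nc = rd16(buf + 4);
    if (w == 0 || h == 0 || w > MAX_DIM || h > MAX_DIM) return -1; /* absurd dimensions */
    if (nc == 0 || nc > MAX_COLORS) return -1;                     /* would overrun palette[] */
    size_t pal = (size_t)nc * 3, pix = (size_t)w * h;              /* bounded, so no overflow */
    if (len - 6 < pal || len - 6 - pal < pix) return -1;           /* header promises more than buf holds */
    img->width = w; img->height = h; img->ncolors = nc;
    memcpy(img->palette, buf + 6, pal);
    if (!(img->pixels = malloc(pix))) return -1;
    memcpy(img->pixels, buf + 6 + pal, pix);
    for (size_t i = 0; i < pix; i++)                               /* index past palette = OOB read */
        if (img->pixels[i] >= nc) { free(img->pixels); img->pixels = NULL; return -1; }
    return 0;
}
/* Negative test cases: the kind of crafted headers a tester would feed a loader.
 * Returns how many the decoder rejected (all five should be). */
int count_rejected_crafted(void) {
    static const uint8_t huge_palette[] = {1,0, 1,0, 0xff,0xff, 0,0,0, 0};      /* ncolors = 65535 */
    static const uint8_t huge_dims[]    = {0xff,0xff, 0xff,0xff, 1,0, 0,0,0, 0}; /* 65535 x 65535 */
    static const uint8_t truncated[]    = {4,0, 4,0, 1,0, 0,0,0, 0,0};         /* promises 16 px, has 2 */
    static const uint8_t bad_index[]    = {1,0, 1,0, 1,0, 0,0,0, 7};           /* index 7 with 1 colour */
    static const uint8_t short_hdr[]    = {1,0, 1,0, 1};                       /* 5 of 6 header bytes */
    const uint8_t *cases[] = {huge_palette, huge_dims, truncated, bad_index, short_hdr};
    const size_t sizes[] = {sizeof huge_palette, sizeof huge_dims, sizeof truncated, sizeof bad_index, sizeof short_hdr};
    int rejected = 0; image_t img;
    for (int i = 0; i < 5; i++) if (decode_toy(cases[i], sizes[i], &img) != 0) rejected++;
    return rejected;
}
/* Positive case: valid 2x1 image, 2-colour palette. Returns pixel 0's green byte (0xBB). */
int decode_valid_sample(void) {
    static const uint8_t ok[] = {2,0, 1,0, 2,0, 0xAA,0,0, 0,0xBB,0, 1,0};
    image_t img; if (decode_toy(ok, sizeof ok, &img) != 0) return -1;
    int green = img.palette[img.pixels[0] * 3 + 1]; free(img.pixels); return green;
}
```

Run under valgrind, as the comment suggests, the crafted cases exercise every rejection path without a single out-of-bounds access.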
Re:gnome uses this (Score:4, Informative)
bonobo
galeon
gdm
gnome-control-center
gnome-help
gnome-panel
gnome-session
gnome-utils
libgnomeprint-bin
nautilus
rep-gtk-gnome
sawfish-gnome
xchat-gnome
It's a biggie, all right.
Re:What the hell (Score:1, Informative)
Wtf, what does that mean? It's in the Mac world too. Have you seen all the Mac vulns that have come out? Just last week they had a few moderately bad ones. And yes, they have had remote exploits etc. in the past. There is no OS distribution in existence today that's over five years old that has not had remote exploits in the default install.
Re:What the hell (Score:3, Informative)
Re:gnome uses this (Score:1, Informative)
Well yeah, the library is part of Gtk+ - anything using Gtk+ 2.x uses it. Nothing to do with Gnome specifically.
Re:Not exploitable in Firefox (Score:3, Informative)
Re:To head it off at the pass... (Score:2, Informative)
That is to say, I don't scorn all developers that produce software that has bugs. I scorn those who write software with bugs that gloat about how they write great, easy-to-use, etc software. Clearly, if their software didn't have bugs, there'd be nothing to scorn except their arrogance. If their software didn't actually have all the problems it does, they'd have a well-founded arrogance, and any scorn I'd feel would be jealousy. That's not the case.
Such apps exist... (Score:4, Informative)
A more general prevention method is to use an environment that doesn't allow buffer overflows; as Java proponents never tire of pointing out, Java guards against this type of attack. There are C libraries which do similar things, IIRC; StackGuard was one such method, though it seems to have faded into obscurity.
As to your suggestion of a static source code check for unsafe programming practices, there are programs that do that too. GCC itself includes a number of warnings that pop up if you use inherently unsafe C library functions, like gets() (which is buffer overflow in a can...).
I love my distro ;) (Score:1, Informative)
And guess what, the patch was already there.
Gotta love the OSS usually-same-day-patch-cycle.
Thumbs up, SuSE!