Slashdot is powered by your submissions, so send in your scoop

 


Forgot your password?
Close
typodupeerror
×
Security Software Linux

GdkPixbuf Suffers Image Decoding Vulnerabilities 291

Posted by CowboyNeal from the heads-up dept.
DNAspark99 writes "It seems Multiple vulnerabilities have been reported in GdkPixbuf, which can be exploited by malicious people to DoS (Denial of Service), and potentially compromise a vulnerable system. Personally, I wasn't concerned about this until I ran 'ldd firefox-bin | grep libgdk_pixbuf'" There's no official patch yet, but the article notes several Linux vendors have issued updates. Worth keeping an eye for those who use libgdk_pixbuf under other Unix-style operating systems as well.
This discussion has been archived. No new comments can be posted.

GdkPixbuf Suffers Image Decoding Vulnerabilities More

GdkPixbuf Suffers Image Decoding Vulnerabilities

Comments Filter:

  • Re:Nothing to see here... (Score:1, Informative)

    by Anonymous Coward on Thursday September 16, 2004 @06:55PM (#10272214)


    Who says the parent poster is complaining?

    The parent poster was just making an observation... he/she was not passing judgement.

  • Re:Somebody is busy ... (Score:5, Informative)

    by Anonymous Coward on Thursday September 16, 2004 @06:56PM (#10272218)
    The one who found this vuln is Chris Evans, as known
    as the vsftpd author (http://vsftpd.beasts.org/), and
    here (http://scary.beasts.org/security/) are other bugs he found.

  • Not exploitable in Firefox (Score:5, Informative)

    by sppavlov ( 809156 ) on Thursday September 16, 2004 @06:58PM (#10272247)
    The only places using gdk-pixbuf in Firefox for loading images are all for loading images from your local machine. No from-the-network code paths use gdk-pixbuf.

  • Re:What are you going to do? Mod me -1, flamebait? (Score:3, Informative)

    by ScArE2100 ( 663201 ) on Thursday September 16, 2004 @07:03PM (#10272281) Journal
    Now your GNU/Hippie software is vulnverable what are you going to do about it?!

    ...patch it before the vulnerability is even announced... not six months later.

  • To head it off at the pass... (Score:5, Informative)

    by Dirtside ( 91468 ) on Thursday September 16, 2004 @07:05PM (#10272303) Journal
    There's a particular comment which we'll see about a thousand times on this thread alone, the gist of which will be, "See? Even open source has bugs/security holes! It's no better than Microsoft!"

    The reason we bash Microsoft for its bugs and security holes is not because they have bugs and holes; the reason is that Microsoft paints itself as the savior of computing, as software that will make your life infallibly better and easier, and along the way has made quite a lot of unethical business decisions. They basically brag about how uber they are, and then they release crappy software and frequently take forever to fix certain bugs (or simply never fix them -- e.g. PNG transparency in IE. What's it at, 3 years and counting? 4?).

    The guys who write open source stuff like GdkPixBuf, on the other hand, have not (to my knowledge) done these things. They are thus not deserving of scorn; they write software, release it, and say, "I wrote this because I needed it. If you want to try it out, here you go. Have fun; I don't promise anything."

    That's why we mock Microsoft for its bugs and not the GDK team.

    (To be fair, I'm certain that there are some OS projects whose developers are as arrogant as Microsoft, but they at least do not have the unethical business history Microsoft does, nor do they (still!) have a monopoly on desktop OSes that they continue to abuse to the detriment of everyone except themselves. It's one thing to be an asshole when you're nobody important; it's quite another when you have a great deal of power.)

  • Re:Not exploitable in Firefox (Score:5, Informative)

    by sppavlov ( 809156 ) on Thursday September 16, 2004 @07:06PM (#10272314)
    Mozilla does not use gdk-pixbuf for drawing images -- stuart "pavlov" parmenter (mozilla image library owner)

  • Re:Yeah, I was worried too... (Score:2, Informative)

    by nbert ( 785663 ) on Thursday September 16, 2004 @07:08PM (#10272347) Homepage Journal
    Last time I ran "ldd firefox-bin | grep libgdk_pixbuf". I was pretty worried that I had no frigging idea what the hell I was typing.
    That pretty much sums up my feelings when I read it. But the first line of the man page says it all:
    ldd - print shared library dependencies

  • Re:Not exploitable in Firefox (Score:5, Informative)

    by sppavlov ( 809156 ) on Thursday September 16, 2004 @07:08PM (#10272349)
    We only use a single code path for rendering images. We only use gdk-pixbuf to decode GNOME images to find icons for mimetypes.

  • Re:Not exploitable in Firefox (Score:5, Informative)

    by Mike Shaver ( 7985 ) on Thursday September 16, 2004 @07:09PM (#10272367) Homepage
    Firefox uses gdkpixbuf for system MIME-type icons and window icons, which are loaded from the local system (GNOME icons or the firefox distribution). It does not use gdkpixbuf for decoding or displaying web-fetched images; it uses the Mozilla cross-platform image library (libpr0n), calling out to libpng, libjpeg and libgif as required underneath.

    Mike

  • Not Remotely Exploitable in Firefox (Score:5, Informative)

    by asa ( 33102 ) <asa@mozilla.com> on Thursday September 16, 2004 @07:11PM (#10272387) Homepage
    Firefox doesn't use gdk-pixbuf for drawing it's images. The only places using gdk-pixbuf in Firefox are loading a couple of images from your hard drive into the browser UI -- like the little Windows desktop icon that shows up in the download manager UI. This isn't remotely exploitable in Firefox.

    --Asa

  • Re:Yeah, I was worried too... (Score:5, Informative)

    by cyb97 ( 520582 ) <cyb97@noxtension.com> on Thursday September 16, 2004 @07:23PM (#10272520) Homepage Journal
    it's always uncool to run unknown commands that you've seen on slashdot ;-)

  • Re:Not exploitable in Firefox (Score:5, Informative)

    by asa ( 33102 ) <asa@mozilla.com> on Thursday September 16, 2004 @07:36PM (#10272608) Homepage
    "So Firefox doesn't ever save an image file that was HTTP'd off the network to a cache directory and load it from disk as needed?"

    It uses libpr0n, Gecko's cross-platform rendering engine to load those images from disk. gdkpixbuf is not used for displaying remote content, even cached remote content.

    --Asa

  • Re:Yeah, I was worried too... (Score:3, Informative)

    by pclminion ( 145572 ) on Thursday September 16, 2004 @07:37PM (#10272622)
    :(){ :|:& };:

    Son of a BITCH, I was just about to post that! GAH!

    (Dear Slashdotters: The command shown above will not harm your computer, but will probably require a reboot to recover from it)

  • Re:To head it off at the pass... (Score:2, Informative)

    by LordP ( 96602 ) on Thursday September 16, 2004 @07:44PM (#10272680) Homepage
    I just wanted to point out that the lack of support for PNG Transparency in Internet Explorer is NOT a bug - according to the spec [libpng.org], it's optional...
    Viewers can support transparency control partially, or not at all.
    (Note: I'm not pro-Windows, I use Slackware [slackware.com] on a daily basis, but I'm just tired of people claiming the above as a bug)

  • Re:Overflow testing (Score:1, Informative)

    by Anonymous Coward on Thursday September 16, 2004 @08:07PM (#10272828)
    Actually, such programs already exist. For example, valgrind [kde.org] does that and more:
    * Use of uninitialised memory

    * Reading/writing memory after it has been free'd
    * Reading/writing off the end of malloc'd blocks
    * Reading/writing inappropriate areas on the stack
    * Memory leaks -- where pointers to malloc'd blocks are lost forever
    * Passing of uninitialised and/or unaddressible memory to system calls
    * Mismatched use of malloc/new/new [] vs free/delete/delete []
    * Overlapping src and dst pointers in memcpy() and related functions
    * Some misuses of the POSIX pthreads API

  • Re:Somebody is busy ... (Score:4, Informative)

    by iabervon ( 1971 ) on Thursday September 16, 2004 @08:08PM (#10272835) Homepage Journal
    You need to write exploits in order to test whether you've actually fixed the bugs, and in order to determine whether the code is actually correct for some reason you're not seeing.

    It is often the case that support for some functionality which is buggy in one implementation will be buggy in other implementations as well, so it is pretty common in general for a lot of similar bugs to turn up at the same time.

  • Re:Not exploitable in Firefox (Score:4, Informative)

    by Compenguin ( 175952 ) on Thursday September 16, 2004 @08:12PM (#10272855)
    Mozilla uses gdk-pixbuf via gtk to draw ui widgets, it uses libpr0n to render graphics in web pages. libpr0n runs on all platfors mozilla targets, gdk-pixbuf is a solution for gtk+ widget integration on X11.

  • Re:FC2 fixed already? (Score:3, Informative)

    by Compenguin ( 175952 ) on Thursday September 16, 2004 @08:28PM (#10272955)
    ldd searches for dynamic dependancies, hence no need for a new packages. Mozilla's gdk_pixbuf will be updated by the updated gdk_pixbuf containg package.

  • Re:Yeah, I was worried too... (Score:1, Informative)

    by Anonymous Coward on Thursday September 16, 2004 @08:39PM (#10273015)
    It's called a "fork bomb." Search for that term on Google, and you should get a better idea of what you shouldn't be pasting into your terminal. :>

  • SuSE (Score:2, Informative)

    by karniv0re ( 746499 ) on Thursday September 16, 2004 @08:49PM (#10273072) Journal
    gdk-pixbuf - Fixes for security problems in gdk-pixbuf

    This update fixes three vulnerabilites found in the XPM loader code of the GDK Pixbuf Library. They are registered as: CAN-2004-0782 Heap-based overflow in pixbuf_create_from_xpm CAN-2004-0783 Stack-based overflow in xpm_extract_color CAN-2004-0788 ico loader integer overflow.


    Thanks YaST!

  • Re:Yeah, I was worried too... (Score:4, Informative)

    by pclminion ( 145572 ) on Thursday September 16, 2004 @08:58PM (#10273127)
    It makes more sense when you format it differently. It's a shell script (sorry to post as text, can't get the indentation to work otherwise):

    :()
    {
    :|: &
    }
    :

    Basically, it defines a function called ":" which, when executed, calls itself recursively twice and puts itself into the background. The last ":" actually executes the function. Thus, one shell forks into two shells, those two shells fork into four shells, those four into eight, etc etc etc.

  • Re:Overflow testing (Score:5, Informative)

    by jhoger ( 519683 ) on Thursday September 16, 2004 @09:00PM (#10273140) Homepage
    There is no algorithm to do what you are describing (google for "halting problem")

    You could run something like lint to catch common C errors.

    Better than that though is to profile your code actually running, to see buffer overflows and leaks that actually occur (google for valgrind).

    But most of these exploits are specially crafted input that produce buffer overflows. Typical input won't. So it is very hard to test for buffer overflows.

    The only 100% way to work these kinds of problems out is to write code in higher level languages, so at least you'll get an exception and fail closed in the case of a buffer overflow.

    But in C, the only way to resolve these problems is

    1) Don't write code with buffer overflows (hard)
    2) Find and fix buffer overflows in code review (harder)
    3) Write good enough negative test cases that you find the buffer overflows (really hard for even a good tester).

  • Re:gnome uses this (Score:4, Informative)

    by http ( 589131 ) on Thursday September 16, 2004 @09:01PM (#10273143) Homepage Journal
    I tried "apt-get --dry-run --purge remove libgdk-pixbuf2 libgdk-pixbuf-gnome2" and the list of packages was _long_. I do not have a gnome-heavy system, either. Some choice selections:
    bonobo
    galeon
    gdm
    gnome-control-center
    gnome-help
    gnome-panel
    gnome-session
    gnome-utils
    libgnomeprint-bin
    nautilus
    rep-gtk-gnome
    sawfish-gnome
    xchat-gnome

    It's a biggie, all right.

  • Re:What the hell (Score:1, Informative)

    by Anonymous Coward on Thursday September 16, 2004 @09:33PM (#10273315)
    Now it seems this is universal, or at the very least universal outside the macintosh world.

    Wtf, what does that mean? It's in the mac world too. Have you seen all the mac vulns that have come out? Just last week they had a few moderately bad ones. And yes they had had remote exploits etc. in the past. There is no OS distribution in existence today that's over five years old that has not had remote exploits in the default install.

  • Re:What the hell (Score:3, Informative)

    by be-fan ( 61476 ) on Thursday September 16, 2004 @09:34PM (#10273319)
    In a language without pointers, array-bounds checks impose a 1-3% performance hit. This is because advanced optimizers can usually remove most of the array-bounds checks. In practice, safe natively compiled languages (Ocaml, Lisp) can get within 10% - 20% the performance of C. 10% - 20% for the sake of security is a trade-off I'm willing to make. Obviously, the current C recommendation of "learn to write secure code in a language that encourages you not to" isn't working, because buffer-overflow vulnerabilities are rampant. It's time to throw that idea out the window.

  • Re:gnome uses this (Score:1, Informative)

    by Anonymous Coward on Thursday September 16, 2004 @10:28PM (#10273554)
    I tried "apt-get --dry-run --purge remove libgdk-pixbuf2 libgdk-pixbuf-gnome2" and the list of packages was _long_. I do not have a gnome-heavy system, either.

    Well yeah, the library is part of Gtk+ - anything using Gtk+ 2.x uses it. Nothing to do with Gnome specifically.

  • Re:Not exploitable in Firefox (Score:3, Informative)

    by TelJanin ( 784836 ) on Friday September 17, 2004 @12:03AM (#10274095)
    Wow, libpr0n does exist [libpr0n.com]. I thought it was just a joke.

  • Re:To head it off at the pass... (Score:2, Informative)

    by 10101001 10101001 ( 732688 ) on Friday September 17, 2004 @12:17AM (#10274156) Journal
    Maybe an analogy would make it more clear? I don't scorn drug users. I scorn drug users who go around running over people because they're stoned while claiming they're perfectly okay to be doing drug.

    That is to say, I don't scorn all developers that produce software that has bugs. I scorn those who write software with bugs that gloat about how they write great, easy-to-use, etc software. Clearly, if their software didn't have bugs, there'd be nothing to scorn except their arrogance. If their software didn't actually have all the problems it does, they'd have a well-founded arrogance, and any scorn I'd feel would be jealousy. That's not the case.

  • Such apps exist... (Score:4, Informative)

    by Goonie ( 8651 ) * <robert.merkel@be ... g ['ra.' in gap]> on Friday September 17, 2004 @12:40AM (#10274250) Homepage
    I've seen applications that test command-line apps for buffer overflows. They work, and have been used to detect potentially exploitable bugs. The general principle can be used to test other types of apps, though obviously you have to adapt the program for each type of program input.

    A more general prevention method is to use an environment that doesn't allow buffer overflows; as Java proponents never tire of pointing out, Java guards against this type of attack. There are C libraries which do similar things, IIRC; StackGuard was one such method, though it seems to haved faded into obscurity.

    As to your suggestion of a static source code check for unsafe programming practices, there are programs that do that too. GCC itself includes a number of warnings that pop up if you use inherently unsafe C library functions, like gets() (which is buffer overflow in a can...).

  • I love my disro ;) (Score:1, Informative)

    by Anonymous Coward on Friday September 17, 2004 @01:44AM (#10274427)
    I just woke up, red this, and checked the SuSe update.
    And guess what, the patch was allready there.

    Gotta love the OSS usually-same-day-patch-cycle.

    Thumbs up, SuSe!

Slashdot Top Deals

Work without a vision is slavery, Vision without work is a pipe dream, But vision with work is the hope of the world.

Close