GdkPixbuf Suffers Image Decoding Vulnerabilities
DNAspark99 writes "It seems multiple vulnerabilities have been reported in GdkPixbuf, which can be exploited by malicious people to DoS (Denial of Service), and potentially compromise a vulnerable system. Personally, I wasn't concerned about this until I ran 'ldd firefox-bin | grep libgdk_pixbuf'." There's no official patch yet, but the article notes several Linux vendors have issued updates. Worth keeping an eye out for those who use libgdk_pixbuf under other Unix-style operating systems as well.
If you're not aware, gnome2 uses this library, so any gtk2/gnome2 applications you use are probably linked against libgdk_pixbuf.
update your systems...
sigh Time to tell the idealist in me to STFU.
-paul
Pistol caliber is like religion: everyone has their favourite, and theirs is the only right choice.
Well, they tend to be writing in C, and concerned about "performance". They thus leave out vital buffer checks. Given that computers are now 3000 times faster than when I was a lad, there's no excuse; any inefficiency is easily compensated for by the "ridiculous speed" of modern computers.
Either learn to write safe C or switch to a safer language.
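As an added illustration of the "vital buffer checks" that comment is talking about (this is example code, not GdkPixbuf's own decoder and not from the linked article): a minimal parser for a hypothetical raw image format whose header is assumed to be a little-endian 32-bit width, 32-bit height and one byte of bytes-per-pixel, followed by the pixel bytes. The naive size computation wraps in 32-bit arithmetic, so a file claiming 65536x65536 pixels yields a zero-byte allocation that the pixel copy would then overrun; the checked version refuses oversized dimensions, detects the overflow before allocating, and rejects a truncated payload instead of reading past the end of the buffer. The header layout, limits and sample inputs are all constructed for this example.

```c
/* Added example (not GdkPixbuf's code): buffer and overflow checks a decoder
 * needs before trusting width/height/bpp from an image header.
 * Hypothetical header layout, little-endian:
 *   u32 width, u32 height, u8 bytes_per_pixel, then width*height*bpp pixel bytes. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR_LEN 9
#define MAX_DIM 32768u                  /* hypothetical per-dimension sanity limit */
#define MAX_PIXEL_BYTES (256u * 1024u * 1024u) /* hypothetical total allocation cap */

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The pattern that leaves the check out: width*height*bpp in 32-bit arithmetic
 * silently wraps, so a huge image produces a tiny (even zero-length) buffer that
 * the pixel loop then overruns. Returned here only to show the wrapped value. */
uint32_t naive_pixel_bytes(uint32_t w, uint32_t h, uint32_t bpp) {
    return w * h * bpp;
}

/* Hardened: reject absurd dimensions, compute in 64 bits so the product cannot
 * wrap, and cap the total. Returns false instead of ever yielding a wrong size. */
bool checked_pixel_bytes(uint32_t w, uint32_t h, uint32_t bpp, size_t *out) {
    if (w == 0 || h == 0 || w > MAX_DIM || h > MAX_DIM) return false;
    if (bpp < 1 || bpp > 4) return false;
    uint64_t n = (uint64_t)w * h * bpp;   /* at most 2^32 with the limits above */
    if (n > MAX_PIXEL_BYTES) return false;
    *out = (size_t)n;
    return true;
}

bool size_ok(uint32_t w, uint32_t h, uint32_t bpp) {
    size_t n;
    return checked_pixel_bytes(w, h, bpp, &n);
}

/* Parse the header and, if every check passes, copy the pixel payload into a
 * freshly allocated buffer. Returns NULL on any inconsistency, including a
 * payload shorter than the header claims (the truncated-file/over-read case). */
uint8_t *decode_image(const uint8_t *buf, size_t len, size_t *out_len) {
    if (len < HDR_LEN) return NULL;
    uint32_t w = rd_le32(buf), h = rd_le32(buf + 4);
    uint8_t bpp = buf[8];
    size_t need;
    if (!checked_pixel_bytes(w, h, bpp, &need)) return NULL;
    if (len - HDR_LEN < need) return NULL;   /* header promises more than the file holds */
    uint8_t *px = malloc(need);
    if (!px) return NULL;
    memcpy(px, buf + HDR_LEN, need);
    *out_len = need;
    return px;
}

/* Convenience wrapper: pixel byte count on success, 0 on rejection. */
size_t try_decode(const uint8_t *buf, size_t len) {
    size_t n = 0;
    uint8_t *px = decode_image(buf, len, &n);
    if (!px) return 0;
    free(px);
    return n;
}

/* Constructed inputs: a 2x2 RGB image, the same header with the pixels cut off,
 * and a header claiming 65536x65536x1 (whose 32-bit product wraps to zero). */
const uint8_t GOOD_IMG[]  = { 2,0,0,0, 2,0,0,0, 3, 1,2,3, 4,5,6, 7,8,9, 10,11,12 };
const uint8_t TRUNC_IMG[] = { 2,0,0,0, 2,0,0,0, 3, 1,2,3 };
const uint8_t HUGE_HDR[]  = { 0,0,1,0, 0,0,1,0, 1 };

int main(void) {
    printf("naive size for 65536x65536x1: %u bytes (wrapped)\n",
           naive_pixel_bytes(65536u, 65536u, 1u));
    printf("checked accepts it: %s\n", size_ok(65536u, 65536u, 1u) ? "yes" : "no");
    printf("good image: %zu pixel bytes\n", try_decode(GOOD_IMG, sizeof GOOD_IMG));
    printf("truncated image: %zu (0 = rejected)\n", try_decode(TRUNC_IMG, sizeof TRUNC_IMG));
    printf("huge header: %zu (0 = rejected)\n", try_decode(HUGE_HDR, sizeof HUGE_HDR));
    return 0;
}
```

The two extra checks beyond the multiplication (a hard cap on dimensions and a comparison of the promised payload against what the file actually contains) are what turn a crash on a malformed file into a clean rejection; the overflow check alone still lets a tiny file with an honest-looking header drive the decoder off the end of its input.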
Uhhh, no. It is simply "in vogue" to look for vulnerabilities in image format parsers at the moment. Is the trend not obvious?
Soon all the major image libraries will have been examined, all the bugs fixed, and the security gurus will move on to other things. And we'll all benefit from that, because the code will be fixed.
Bitching is counterproductive, don't you think?
I find that a lot of people I've worked with in software development have a "get it working, clean it up later" attitude. Usually basic error checking gets thrown in, but "hardcore" security often gets put aside in favour of other projects that need to be done. Thus, I think we end up with a fair amount of possibly shoddy code.
I've never done an audit, because I'm trying to write good code, and it's all I can do to be as "productive" as the others.
I don't think anybody seriously thinks "man, that could be a huge problem! well, nobody will notice".
-- Seq
Well, even though the computers are a zillion times faster, the data structures they have to deal with have gotten a zillion times bigger and/or more complex.
Solving algorithm-deficiencies by throwing more iron at it is a short-term solution that is bound to come back and bite you in the tail sooner or later.
Learn to write safe C and make sure your algorithms are sound and healthy.