Slashdot Mirror


GdkPixbuf Suffers Image Decoding Vulnerabilities

DNAspark99 writes "It seems Multiple vulnerabilities have been reported in GdkPixbuf, which can be exploited by malicious people to DoS (Denial of Service), and potentially compromise a vulnerable system. Personally, I wasn't concerned about this until I ran 'ldd firefox-bin | grep libgdk_pixbuf'" There's no official patch yet, but the article notes several Linux vendors have issued updates. Worth keeping an eye for those who use libgdk_pixbuf under other Unix-style operating systems as well.

7 of 291 comments (clear)

  1. gnome uses this by kinko · · Score: 4, Insightful

    If you're not aware, gnome2 uses this library, so any gtk2/gnome2 applications you use are probably linked against libgdk_pixbuf.

    update your systems...

  2. Somebody is busy ... by crimethinker · · Score: 5, Insightful
    I think this is the fourth vulnerability related to image decoding I've seen in the past month or so. Methinks somebody is doing a thorough code review of open source image libraries, the stolen NT code (remember the Windows BMP vuln?), and, where source can't be obtained, thinking about where it might be vulnerable. I just wish people with that much determination would concentrate on fixing the bugs, instead of exploiting them ... so much wasted talent.

    sigh Time to tell the idealist in me to STFU.

    -paul

    --
    Pistol caliber is like religion: everyone has their favourite, and theirs is the only right choice.
    1. Re:Somebody is busy ... by BeBoxer · · Score: 4, Insightful

      I just wish people with that much determination would concentrate on fixing the bugs, instead of exploiting them ... so much wasted talent.

      What we really need is a web page summarizing all the recent bugs in media decoding (mpg123 I think just had one) as a "how not to program" guide and then make it mandatory reading to get a sourceforge account. I think it's great folks are out looking for these bugs, but it's an embarrasement that there are this many being found so quickly. To me that indicates that there are a crapload of them out there.

      It makes me want to go on vacation for six months and do one upgrade when I get back. Instead of doing one a day for the next six months.

  3. Re:What the hell by Anonymous Coward · · Score: 4, Insightful

    Well, they tend to be writing in C, and concerned about "performance". They thus leave out vital buffer checks. Given that computers are now 3000 times faster than when I was a lad, there's no excuse, any inefficiency is easily compensated for by the "ridiculous speed" of modern computers.

    Either learn to write safe C or switch to a safer language.

  4. Re:What the hell by pclminion · · Score: 4, Insightful
    Are the people who write graphics libraries just not trying very hard or something?

    Uhhh, no. It is simply "in vogue" to look for vulnerabilities in image format parsers at the moment. Is the trend not obvious?

    Soon all the major image libraries will have been examined, all the bugs fixed, and the security gurus will move on to other things. And we'll all benefit from that, because the code will be fixed.

    Bitching is counterproductive, don't you think?

  5. Re:What the hell by Seq · · Score: 5, Insightful

    I find that alot of people I've worked with in software development have a "get it working, clean it up later" attitude. Usually basic error checking gets thrown in, but "hardcore" security often gets put aside in favour of other projects that need to be done. Thus, I think we end up with a fair amount of possibly shoddy code.

    I've never done an audit, because I'm trying to write good code, and it's all I can do to be as "productive" as the others.

    I don't think anybody seriously thinks "man, that could be a huge problem! well, nobody will notice".

    --
    -- Seq
  6. Re:What the hell by cyb97 · · Score: 4, Insightful

    well eventhough the computers are zillion times faster, the datastructures they have to deal with have gotten zillion times bigger and/or more complex.
    Solving algorithm-deficiencies by throwing more iron at it is a short-term solution that is bound to come back and bite you in the tail sooner or later.

    Learn to write safe C and make sure your algorithms are sound and healthy.