Slashdot Mirror
GdkPixbuf Suffers Image Decoding Vulnerabilities
DNAspark99 writes "It seems Multiple vulnerabilities have been reported in GdkPixbuf, which can be exploited by malicious people to DoS (Denial of Service), and potentially compromise a vulnerable system. Personally, I wasn't concerned about this until I ran 'ldd firefox-bin | grep libgdk_pixbuf'" There's no official patch yet, but the article notes several Linux vendors have issued updates. Worth keeping an eye for those who use libgdk_pixbuf under other Unix-style operating systems as well.
And here I was all like "my God, that's pathetic, Microsoft can't even make a JPEG parser without buffer overflows that compromise the user".
Now it seems this is universal, or at the very least universal outside the macintosh world. Are the people who write graphics libraries just not trying very hard or something?
There will always be vulnerabilities. Since people can't produce perfect code there will always be a way for someone to make a flaw into a vulnerability. Therefore there will always be patches and updates(relating to security measures). The only way to stop these flaws from becoming an issue, like this one, is to stop crackers. And good luck with that.
Free Ipods it's for real check out Wired then go to: http://www.freeiPods.com/default.aspx?referer=8533
It strikes me that it would be a good use of any spare capacity some search engines might have to search for image headers on web sites, that are attempting to exploit these types of problems.
--
A neighborhood's tale
Isn't there also the "D" programming language, which as far as I know, has many of the advantages of Java and C# (does not use unsafe pointers by default for instance) but has the advantage of producing proper compiled code.
.NET one) has so far been very painful. They keep telling me how it is so much faster now, and how computers being so much faster using an interpreted language is not that bad, but that's just NOT how it is. I keep trying to run those programs, with the lates JVM and I keep feeling the agony of it all.
The experience I have of "trying" to use Java programs of any size (I don't think I've come on a
"D" on the other hand seems to be the natural evolution C/C++. It includes the nice features of the modern interpreted languages but compiles them into proper executables. It should definitely be considered by library writers (at least when it comes standard with gcc) as it would avoid a lot of these buffer problems.
Fix it.
Actually, we can, that's one of the main reasons for the existance of open source.
The only slow programs in java are poorly implemented and use the Swing GUI toolkit in the wrong way. I personally like using Swing, and I use it efficiently, but in many cases the SWT toolkit by Eclipse will be jsut fine as well. SWT is a lighter, faster, toolkit that uses the native toolkit of the system. Java is extrememly fast, easily as fast as C++, if you need something faster then Java you should be using assembly. Read this. Also, the new JVMs by Sun have a feature called Hotspot, what this does is pretty much learn how your program works and adapts your program in real time to optimize it. What I mean is, the longer your program runs, the faster it gets because Hotspot learns what your program does more often and optimizes the bytecode in real time. You can not do this with native applications, itd be like rewriting the program on the fly without ever stopping it and having the effects take place instantly. This, along with no worries of buffer overflows, is a very good reason to use java. Java is a great language and any real coder knows that (just look at how many Apache projects are Java based), you'll only hear amateurs complain about java, just ignore them:)
Regards,
Steve
Wow. It nearly did, even running Cygwin on Windows XP. Weird stuff.
I entered it in cmd.exe (ie the MS command line interpreter) and nothing happened, it didn't complain about a wrong filename or command, either. Then I entered bash and pasted it, and not much happened either, it indicated that a new background job was started. When I closed bash, though, the computer stalled, the SysInternals task manager crashed (ouch) and mouse movement went sluggish. After a while, an error message came up remarking that Windows was out of virtual memory. I think that's what stopped the command, because at that point the system was back to normal and there was a bunch of error messages in the terminal.
Switch back to Slashdot's D1 system.
Props to the Mozilla geeks for the naming scheme (this would have been mod points if I had any).
Tony.
-- "Quis custodiet ipsos custodes?" -- Juvenal
disclaimer: my box would crash if I'd enter :(){ :|:& };:
I don't read replies by ACs.
What if somebody uploaded a browser theme that had a craftily designed texture or image?
:)
Wouldn't that fall under the banner of exploitable?
Are these theme files automatically associated for download with Firefox?
Could somebody build a webpage offering downloads of these, or even get one onto the theme manager listing?
All pretty far out, but at least possible.
This is like finding out a nasty flu is going round. There is an exploit in something I use, I do not feel comfortable using it even though normal circumstances mean I am immune.
I'll feel better once its cured
liqbase
This is why I really hate when people start wars about one platform over another over security. No one is perfect, and errors like this will happen.
It's not the errors like this that bothers me about Windows.
It's the design flaws that get exploited over and over again that are unique to Windows and they refuse to fix for political reasons. I mean, mail software that automatically executed scripts used to be a joke. We all knew that nobody would ever release a program like that, or if they did they'd remove that capability right away. The idea that someone would just keep patching specific instances of the general hole over and over again for seven years, well, if they did it on Star Trek you'd just laugh, it's like the super-intelligent AI that ran single-threaded... nobody would pull that kind of thing in real life!
if you didn't realize by reading the news in the last week, it doesn't matter how long your software is attacked, new bugs are found. Yes, guess what, even microsoft has vulnerabilities announced every month. Millions of eyes on the code can help and obviously it did. We didn't hear about the new virus out there in order to find out about this exploit, we just found out about this exploit. Millions of eyes don't prevent mistakes, they do help find them faster and patch them quicker. And of course, even this story is exactly what that is, they already have vendors with patches out for this problem.
hm..... seems Micrsoft, even with all its monkey-pounding, still doesn't have a shot in hell with fixing problems as fast as the open source community does. I'll stick with the box that doesn't stay vulnerable for as long.
As long as it's not a RAW screendump or uncompressed TIFF file or something, there's going to be some interpretation of the file's content to produce the human-consumable output. And it'll be based on a parameterized command stream. And if the interpretation of those parameters is not handled rigourously, or if the system does not account for every possible combination of commands, well then you're ripe for an exploit.
That's basically EVERY file format.
Even text can be dangerous. Ever heard of a terminal or ANSI bomb? (scroll down in link).
The only "safe" viewer is a hex editor. Or less (maybe, you get the idea).
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Isn't it a bit odd that these libraries are failing on both Windows and Linux?
I wonder of someone has been stealing source code?
If tyranny and oppression come to this land, it will be in the guise of fighting a foreign enemy. - James Madison