GdkPixbuf Suffers Image Decoding Vulnerabilities
DNAspark99 writes "It seems multiple vulnerabilities have been reported in GdkPixbuf, which can be exploited by malicious people to DoS (Denial of Service), and potentially compromise a vulnerable system. Personally, I wasn't concerned about this until I ran 'ldd firefox-bin | grep libgdk_pixbuf'." There's no official patch yet, but the article notes several Linux vendors have issued updates. Worth keeping an eye on for those who use libgdk_pixbuf under other Unix-style operating systems as well.
There will always be vulnerabilities. Since people can't produce perfect code there will always be a way for someone to make a flaw into a vulnerability. Therefore there will always be patches and updates (relating to security measures). The only way to stop these flaws from becoming an issue, like this one, is to stop crackers. And good luck with that.
It strikes me that it would be a good use of any spare capacity some search engines might have to search for image headers on web sites, that are attempting to exploit these types of problems.
Fix it.
Actually, we can, that's one of the main reasons for the existence of open source.
The only slow programs in Java are poorly implemented and use the Swing GUI toolkit in the wrong way. I personally like using Swing, and I use it efficiently, but in many cases the SWT toolkit by Eclipse will be just fine as well. SWT is a lighter, faster toolkit that uses the native toolkit of the system. Java is extremely fast, easily as fast as C++; if you need something faster than Java you should be using assembly. Read this. Also, the new JVMs by Sun have a feature called Hotspot; what this does is pretty much learn how your program works and adapt your program in real time to optimize it. What I mean is, the longer your program runs, the faster it gets, because Hotspot learns what your program does more often and optimizes the bytecode in real time. You cannot do this with native applications; it'd be like rewriting the program on the fly without ever stopping it and having the effects take place instantly. This, along with no worries of buffer overflows, is a very good reason to use Java. Java is a great language and any real coder knows that (just look at how many Apache projects are Java based); you'll only hear amateurs complain about Java, just ignore them :)
Regards,
Steve
Props to the Mozilla geeks for the naming scheme (this would have been mod points if I had any).
Tony.
-- "Quis custodiet ipsos custodes?" -- Juvenal
If you didn't realize by reading the news in the last week, it doesn't matter how long your software is attacked, new bugs are found. Yes, guess what, even Microsoft has vulnerabilities announced every month. Millions of eyes on the code can help and obviously it did. We didn't hear about the new virus out there in order to find out about this exploit, we just found out about this exploit. Millions of eyes don't prevent mistakes, they do help find them faster and patch them quicker. And of course, even this story is exactly what that is, they already have vendors with patches out for this problem.
hm..... seems Microsoft, even with all its monkey-pounding, still doesn't have a shot in hell with fixing problems as fast as the open source community does. I'll stick with the box that doesn't stay vulnerable for as long.
As long as it's not a RAW screendump or uncompressed TIFF file or something, there's going to be some interpretation of the file's content to produce the human-consumable output. And it'll be based on a parameterized command stream. And if the interpretation of those parameters is not handled rigorously, or if the system does not account for every possible combination of commands, well then you're ripe for an exploit.
That's basically EVERY file format.
Even text can be dangerous. Ever heard of a terminal or ANSI bomb? (scroll down in link).
The only "safe" viewer is a hex editor. Or less (maybe, you get the idea).
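The point made in the comment above, that an image file is a parameterized command stream and a decoder is only as safe as its handling of each parameter, is easiest to see with the unchecked and checked versions of a header parser side by side. The following is an added example written for this page, not GdkPixbuf code and not any real image format: "TIMG" is a made-up 13-byte header (magic, 32-bit width, 32-bit height, bytes per pixel), the `timg_*` names are invented, and the 16384-pixel per-dimension limit is an assumed decoder policy. The unchecked parser does the size arithmetic in 32 bits, so a header claiming 65536 x 65536 pixels wraps to a body size of zero and "validates" with no pixel data at all; the checked parser bounds each parameter, computes in 64 bits, and requires the promised body to be present.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy format "TIMG" (not a real format):
 *   bytes 0..3  magic "TIMG"      bytes 4..7  width  (uint32 LE)
 *   bytes 8..11 height (uint32 LE) byte  12   bytes per pixel
 *   bytes 13..  width * height * bpp pixel bytes                        */
#define TIMG_HDR_LEN 13u
#define TIMG_MAX_DIM 16384u   /* assumed policy limit per dimension */

struct timg {
    uint32_t width, height;
    uint8_t bpp;
    size_t pixel_len;          /* pixel bytes the body must contain */
    const uint8_t *pixels;     /* points into the caller's buffer   */
};

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Unchecked pattern: header arithmetic done in 32 bits and trusted.
 * 65536 * 65536 wraps to 0, so a header-only file is accepted as a
 * "complete" 4 GiB image. Kept only to contrast with the checked parser. */
int timg_parse_naive(const uint8_t *buf, size_t len, struct timg *out)
{
    if (len < TIMG_HDR_LEN || memcmp(buf, "TIMG", 4) != 0)
        return -1;
    out->width = rd32le(buf + 4);
    out->height = rd32le(buf + 8);
    out->bpp = buf[12];
    out->pixel_len = out->width * out->height * out->bpp;   /* uint32 wraps */
    if (len - TIMG_HDR_LEN < out->pixel_len)
        return -5;
    out->pixels = buf + TIMG_HDR_LEN;
    return 0;
}

/* Checked pattern: bound every parameter, compute in a width that cannot
 * wrap, and insist the body the header promises is really in the buffer. */
int timg_parse_checked(const uint8_t *buf, size_t len, struct timg *out)
{
    if (len < TIMG_HDR_LEN || memcmp(buf, "TIMG", 4) != 0)
        return -1;                                    /* short / bad magic */
    uint32_t w = rd32le(buf + 4), h = rd32le(buf + 8);
    uint8_t bpp = buf[12];
    if (w == 0 || h == 0 || w > TIMG_MAX_DIM || h > TIMG_MAX_DIM)
        return -2;                                    /* dimension out of policy */
    if (bpp != 1 && bpp != 3 && bpp != 4)
        return -3;                                    /* unsupported pixel layout */
    uint64_t need = (uint64_t)w * h * bpp;            /* <= 2^30, cannot wrap */
    if (need > (uint64_t)(len - TIMG_HDR_LEN))
        return -4;                                    /* body truncated */
    out->width = w; out->height = h; out->bpp = bpp;
    out->pixel_len = (size_t)need;
    out->pixels = buf + TIMG_HDR_LEN;
    return 0;
}

/* Build a constructed sample: header plus body_len filler bytes.
 * Returns total length, or 0 if cap is too small. */
size_t timg_build(uint8_t *dst, size_t cap, uint32_t w, uint32_t h, uint8_t bpp, size_t body_len)
{
    if (cap < TIMG_HDR_LEN + body_len)
        return 0;
    memcpy(dst, "TIMG", 4);
    wr32le(dst + 4, w);
    wr32le(dst + 8, h);
    dst[12] = bpp;
    memset(dst + TIMG_HDR_LEN, 0xAB, body_len);
    return TIMG_HDR_LEN + body_len;
}

/* Build a sample and run one parser over it; reports rc and parsed pixel_len. */
int timg_try(int (*parse)(const uint8_t *, size_t, struct timg *),
             uint32_t w, uint32_t h, uint8_t bpp, size_t body_len, size_t *pixel_len)
{
    uint8_t file[64];
    struct timg img = {0, 0, 0, 0, NULL};
    size_t n = timg_build(file, sizeof file, w, h, bpp, body_len);
    int rc = parse(file, n, &img);
    if (pixel_len) *pixel_len = img.pixel_len;
    return rc;
}

int main(void)
{
    size_t pl = 0;
    int rc = timg_try(timg_parse_naive, 65536u, 65536u, 1, 0, &pl);
    printf("naive   65536x65536x1, no body: rc=%d pixel_len=%zu\n", rc, pl);
    rc = timg_try(timg_parse_checked, 65536u, 65536u, 1, 0, &pl);
    printf("checked 65536x65536x1, no body: rc=%d\n", rc);
    rc = timg_try(timg_parse_checked, 2, 2, 3, 12, &pl);
    printf("checked 2x2x3, full body:       rc=%d pixel_len=%zu\n", rc, pl);
    rc = timg_try(timg_parse_checked, 2, 2, 3, 5, &pl);
    printf("checked 2x2x3, truncated body:  rc=%d\n", rc);
    return 0;
}
```

The checked parser rejects the wrapped header on the dimension limit before the multiplication is ever reached, and a truncated body is caught by comparing the 64-bit requirement against the bytes actually remaining in the buffer rather than against whatever a 32-bit product happened to become. Those two checks, a policy bound on each parameter and a non-wrapping size comparison against real buffer length, are the shape of fix that decoder vulnerabilities of this class generally receive.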
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Isn't it a bit odd that these libraries are failing on both Windows and Linux?
I wonder if someone has been stealing source code?
If tyranny and oppression come to this land, it will be in the guise of fighting a foreign enemy. - James Madison