Slashdot Mirror

← Back to Stories (view on slashdot.org)

GdkPixbuf Suffers Image Decoding Vulnerabilities

Posted by CowboyNeal on from the heads-up dept.

DNAspark99 writes "It seems Multiple vulnerabilities have been reported in GdkPixbuf, which can be exploited by malicious people to DoS (Denial of Service), and potentially compromise a vulnerable system. Personally, I wasn't concerned about this until I ran 'ldd firefox-bin | grep libgdk_pixbuf'" There's no official patch yet, but the article notes several Linux vendors have issued updates. Worth keeping an eye for those who use libgdk_pixbuf under other Unix-style operating systems as well.

42 of 291 comments (clear)

  1. Nothing to see here... by gnuman99 · · Score: 3, Insightful

    More bugs. More fixes. More patches. This is the software cycle...

    1. Re:Nothing to see here... by tehshen · · Score: 3, Funny

      What would you prefer? To stop the patches and fixes, you want no new bugs. To have no new bugs, the product won't evolve. If you want a moving-forward product, don't complain :)

      --
      Guy asked me for a quarter for a cup of coffee. So I bit him.
  2. gnome uses this by kinko · · Score: 4, Insightful

    If you're not aware, gnome2 uses this library, so any gtk2/gnome2 applications you use are probably linked against libgdk_pixbuf.

    update your systems...

    1. Re:gnome uses this by http · · Score: 4, Informative

      I tried "apt-get --dry-run --purge remove libgdk-pixbuf2 libgdk-pixbuf-gnome2" and the list of packages was _long_. I do not have a gnome-heavy system, either. Some choice selections:
      bonobo
      galeon
      gdm
      gnome-control-center
      gnome-help
      gnome-panel
      gnome-session
      gnome-utils
      libgnomeprint-bin
      nautilus
      rep-gtk-gnome
      sawfish-gnome
      xchat-gnome

      It's a biggie, all right.

      --
      If opportunity came disguised as temptation, one knock would be enough.
      3^2 * 67^1 * 977^1
  3. Somebody is busy ... by crimethinker · · Score: 5, Insightful
    I think this is the fourth vulnerability related to image decoding I've seen in the past month or so. Methinks somebody is doing a thorough code review of open source image libraries, the stolen NT code (remember the Windows BMP vuln?), and, where source can't be obtained, thinking about where it might be vulnerable. I just wish people with that much determination would concentrate on fixing the bugs, instead of exploiting them ... so much wasted talent.

    sigh Time to tell the idealist in me to STFU.

    -paul

    --
    Pistol caliber is like religion: everyone has their favourite, and theirs is the only right choice.
    1. Re:Somebody is busy ... by Anonymous Coward · · Score: 5, Informative

      The one who found this vuln is Chris Evans, as known
      as the vsftpd author (http://vsftpd.beasts.org/), and
      here (http://scary.beasts.org/security/) are other bugs he found.

    2. Re:Somebody is busy ... by BeBoxer · · Score: 4, Insightful

      I just wish people with that much determination would concentrate on fixing the bugs, instead of exploiting them ... so much wasted talent.

      What we really need is a web page summarizing all the recent bugs in media decoding (mpg123 I think just had one) as a "how not to program" guide and then make it mandatory reading to get a sourceforge account. I think it's great folks are out looking for these bugs, but it's an embarrasement that there are this many being found so quickly. To me that indicates that there are a crapload of them out there.

      It makes me want to go on vacation for six months and do one upgrade when I get back. Instead of doing one a day for the next six months.

    3. Re:Somebody is busy ... by PitaBred · · Score: 3, Insightful

      The thing is, you now know about the vulnerability. I'd rather know about it and fix it than not know about it and let someone exploit it. It's a GOOD thing that people are finding these and reporting them. They'll found either way...

      --
      My blog. Good stuff (when I remember to update it). Read it.
    4. Re:Somebody is busy ... by ZuperDee · · Score: 3, Insightful

      I just wish people with that much determination would concentrate on fixing the bugs, instead of exploiting them ... so much wasted talent.

      Why should they?!? If I ask a question, why should I also have to provide an answer? That is a stupid attitude to have. If everyone who asked questions had the answers, there'd be no questions to ask.

      Likewise, why look a gift horse in the mouth when he points out a vulnerability like that? Exploiting is a different art from coding to many people. Maybe it just so happens that some people are better at seeing things that others don't catch?

      And don't blame the tools, either. I hear too often people saying things like "if only it were in Java instead of C++, this would not be a problem." A poor workman always blames his tools. A poor musician can ALWAYS say "if only I had a better instrument, I could be a better musician." One simple word for that: Balderdash.

    5. Re:Somebody is busy ... by iabervon · · Score: 3, Informative

      You need to write exploits in order to test whether you've actually fixed the bugs, and in order to determine whether the code is actually correct for some reason you're not seeing.

      It is often the case that support for some functionality which is buggy in one implementation will be buggy in other implementations as well, so it is pretty common in general for a lot of similar bugs to turn up at the same time.

  4. Re:What the hell by Anonymous Coward · · Score: 4, Insightful

    Well, they tend to be writing in C, and concerned about "performance". They thus leave out vital buffer checks. Given that computers are now 3000 times faster than when I was a lad, there's no excuse, any inefficiency is easily compensated for by the "ridiculous speed" of modern computers.

    Either learn to write safe C or switch to a safer language.

  5. There will always be vulnerabilities by 2forshow · · Score: 3, Interesting

    There will always be vulnerabilities. Since people can't produce perfect code there will always be a way for someone to make a flaw into a vulnerability. Therefore there will always be patches and updates(relating to security measures). The only way to stop these flaws from becoming an issue, like this one, is to stop crackers. And good luck with that.

    --
    Free Ipods it's for real check out Wired then go to: http://www.freeiPods.com/default.aspx?referer=8533
  6. Time to switch by Anonymous Coward · · Score: 4, Funny

    Time to switch. Take back the Web.

    Vote against shoddy software with your clicks.

  7. A challenge for search engines? by prestwich · · Score: 5, Interesting

    It strikes me that it would be a good use of any spare capacity some search engines might have to search for image headers on web sites, that are attempting to exploit these types of problems.

  8. Re:What the hell by pclminion · · Score: 4, Insightful
    Are the people who write graphics libraries just not trying very hard or something?

    Uhhh, no. It is simply "in vogue" to look for vulnerabilities in image format parsers at the moment. Is the trend not obvious?

    Soon all the major image libraries will have been examined, all the bugs fixed, and the security gurus will move on to other things. And we'll all benefit from that, because the code will be fixed.

    Bitching is counterproductive, don't you think?

  9. Not exploitable in Firefox by sppavlov · · Score: 5, Informative

    The only places using gdk-pixbuf in Firefox for loading images are all for loading images from your local machine. No from-the-network code paths use gdk-pixbuf.

    1. Re:Not exploitable in Firefox by sppavlov · · Score: 5, Informative

      Mozilla does not use gdk-pixbuf for drawing images -- stuart "pavlov" parmenter (mozilla image library owner)

    2. Re:Not exploitable in Firefox by sppavlov · · Score: 5, Informative

      We only use a single code path for rendering images. We only use gdk-pixbuf to decode GNOME images to find icons for mimetypes.

    3. Re:Not exploitable in Firefox by Mike+Shaver · · Score: 4, Informative

      Firefox uses gdkpixbuf for system MIME-type icons and window icons, which are loaded from the local system (GNOME icons or the firefox distribution). It does not use gdkpixbuf for decoding or displaying web-fetched images; it uses the Mozilla cross-platform image library (libpr0n), calling out to libpng, libjpeg and libgif as required underneath.

      Mike

    4. Re:Not exploitable in Firefox by asa · · Score: 4, Informative

      "So Firefox doesn't ever save an image file that was HTTP'd off the network to a cache directory and load it from disk as needed?"

      It uses libpr0n, Gecko's cross-platform rendering engine to load those images from disk. gdkpixbuf is not used for displaying remote content, even cached remote content.

      --Asa

    5. Re:Not exploitable in Firefox by macsuibhne · · Score: 3, Interesting

      Props to the Mozilla geeks for the naming scheme (this would have been mod points if I had any).

      Tony.

      --
      -- "Quis custodiet ipsos custodes?" -- Juvenal
    6. Re:Not exploitable in Firefox by Compenguin · · Score: 3, Informative

      Mozilla uses gdk-pixbuf via gtk to draw ui widgets, it uses libpr0n to render graphics in web pages. libpr0n runs on all platfors mozilla targets, gdk-pixbuf is a solution for gtk+ widget integration on X11.

    7. Re:Not exploitable in Firefox by TelJanin · · Score: 3, Informative

      Wow, libpr0n does exist. I thought it was just a joke.

  10. Yeah, I was worried too... by spoco2 · · Score: 5, Funny

    Last time I ran "ldd firefox-bin | grep libgdk_pixbuf". I was pretty worried that I had no frigging idea what the hell I was typing.

    1. Re:Yeah, I was worried too... by cyb97 · · Score: 4, Informative

      it's always uncool to run unknown commands that you've seen on slashdot ;-)

    2. Re:Yeah, I was worried too... by FooAtWFU · · Score: 4, Funny
      it's always uncool to run unknown commands that you've seen on slashdot ;-)


      Oh yeah? Well :(){ :|:& };: you too, buddy!

      --
      The World Wide Web is dying. Soon, we shall have only the Internet.
    3. Re:Yeah, I was worried too... by pclminion · · Score: 3, Informative

      It makes more sense when you format it differently. It's a shell script (sorry to post as text, can't get the indentation to work otherwise):

      :()
      {
      :|: &
      }
      :

      Basically, it defines a function called ":" which, when executed, calls itself recursively twice and puts itself into the background. The last ":" actually executes the function. Thus, one shell forks into two shells, those two shells fork into four shells, those four into eight, etc etc etc.

  11. Re:What the hell by Seq · · Score: 5, Insightful

    I find that alot of people I've worked with in software development have a "get it working, clean it up later" attitude. Usually basic error checking gets thrown in, but "hardcore" security often gets put aside in favour of other projects that need to be done. Thus, I think we end up with a fair amount of possibly shoddy code.

    I've never done an audit, because I'm trying to write good code, and it's all I can do to be as "productive" as the others.

    I don't think anybody seriously thinks "man, that could be a huge problem! well, nobody will notice".

    --
    -- Seq
  12. Re:What are you going to do? Mod me -1, flamebait? by ScArE2100 · · Score: 3, Informative

    Now your GNU/Hippie software is vulnverable what are you going to do about it?!

    ...patch it before the vulnerability is even announced... not six months later.

  13. Yawn by ChiralSoftware · · Score: 3, Insightful
    Maybe Slashdot should have a separate section for this? As I've said again and again, we will keep having these types of vulnerabilities until we start using languages with safe pointers and safe memory operations. NX bits, library loading location randomization help too.

    I was just using the Icesoft Java web browser and the Fluendo media player. These are both big applications written in 100% pure Java. They both don't have buffer overflows because Java doesn't have buffers (in the C sense). How many security holes do we need to see every week?

    1. Re:Yawn by LnxAddct · · Score: 3, Interesting

      The only slow programs in java are poorly implemented and use the Swing GUI toolkit in the wrong way. I personally like using Swing, and I use it efficiently, but in many cases the SWT toolkit by Eclipse will be jsut fine as well. SWT is a lighter, faster, toolkit that uses the native toolkit of the system. Java is extrememly fast, easily as fast as C++, if you need something faster then Java you should be using assembly. Read this. Also, the new JVMs by Sun have a feature called Hotspot, what this does is pretty much learn how your program works and adapts your program in real time to optimize it. What I mean is, the longer your program runs, the faster it gets because Hotspot learns what your program does more often and optimizes the bytecode in real time. You can not do this with native applications, itd be like rewriting the program on the fly without ever stopping it and having the effects take place instantly. This, along with no worries of buffer overflows, is a very good reason to use java. Java is a great language and any real coder knows that (just look at how many Apache projects are Java based), you'll only hear amateurs complain about java, just ignore them:)
      Regards,
      Steve

  14. To head it off at the pass... by Dirtside · · Score: 5, Informative

    There's a particular comment which we'll see about a thousand times on this thread alone, the gist of which will be, "See? Even open source has bugs/security holes! It's no better than Microsoft!"

    The reason we bash Microsoft for its bugs and security holes is not because they have bugs and holes; the reason is that Microsoft paints itself as the savior of computing, as software that will make your life infallibly better and easier, and along the way has made quite a lot of unethical business decisions. They basically brag about how uber they are, and then they release crappy software and frequently take forever to fix certain bugs (or simply never fix them -- e.g. PNG transparency in IE. What's it at, 3 years and counting? 4?).

    The guys who write open source stuff like GdkPixBuf, on the other hand, have not (to my knowledge) done these things. They are thus not deserving of scorn; they write software, release it, and say, "I wrote this because I needed it. If you want to try it out, here you go. Have fun; I don't promise anything."

    That's why we mock Microsoft for its bugs and not the GDK team.

    (To be fair, I'm certain that there are some OS projects whose developers are as arrogant as Microsoft, but they at least do not have the unethical business history Microsoft does, nor do they (still!) have a monopoly on desktop OSes that they continue to abuse to the detriment of everyone except themselves. It's one thing to be an asshole when you're nobody important; it's quite another when you have a great deal of power.)

    --
    "Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
  15. Not Remotely Exploitable in Firefox by asa · · Score: 5, Informative

    Firefox doesn't use gdk-pixbuf for drawing it's images. The only places using gdk-pixbuf in Firefox are loading a couple of images from your hard drive into the browser UI -- like the little Windows desktop icon that shows up in the download manager UI. This isn't remotely exploitable in Firefox.

    --Asa

  16. Re:What are you going to do? Mod me -1, flamebait? by temojen · · Score: 3, Interesting
    ... vulnverable what are you going to do about it?!

    Fix it.

    You can't, thats why your going to...

    Actually, we can, that's one of the main reasons for the existance of open source.

  17. Re:What the hell by cyb97 · · Score: 4, Insightful

    well eventhough the computers are zillion times faster, the datastructures they have to deal with have gotten zillion times bigger and/or more complex.
    Solving algorithm-deficiencies by throwing more iron at it is a short-term solution that is bound to come back and bite you in the tail sooner or later.

    Learn to write safe C and make sure your algorithms are sound and healthy.

  18. Re:What the hell by fitten · · Score: 3, Insightful

    There are a number of very easy things you can do while coding to make it more secure. For example, avoid any non- "n" string function. Just get used to typing and using strncat and snprintf and the like instead of the unchecked ones. Little things like that can actually go a pretty long way.

  19. Re:What the hell by Anonymous Coward · · Score: 3, Funny

    Personally I think C is much too slow.

    Relying on high level languages like C seems like a good idea because of development time and security but eventually program complexity will outpace hardware speed increases and you will be screwed!

    A real programmer doesn't need to waste resources on bloated handholding crap like "C". A real programmer uses assembly to avoid writing bloated code!

  20. Re:Overflow testing by jhoger · · Score: 5, Informative

    There is no algorithm to do what you are describing (google for "halting problem")

    You could run something like lint to catch common C errors.

    Better than that though is to profile your code actually running, to see buffer overflows and leaks that actually occur (google for valgrind).

    But most of these exploits are specially crafted input that produce buffer overflows. Typical input won't. So it is very hard to test for buffer overflows.

    The only 100% way to work these kinds of problems out is to write code in higher level languages, so at least you'll get an exception and fail closed in the case of a buffer overflow.

    But in C, the only way to resolve these problems is

    1) Don't write code with buffer overflows (hard)
    2) Find and fix buffer overflows in code review (harder)
    3) Write good enough negative test cases that you find the buffer overflows (really hard for even a good tester).

  21. Re:I thought Linux was immune to this... by gordo3000 · · Score: 3, Interesting

    if you didn't realize by reading the news in the last week, it doesn't matter how long your software is attacked, new bugs are found. Yes, guess what, even microsoft has vulnerabilities announced every month. Millions of eyes on the code can help and obviously it did. We didn't hear about the new virus out there in order to find out about this exploit, we just found out about this exploit. Millions of eyes don't prevent mistakes, they do help find them faster and patch them quicker. And of course, even this story is exactly what that is, they already have vendors with patches out for this problem.

    hm..... seems Micrsoft, even with all its monkey-pounding, still doesn't have a shot in hell with fixing problems as fast as the open source community does. I'll stick with the box that doesn't stay vulnerable for as long.

  22. Let me add: "Well Duh!" by Ayanami+Rei · · Score: 3, Interesting

    As long as it's not a RAW screendump or uncompressed TIFF file or something, there's going to be some interpretation of the file's content to produce the human-consumable output. And it'll be based on a parameterized command stream. And if the interpretation of those parameters is not handled rigourously, or if the system does not account for every possible combination of commands, well then you're ripe for an exploit.

    That's basically EVERY file format.

    Even text can be dangerous. Ever heard of a terminal or ANSI bomb? (scroll down in link).

    The only "safe" viewer is a hex editor. Or less (maybe, you get the idea).

    --
    THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
  23. Such apps exist... by Goonie · · Score: 3, Informative
    I've seen applications that test command-line apps for buffer overflows. They work, and have been used to detect potentially exploitable bugs. The general principle can be used to test other types of apps, though obviously you have to adapt the program for each type of program input.

    A more general prevention method is to use an environment that doesn't allow buffer overflows; as Java proponents never tire of pointing out, Java guards against this type of attack. There are C libraries which do similar things, IIRC; StackGuard was one such method, though it seems to haved faded into obscurity.

    As to your suggestion of a static source code check for unsafe programming practices, there are programs that do that too. GCC itself includes a number of warnings that pop up if you use inherently unsafe C library functions, like gets() (which is buffer overflow in a can...).

    --

    Any sufficiently advanced technology is indistinguishable from a rigged demo
    --Andy Finkel (J. Klass?)
  24. Very similar by FullCircle · · Score: 3, Interesting

    Isn't it a bit odd that these libraries are failing on both Windows and Linux?

    I wonder of someone has been stealing source code?

    --
    If tyranny and oppression come to this land, it will be in the guise of fighting a foreign enemy. - James Madison