Slashdot Mirror

← Back to Stories (view on slashdot.org)

Zero-Days Hitting Fedora and Ubuntu Open Desktops To a World of Hurt (arstechnica.com)

Posted by BeauHD on from the rock-em-sock-em-robots dept.

An anonymous reader writes: It's the year of the Linux desktop getting pwned. Chris Evans (not the red white and blue one) has released a number of linux zero day exploits, the most recent of which employs specially crafted audio files to compromise linux desktop machines. Ars Technica reports: "'I like to prove that vulnerabilities are not just theoretical -- that they are actually exploitable to cause real problems,' Evans told Ars when explaining why he developed -- and released -- an exploit for fully patched systems. 'Unfortunately, there's still the occasional vulnerability disclosure that is met with skepticism about exploitability. I'm helping to stamp that out.' Like Evans' previous Linux zero-day, the proof-of-concept attacks released Tuesday exploit a memory-corruption vulnerability closely tied to GStreamer, a media framework that by default ships with many mainstream Linux distributions. This time, the exploit takes aim at a flaw in a software library alternately known as Game Music Emu and libgme, which is used to emulate music from game consoles. The two audio files are encoded in the SPC music format used in the Super Nintendo Entertainment System console from the 1990s. Both take aim at a heap overflow bug contained in code that emulates the console's Sony SPC700 processor. By changing the .spc extension to .flac and .mp3, GSteamer and Game Music Emu automatically open them."

11 of 164 comments (clear)

  1. Re:That's why they're called BAD by ilguido · · Score: 4, Informative

    According to the Ubuntu manifest only Base and Good plugins are installed by default, like in most distros by the way.

  2. Re:So where's that smug Linux dude? by ilguido · · Score: 3, Informative

    I wonder what he'd have to say to Chris Evans.

    That this is a bit disingenuous: the statement "GStreamer, a media framework that by default ships with many mainstream Linux distributions" is true, but the mentioned exploit does not requires just GStreamer, but a plugin from the "Bad" set, which is usually not installed by default in Linux distros.

  3. Re:That's why they're called BAD by gaiageek · · Score: 4, Informative

    Found it on my Linux Mint 17 install as gstreamer0.10-plugins-bad in the software manager. That isn't to say it was installed by default, but I don't recall installing additional plugins.

    --
    www.gaiageek.com
  4. Re:So where's that smug Linux dude? by TheEden · · Score: 4, Informative

    I think that post was more about msft turning w10 into software version of Orwell's 1984, rather than it being simply full of bugs (as if linux isn't full of bugs). And the actual shithow part of w10 is that there are cases when you install a correct driver for any (particullary old) hardware, it get rolled over by yet another update, so you basically forced to unfuck the system wherever microsoft decides to "enchance your user expirience" (basically every 2-3 days or so). Not to mention all the obvious spyware bundle.

  5. Not really anything new by Zombie+Ryushu · · Score: 3, Informative

    The idea that Linux might or does have security vulnerabilities is not anything remotely new. I sometimes file five bug reports a day on patches for things like this dealing with Debian, Rosa, Mageia, Fedora, and Suse. I just file the bugs, its up to the Distro Maintainers to read what I post and act on them. Sometimes they mark it as invalid, a Duplicate, already fixed, or Works for me.

    Other times I get a patched, or upgraded package in 24-48 hours.

    If you see a CVE of something, post it to your relevant bugzilla, and not just one, always provide the CVE and a URL to where you got the CVE From if at all possible. Don't stick your head in the sand and say its not your problem. Keep in mind the world we live in today.

  6. Re:So where's that smug Linux dude? by phayes · · Score: 3, Informative

    "usually not installed by default in Linux distros" Really?

    The Vanilla Ubuntu 16.04.1 desktop image I have at hand shows that it they are installed by default:

    ubuntu@ubuntu16:~$ dpkg --get-selections | grep gstreamer | grep bad
    gstreamer1.0-plugins-bad:amd64 install
    gstreamer1.0-plugins-bad-faad:amd64 install
    gstreamer1.0-plugins-bad-videoparsers:amd64 install
    libgstreamer-plugins-bad1.0-0:amd64 install

    --
    Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
  7. Re:So where's that smug Linux dude? by ilguido · · Score: 4, Informative

    They're usually installed through the ubuntu-restricted-addons package.

  8. WRONG! by Anonymous Coward · · Score: 4, Informative

    https://scarybeastsecurity.blogspot.pt/2016/11/0day-exploit-advancing-exploitation.html

    "A powerful heap corruption vulnerability exists in the gstreamer decoder for the FLIC file format. Presented here is an 0day exploit for this vulnerability.
    This decoder is generally present in the default install of modern Linux desktops, including Ubuntu 16.04 and Fedora 24. Gstreamer classifies its decoders as “good”, “bad” or “ugly”. Despite being quite buggy, and not being a format at all necessary on a modern desktop, the FLIC decoder is classified as “good”, almost guaranteeing its presence in default Linux installs."

    confirmation here:
    https://bugzilla.redhat.com/show_bug.cgi?id=1397441
    gstreamer-plugins-good: Heap buffer overflow in FLIC decoder

    Sheesh, I thought you guys (the parent post and the ones who upvoted) were geeks and into factual information! Oh right, this is slashdot...

  9. Re:That's why they're called BAD by Anonymous Coward · · Score: 5, Informative

    Can't speak for Mint, but in Ubuntu, during the install the install process you are given an option to install "3rd party software for graphics, wi-fi, flash, MP3 and other media". What this does, essentially, is mark ubuntu-restricted-addons for installation, which, among other things, brings the "bad" and "ugly" gstreamer plugins.

    Many people are going to select this option, since it brings much needed functionality with it. In particular, a less knowledgeable user will probably look at that option and think that maybe it is a good idea to install that.

    Now consider that Ubuntu is the most popular distro, and the one that tends to be suggested to new users. This means that it is VERY likely that many users have this package installed. Which makes it a much bigger problem than what "some people" are suggesting on this thread.

  10. Re: Play Audio on Linux? by Sarten-X · · Score: 3, Informative

    Have you not considered the possibility that the developer wanted different runtime guarantees than the standard library sort provided?

    Yes, I have, and find it extremely unlikely that the programmer had any idea what he was doing. Mostly that analysis comes from the knowledge that the particular software package was an interface for a low-speed IO device, and could have probably have performed just fine if it relied on a bubble sort. Then again, I've also worked with the programmer responsible for that particular package, and it wouldn't surprise me to find that he had actually written his own bubble sort...

    There are very good reasons to use something other than the bog standard quicksort with a heap sort fallback (aka introsort) in a lot of scenarios, be they server services or even games.

    That's not really disputed, but there are third-party libraries that provide many sorting options, without having to write (and debug, and maintain) it yourself. If you have a very good reason to use a particular algorithm, find a library that provides it.

    For either games or server services, that standard library introsort would never be used if I was head of the development team. No chance in hell does it perform better than radix sort (for game scenarios) or has the best possible worst case runtime (for server services.) Its a complete no-no to use it.

    It sounds like you don't really know much about data processing scenarios. I once had a mentor who said something to the effect of "If you're thinking about your sorting, you're doing something wrong". The reality is that except for the most demanding applications (like rendering on the GPU), the programmer shouldn't need to think about what sorting algorithm is being used. Rather, the programmer's primary concern should be writing clean and maintainable software, and leave the exact implementation to someone else, who only needs to write according to an API specification. If that spec includes performance targets, then it will require particular algorithms. Otherwise, anything reasonably efficient will do the job, and it becomes a point of testing to compare different libraries for required functionality.

    For example, let's consider the high-speed sorting used to render a 3D game world. The game programmer just needs to build the world in the game engine, and the engine will handle the sorting. The engine programmer only needs to worry about getting the data from the game library to the renderer, and the renderer will handle the sorting. The render engine programmer finally has to think about sorting algorithms... but his choices are driven primarily by the data structures present and the hardware optimization available, which may drastically change the run times of algorithms. With the appropriate hardware available, the render engine may pass off sorting to the GPU, using some of the SIMD processing capability to (for example) run a Batcher sort, rather than a radix sort on the CPU. I am told that's actually what nVidia's "game-ready" drivers do: They forcibly replace a game's poorly-optimized code with equivalents that use nVidia's hardware more effectively.

    On the server side, I will refer to another aphorism: "Premature optimization is the root of all evil". If using a custom sorting method means moving data around outside of your database, you're not going to get a performance improvement. If you're concerned about worst-case performance because you might see it in real use, you should be thinking about security, not performance. If you're optimizing the application to improve user load performance, it's usually cheaper to just buy more hardware and run more back-end servers. In short, sorting is rarely the most effective target for optimization, so it's generally not worth the cost to improve, when efforts could be focused elsewhere.

    --
    You do not have a moral or legal right to do absolutely anything you want.
  11. Re: Play Audio on Linux? by arth1 · · Score: 3, Informative

    In some cases, a complete sort isn't needed either, just a pigeonholing routine with adjustable bucket sizes. Using a full sort routine can then be very much slower than needed.

    But what the GP post alluded at is that the interdependencies of 3rd party libraries can be humongous. It may be easy to "just" link with a library that provides a small routine, but when that in turn pulls in 10 other libraries, which in turn pull in 20 more, it becomes both a dependency nightmare and bad bloat.
    So in some cases, it pays off to write your own equivalent or link with an .a, even if it means you have to recompile your code to fix security holes instead of automatically get it with a library.
    If you single it out in your own .so, at least you won't have to rebuild all, but just that ,so