Zero-Days Hitting Fedora and Ubuntu Open Desktops To a World of Hurt (arstechnica.com)
An anonymous reader writes: It's the year of the Linux desktop getting pwned. Chris Evans (not the red white and blue one) has released a number of Linux zero-day exploits, the most recent of which employs specially crafted audio files to compromise Linux desktop machines. Ars Technica reports: "'I like to prove that vulnerabilities are not just theoretical -- that they are actually exploitable to cause real problems,' Evans told Ars when explaining why he developed -- and released -- an exploit for fully patched systems. 'Unfortunately, there's still the occasional vulnerability disclosure that is met with skepticism about exploitability. I'm helping to stamp that out.' Like Evans' previous Linux zero-day, the proof-of-concept attacks released Tuesday exploit a memory-corruption vulnerability closely tied to GStreamer, a media framework that by default ships with many mainstream Linux distributions. This time, the exploit takes aim at a flaw in a software library alternately known as Game Music Emu and libgme, which is used to emulate music from game consoles. The two audio files are encoded in the SPC music format used in the Super Nintendo Entertainment System console from the 1990s. Both take aim at a heap overflow bug contained in code that emulates the console's Sony SPC700 processor. By changing the .spc extension to .flac and .mp3, GStreamer and Game Music Emu automatically open them."
According to the Ubuntu manifest only Base and Good plugins are installed by default, like in most distros by the way.
Found it on my Linux Mint 17 install as gstreamer0.10-plugins-bad in the software manager. That isn't to say it was installed by default, but I don't recall installing additional plugins.
I think that post was more about msft turning w10 into software version of Orwell's 1984, rather than it being simply full of bugs (as if Linux isn't full of bugs). And the actual shitshow part of w10 is that there are cases when you install a correct driver for any (particularly old) hardware, it gets rolled over by yet another update, so you're basically forced to unfuck the system wherever Microsoft decides to "enhance your user experience" (basically every 2-3 days or so). Not to mention all the obvious spyware bundle.
They're usually installed through the ubuntu-restricted-addons package.
https://scarybeastsecurity.blogspot.pt/2016/11/0day-exploit-advancing-exploitation.html
"A powerful heap corruption vulnerability exists in the gstreamer decoder for the FLIC file format. Presented here is an 0day exploit for this vulnerability.
This decoder is generally present in the default install of modern Linux desktops, including Ubuntu 16.04 and Fedora 24. Gstreamer classifies its decoders as “good”, “bad” or “ugly”. Despite being quite buggy, and not being a format at all necessary on a modern desktop, the FLIC decoder is classified as “good”, almost guaranteeing its presence in default Linux installs."
confirmation here:
https://bugzilla.redhat.com/show_bug.cgi?id=1397441
gstreamer-plugins-good: Heap buffer overflow in FLIC decoder
Sheesh, I thought you guys (the parent post and the ones who upvoted) were geeks and into factual information! Oh right, this is slashdot...
Can't speak for Mint, but in Ubuntu, during the install process you are given an option to install "3rd party software for graphics, wi-fi, flash, MP3 and other media". What this does, essentially, is mark ubuntu-restricted-addons for installation, which, among other things, brings the "bad" and "ugly" gstreamer plugins.
Many people are going to select this option, since it brings much needed functionality with it. In particular, a less knowledgeable user will probably look at that option and think that maybe it is a good idea to install that.
Now consider that Ubuntu is the most popular distro, and the one that tends to be suggested to new users. This means that it is VERY likely that many users have this package installed. Which makes it a much bigger problem than what "some people" are suggesting on this thread.