Slashdot Mirror

← Back to Stories (view on slashdot.org)

Zero-Days Hitting Fedora and Ubuntu Open Desktops To a World of Hurt (arstechnica.com)

Posted by BeauHD on from the rock-em-sock-em-robots dept.

An anonymous reader writes: It's the year of the Linux desktop getting pwned. Chris Evans (not the red white and blue one) has released a number of linux zero day exploits, the most recent of which employs specially crafted audio files to compromise linux desktop machines. Ars Technica reports: "'I like to prove that vulnerabilities are not just theoretical -- that they are actually exploitable to cause real problems,' Evans told Ars when explaining why he developed -- and released -- an exploit for fully patched systems. 'Unfortunately, there's still the occasional vulnerability disclosure that is met with skepticism about exploitability. I'm helping to stamp that out.' Like Evans' previous Linux zero-day, the proof-of-concept attacks released Tuesday exploit a memory-corruption vulnerability closely tied to GStreamer, a media framework that by default ships with many mainstream Linux distributions. This time, the exploit takes aim at a flaw in a software library alternately known as Game Music Emu and libgme, which is used to emulate music from game consoles. The two audio files are encoded in the SPC music format used in the Super Nintendo Entertainment System console from the 1990s. Both take aim at a heap overflow bug contained in code that emulates the console's Sony SPC700 processor. By changing the .spc extension to .flac and .mp3, GSteamer and Game Music Emu automatically open them."

1 of 164 comments (clear)

  1. Re:That's why they're called BAD by Anonymous Coward · · Score: 5, Informative

    Can't speak for Mint, but in Ubuntu, during the install the install process you are given an option to install "3rd party software for graphics, wi-fi, flash, MP3 and other media". What this does, essentially, is mark ubuntu-restricted-addons for installation, which, among other things, brings the "bad" and "ugly" gstreamer plugins.

    Many people are going to select this option, since it brings much needed functionality with it. In particular, a less knowledgeable user will probably look at that option and think that maybe it is a good idea to install that.

    Now consider that Ubuntu is the most popular distro, and the one that tends to be suggested to new users. This means that it is VERY likely that many users have this package installed. Which makes it a much bigger problem than what "some people" are suggesting on this thread.