GdkPixbuf Suffers Image Decoding Vulnerabilities

CowboyNeal posted about 10 years ago | from the heads-up dept.

Security 291

DNAspark99 writes "It seems multiple vulnerabilities have been reported in GdkPixbuf, which can be exploited by malicious people to DoS (Denial of Service), and potentially compromise a vulnerable system. Personally, I wasn't concerned about this until I ran 'ldd firefox-bin | grep libgdk_pixbuf'" There's no official patch yet, but the article notes several Linux vendors have issued updates. Worth keeping an eye on for those who use libgdk_pixbuf under other Unix-style operating systems as well.

Poll Troll Toll (1)

PollTroll (764214) | about 10 years ago | (#10272119)

What's better..

GdkPixbuf [calcgames.org]
Images [calcgames.org]
Decoding [calcgames.org]
Sex with vulnerable Mares [calcgames.org]

Re:Poll Troll Toll (-1, Flamebait)

Anonymous Coward | about 10 years ago | (#10272489)

Personally, I wasn't concerned about this until I ran 'ldd firefox-bin | grep libgdk_pixbuf'

I really hate you fucking Firefox zealots and your 'OMG MY BROUSER IS TEH BESTEST AND TEH MSOT SECURE!!!'-attitude.

Every fucking GTK-program links against gdk_pixbuf.

Btw: This just proves that Gentoo sucks.

Farts? (-1, Troll)

Anonymous Coward | about 10 years ago | (#10272122)

1st farted

Re:Farts? (-1, Offtopic)

Anonymous Coward | about 10 years ago | (#10272642)

back into the weeds, vlad!

frap (-1)

Anonymous Coward | about 10 years ago | (#10272126)

life as a vulnerability... mundane at times

.. oh boy (-1, Redundant)

Anonymous Coward | about 10 years ago | (#10272129)

Personally I welcome our new GdkPixbuf overlords!

Err.. FOSS security vulns ='(

Nothing to see here... (3, Insightful)

gnuman99 (746007) | about 10 years ago | (#10272134)

More bugs. More fixes. More patches. This is the software cycle...

Re:Nothing to see here... (3, Funny)

tehshen (794722) | about 10 years ago | (#10272176)

What would you prefer? To stop the patches and fixes, you want no new bugs. To have no new bugs, the product won't evolve. If you want a moving-forward product, don't complain :)

Re:Nothing to see here... (1, Informative)

Anonymous Coward | about 10 years ago | (#10272214)



Who says the parent poster is complaining?

The parent poster was just making an observation... he/she was not passing judgement.

Re:Nothing to see here... (2, Insightful)

cyb97 (520582) | about 10 years ago | (#10272454)

Trying to second-guess what the OP meant (of course influenced by my own opinion), every bug or patch isn't really slashdot-worthy. This one certainly ain't groundbreaking news...

gnome uses this (4, Insightful)

kinko (82040) | about 10 years ago | (#10272142)

If you're not aware, gnome2 uses this library, so any gtk2/gnome2 applications you use are probably linked against libgdk_pixbuf.

update your systems...

Somebody is busy ... (5, Insightful)

crimethinker (721591) | about 10 years ago | (#10272145)

I think this is the fourth vulnerability related to image decoding I've seen in the past month or so. Methinks somebody is doing a thorough code review of open source image libraries, the stolen NT code (remember the Windows BMP vuln?), and, where source can't be obtained, thinking about where it might be vulnerable. I just wish people with that much determination would concentrate on fixing the bugs, instead of exploiting them ... so much wasted talent.

sigh Time to tell the idealist in me to STFU.

-paul

Re:Somebody is busy ... (5, Informative)

Anonymous Coward | about 10 years ago | (#10272218)

The one who found this vuln is Chris Evans, also known as the vsftpd author (http://vsftpd.beasts.org/), and here (http://scary.beasts.org/security/) are other bugs he found.

Re:Somebody is busy ... (4, Insightful)

BeBoxer (14448) | about 10 years ago | (#10272232)

I just wish people with that much determination would concentrate on fixing the bugs, instead of exploiting them ... so much wasted talent.

What we really need is a web page summarizing all the recent bugs in media decoding (mpg123 I think just had one) as a "how not to program" guide and then make it mandatory reading to get a sourceforge account. I think it's great folks are out looking for these bugs, but it's an embarrassment that there are this many being found so quickly. To me that indicates that there are a crapload of them out there.

It makes me want to go on vacation for six months and do one upgrade when I get back. Instead of doing one a day for the next six months.

Somebody is busy ...MSCE Revenge. (0)

Anonymous Coward | about 10 years ago | (#10272583)

"What we really need is a web page summarizing all the recent bugs in media decoding (mpg123 I think just had one) as a "how not to program" guide and then make it mandatory reading to get a sourceforge account."

All those "paper certificate", "not doing it for the love" are getting their revenge. Maybe next time you "loving it" guys will be a little nicer.

Re: Somebody is busy ... (1)

Alwin Henseler (640539) | about 10 years ago | (#10272250)

...fourth vulnerability related to image decoding I've seen in the past month...

Yes, yes, people are starting to notice...

Methinks somebody is doing a thorough code review (..)

Naahhh, it must be a global conspiracy! We just didn't find out yet who is The Evil One behind all this...

Re: Somebody is busy ... (1, Funny)

Anonymous Coward | about 10 years ago | (#10272569)

Who's behind it? Probably either Bush or Microsoft.

Re:Somebody is busy ... (3, Insightful)

PitaBred (632671) | about 10 years ago | (#10272254)

The thing is, you now know about the vulnerability. I'd rather know about it and fix it than not know about it and let someone exploit it. It's a GOOD thing that people are finding these and reporting them. They'll be found either way...

Re:Somebody is busy ... (3, Insightful)

ZuperDee (161571) | about 10 years ago | (#10272263)

I just wish people with that much determination would concentrate on fixing the bugs, instead of exploiting them ... so much wasted talent.

Why should they?!? If I ask a question, why should I also have to provide an answer? That is a stupid attitude to have. If everyone who asked questions had the answers, there'd be no questions to ask.

Likewise, why look a gift horse in the mouth when he points out a vulnerability like that? Exploiting is a different art from coding to many people. Maybe it just so happens that some people are better at seeing things that others don't catch?

And don't blame the tools, either. I hear too often people saying things like "if only it were in Java instead of C++, this would not be a problem." A poor workman always blames his tools. A poor musician can ALWAYS say "if only I had a better instrument, I could be a better musician." One simple word for that: Balderdash.

Re:Somebody is busy ... (0)

Anonymous Coward | about 10 years ago | (#10272331)

I Just wish people with that much determination would concentrate on fixing the bugs, instead of exploiting them ...

These are bugs they are fixing...really nasty bugs that result in your computer being compromised which is probably one of the worst kinds of bugs I can think of.

Re:Somebody is busy ... (0, Redundant)

bman08 (239376) | about 10 years ago | (#10272396)

I really dislike cockroaches and scorpions (it's the babies on the back thing), but the worst kinds of bugs I can think of are earwigs. They compromise your ears!!!

What the hell (1, Interesting)

Anonymous Coward | about 10 years ago | (#10272146)

And here I was all like "my God, that's pathetic, Microsoft can't even make a JPEG parser without buffer overflows that compromise the user".

Now it seems this is universal, or at the very least universal outside the macintosh world. Are the people who write graphics libraries just not trying very hard or something?

Re:What the hell (4, Insightful)

Anonymous Coward | about 10 years ago | (#10272166)

Well, they tend to be writing in C, and concerned about "performance". They thus leave out vital buffer checks. Given that computers are now 3000 times faster than when I was a lad, there's no excuse, any inefficiency is easily compensated for by the "ridiculous speed" of modern computers.

Either learn to write safe C or switch to a safer language.

Re:What the hell (4, Insightful)

cyb97 (520582) | about 10 years ago | (#10272498)

Well, even though the computers are zillion times faster, the data structures they have to deal with have gotten zillion times bigger and/or more complex.
Solving algorithm-deficiencies by throwing more iron at it is a short-term solution that is bound to come back and bite you in the tail sooner or later.

Learn to write safe C and make sure your algorithms are sound and healthy.

I was going to take your advice... (0)

Anonymous Coward | about 10 years ago | (#10272592)

But the new programming book I got, "Void *: If it works, it's done" recommended against it.

Re:What the hell (3, Funny)

Anonymous Coward | about 10 years ago | (#10272607)

Personally I think C is much too slow.

Relying on high level languages like C seems like a good idea because of development time and security but eventually program complexity will outpace hardware speed increases and you will be screwed!

A real programmer doesn't need to waste resources on bloated handholding crap like "C". A real programmer uses assembly to avoid writing bloated code!

Re:What the hell (0)

Anonymous Coward | about 10 years ago | (#10272653)

Yeah, I have to agree here.

Is the increase in development time and security really worth the speed hit you take for using new fangled languages like C?

I don't think so. Any project using these trendy new languages popular with the PHBs is doomed to failure. I'm just going to keep using assembly forever!

Re:What the hell (2, Insightful)

pavon (30274) | about 10 years ago | (#10272609)

Graphic processing is one of the places where the speed is needed. Yes computers have gotten 1000 times faster but modern GUIs do 1000 times more graphics computations than they used to. Consider the fact that every single gtk/gnome widget drawn on your screen uses this library (yay themes) and it becomes apparent that it has to be written for speed, so going to a high level language is not an option. There are many other reasons that GTK uses C, the main one being that while everyone is moving to high level languages, they are all moving to different ones. Therefore, GTK has to be written in C since that is what all the other languages can link against.

Second, it likely wasn't that they intentionally left out checks on purpose for speed, but just missed one - probably weren't thinking about someone attempting to DOS their graphics library. It happens when you write code. I am a decent programmer and have never found an integer overflow or memory access error in any C code I wrote (after shipping it), but I am not arrogant enough to think that there are not any in there waiting to be discovered. It isn't insightful to say that if everyone programmed perfectly then we wouldn't have any bugs - it is unrealistic.

Lastly, even if you did use a high level language, the programmer that overlooked this problem in C would still overlook it in the higher level language as well. It would likely result in an uncaught exception, and the program would likely terminate. So this would still be a bug - just not a security hole, since it couldn't result in executing arbitrary code.

Higher level languages can help make a program more secure, and are a good idea for that reason. But as long as human beings are the ones writing code, mistakes and oversights will happen, and patches are something you will have to learn to live with.
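The kind of checks the comment above says are easy to miss, as an added example that is not part of the original post and is not GdkPixbuf code: a decoder for a hypothetical run-length image format, constructed for this illustration, that validates the header dimensions, multiplies them without wrapping, and refuses any run that would write past the pixel buffer. The format, `MAX_DIM`, and all function names are assumptions.

```c
/* Added example: toy run-length image decoder with the checks a decoder needs.
 * Hypothetical format (constructed for this example, not BMP):
 *   bytes 0-3  width  (little-endian u32)
 *   bytes 4-7  height (little-endian u32)
 *   then (count, value) byte pairs, one byte per pixel. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_DIM 16384u /* assumed policy limit on width and height */

enum { DEC_OK = 0, DEC_TRUNCATED = -1, DEC_BAD_DIMS = -2,
       DEC_BAD_RUN = -3, DEC_NOMEM = -4 };

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Multiply two sizes; return -1 instead of silently wrapping around. */
int mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return -1;
    *out = a * b;
    return 0;
}

/* Decode `in` into a freshly allocated pixel buffer (caller frees *out). */
int toy_rle_decode(const uint8_t *in, size_t in_len,
                   uint8_t **out, size_t *out_len)
{
    size_t npix, pos = 8, filled = 0;
    uint32_t w, h;
    uint8_t *buf;

    *out = NULL;
    *out_len = 0;
    if (in_len < 8)
        return DEC_TRUNCATED;              /* header incomplete */
    w = rd_le32(in);
    h = rd_le32(in + 4);
    if (w == 0 || h == 0 || w > MAX_DIM || h > MAX_DIM)
        return DEC_BAD_DIMS;               /* attacker-chosen sizes capped */
    if (mul_size(w, h, &npix) != 0)
        return DEC_BAD_DIMS;               /* width * height would wrap */
    buf = malloc(npix);
    if (buf == NULL)
        return DEC_NOMEM;

    while (filled < npix) {
        size_t count;
        if (in_len - pos < 2) {            /* pos <= in_len always holds */
            free(buf);
            return DEC_TRUNCATED;          /* input ended before the image */
        }
        count = in[pos];
        if (count == 0 || count > npix - filled) {
            free(buf);
            return DEC_BAD_RUN;            /* run would overflow the buffer */
        }
        memset(buf + filled, in[pos + 1], count);
        filled += count;
        pos += 2;
    }
    *out = buf;
    *out_len = npix;
    return DEC_OK;
}

/* Decode, discard the pixels, and return only the status code. */
int decode_status(const uint8_t *in, size_t in_len)
{
    uint8_t *px;
    size_t n;
    int rc = toy_rle_decode(in, in_len, &px, &n);
    free(px);
    return rc;
}

/* Constructed sample inputs. */
static const uint8_t SAMPLE_OK[]       = { 4,0,0,0, 2,0,0,0, 3,0xAA, 5,0xBB };
static const uint8_t SAMPLE_LONG_RUN[] = { 2,0,0,0, 2,0,0,0, 200,0xCC };
static const uint8_t SAMPLE_HUGE[]     = { 0xFF,0xFF,0xFF,0xFF,
                                           0xFF,0xFF,0xFF,0xFF, 1,0 };
static const uint8_t SAMPLE_SHORT[]    = { 2,0,0,0, 2,0,0,0, 1,0x11 };

int main(void)
{
    printf("ok=%d long_run=%d huge=%d short=%d\n",
           decode_status(SAMPLE_OK, sizeof SAMPLE_OK),
           decode_status(SAMPLE_LONG_RUN, sizeof SAMPLE_LONG_RUN),
           decode_status(SAMPLE_HUGE, sizeof SAMPLE_HUGE),
           decode_status(SAMPLE_SHORT, sizeof SAMPLE_SHORT));
    return 0;
}
```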

Re:What the hell (1)

tehshen (794722) | about 10 years ago | (#10272202)

No, it's just that the people who find exploits are trying harder.

Re:What the hell (4, Insightful)

pclminion (145572) | about 10 years ago | (#10272241)

Are the people who write graphics libraries just not trying very hard or something?

Uhhh, no. It is simply "in vogue" to look for vulnerabilities in image format parsers at the moment. Is the trend not obvious?

Soon all the major image libraries will have been examined, all the bugs fixed, and the security gurus will move on to other things. And we'll all benefit from that, because the code will be fixed.

Bitching is counterproductive, don't you think?

Re:What the hell (0)

Anonymous Coward | about 10 years ago | (#10272248)

I may be talking out of my behind here, but -

from what I heard, buffer overflow exploits happen more often on x86 than PPC because of the different locations that PC and stack pointer have in memory.

I read that on the intarweb, so it must be true - can anyone with more assembly knowledge maybe enlighten us?

Re:What the hell (1)

downbad (793562) | about 10 years ago | (#10272249)

libgdk_pixbuf and mozilla run on OSX, too.

Re:What the hell (5, Insightful)

Seq (653613) | about 10 years ago | (#10272277)

I find that a lot of people I've worked with in software development have a "get it working, clean it up later" attitude. Usually basic error checking gets thrown in, but "hardcore" security often gets put aside in favour of other projects that need to be done. Thus, I think we end up with a fair amount of possibly shoddy code.

I've never done an audit, because I'm trying to write good code, and it's all I can do to be as "productive" as the others.

I don't think anybody seriously thinks "man, that could be a huge problem! well, nobody will notice".

Re:What the hell (3, Insightful)

fitten (521191) | about 10 years ago | (#10272509)

There are a number of very easy things you can do while coding to make it more secure. For example, avoid any non-"n" string function. Just get used to typing and using strncat and snprintf and the like instead of the unchecked ones. Little things like that can actually go a pretty long way.
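The bounded functions named in the comment above still have to be called with the right size and their results checked. This is an added example, not part of the original post, showing wrappers around strncat, snprintf and strncpy that report truncation rather than silently accepting it; the wrapper names and sample strings are hypothetical.

```c
/* Added example: using the bounded ("n") string functions so that truncation
 * is detected instead of silently accepted. Function names are hypothetical. */
#include <stdio.h>
#include <string.h>

/* Append src to the NUL-terminated string in dst (capacity dst_size bytes).
 * Returns 0 on success, -1 if dst is not terminated or src does not fit;
 * dst is left unchanged on failure. */
int bounded_append(char *dst, size_t dst_size, const char *src)
{
    const char *end = memchr(dst, '\0', dst_size);
    size_t used, room;

    if (end == NULL)
        return -1;                 /* no terminator inside the buffer */
    used = (size_t)(end - dst);
    room = dst_size - used - 1;    /* bytes free, excluding the terminator */
    if (strlen(src) > room)
        return -1;                 /* would truncate: report it */
    /* strncat's third argument is the most characters to append, NOT the
     * size of dst; it always writes a terminating NUL after them. */
    strncat(dst, src, room);
    return 0;
}

/* Format "<name>-<id>" into dst. snprintf returns the length it wanted to
 * write, so a value >= dst_size means the output was cut short. */
int bounded_format(char *dst, size_t dst_size, const char *name, int id)
{
    int n = snprintf(dst, dst_size, "%s-%d", name, id);
    if (n < 0 || (size_t)n >= dst_size)
        return -1;
    return 0;
}

/* strncpy does not terminate dst when src fills it; terminate explicitly.
 * Returns 0 if src fit completely, -1 if it was truncated. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return -1;
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';
    return strlen(src) < dst_size ? 0 : -1;
}

int main(void)
{
    char path[16] = "icons/";      /* constructed sample values */

    printf("fits:     %d\n", bounded_append(path, sizeof path, "a.png"));
    printf("too long: %d\n",
           bounded_append(path, sizeof path, "-a-very-long-name.png"));
    printf("result:   %s\n", path);
    return 0;
}
```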

Re:What the hell (1, Funny)

Anonymous Coward | about 10 years ago | (#10272589)

Just get used to typing and using strncat and snprintf and the like instead of the unchecked ones.

I used those in a CS project for school once and I got the project back with my grade marked down for using those! Apparently the stupid ass TA who graded it didn't know what the hell those were and marked me down for misspelling some other function.

Hopefully his visa expired by now...good riddance...

What the hell-UML (0)

Anonymous Coward | about 10 years ago | (#10272615)

Maybe we should start with the higher levels instead of cowboy programming?

Re:What the hell (1)

fitten (521191) | about 10 years ago | (#10272529)

Yep... pretty common attitude... for example, all the junk in the Microsoft JPEG exploit thread the other day... It's pretty ironic.

Tons of one liner sayings come to mind...

Re:What the hell (0, Troll)

evslin (612024) | about 10 years ago | (#10272540)

Now it seems this is universal, or at the very least universal outside the macintosh world.

I fail to see the difference!

/ducks

There will always be vulnerabilities (4, Interesting)

2forshow (810467) | about 10 years ago | (#10272210)

There will always be vulnerabilities. Since people can't produce perfect code there will always be a way for someone to make a flaw into a vulnerability. Therefore there will always be patches and updates (relating to security measures). The only way to stop these flaws from becoming an issue, like this one, is to stop crackers. And good luck with that.

Re:There will always be vulnerabilities (0)

Anonymous Coward | about 10 years ago | (#10272637)

Or you could just stop using C.

It's not 1978 anymore, you can switch to a more advanced language some day...

Time to switch (4, Funny)

Anonymous Coward | about 10 years ago | (#10272219)

Time to switch. Take back the Web. [microsoft.com]

Vote against shoddy software with your clicks.

Re:Time to switch (0)

Anonymous Coward | about 10 years ago | (#10272438)

They didn't have a download for my platform!

What gives? When will they be releasing some ports?

Re:Time to switch (0)

Anonymous Coward | about 10 years ago | (#10272600)

dont hold your breath, Im still waiting for them to release a version of this 'linux' program. I've heard so much about this 'linux'. None of them will run on my XP machine tho. I hope it doesn't cost more than a couple hundred dollars.

What are you going to do? Mod me -1, flamebait? (-1, Troll)

Anonymous Coward | about 10 years ago | (#10272222)

HA HA HA HA! YOU LINUX ZEALOTS!
Everytime a little bug comes up in Microsoft you SAY JOIN THE CULLT! Use our KKK sponsored software and be a GNU/hippie! Now your GNU/Hippie software is vulnverable what are you going to do about it?! You can't, thats why your going to be nerd and mod me down! Thats ALL YOU CAN DO! I PISS IN YOUR FACE!

A PROUD WINDOWS USING TROLL!

Re:What are you going to do? Mod me -1, flamebait? (-1)

Bull999999 (652264) | about 10 years ago | (#10272265)

HA HA HA HA! YOU LINUX ZEALOTS! Everytime a little bug comes up in Microsoft you SAY JOIN THE CULLT! Use our KKK sponsored software and be a GNU/hippie! Now your GNU/Hippie software is vulnverable what are you going to do about it?! You can't, thats why your going to be nerd and mod me down! Thats ALL YOU CAN DO! I PISS IN YOUR FACE! A PROUD WINDOWS USING TROLL!

Since when did Mozilla become a part of Linux or a GNU project? Maybe some slipped it in while the kernel maintainer wasn't looking.

Re:What are you going to do? Mod me -1, flamebait? (4, Informative)

ScArE2100 (663201) | about 10 years ago | (#10272281)

Now your GNU/Hippie software is vulnverable what are you going to do about it?!

...patch it before the vulnerability is even announced... not six months later.

Re:What are you going to do? Mod me -1, flamebait? (0)

Anonymous Coward | about 10 years ago | (#10272678)

..patch it before the vulnerability is even announced... not six months later.

In case you did not notice: it has been announced ... where is the fix?

Re:What are you going to do? Mod me -1, flamebait? (0, Offtopic)

VoidWraith (797276) | about 10 years ago | (#10272375)

Damn Windows Zealots. Go back to your open areas and get out of our holes!

Re:What are you going to do? Mod me -1, flamebait? (3, Interesting)

temojen (678985) | about 10 years ago | (#10272475)

... vulnverable what are you going to do about it?!

Fix it.

You can't, thats why your going to...

Actually, we can, that's one of the main reasons for the existence of open source.

Re:What are you going to do? Mod me -1, flamebait? (0)

Anonymous Coward | about 10 years ago | (#10272567)

Mod him to +5 Interesting and make him regret posting this as AC.

A challenge for search engines? (5, Interesting)

prestwich (123353) | about 10 years ago | (#10272224)

It strikes me that it would be a good use of any spare capacity some search engines might have to search for image headers on web sites, that are attempting to exploit these types of problems.

Re:A challenge for search engines? (1)

subsentio (735377) | about 10 years ago | (#10272521)

Ha, ha, ha! Spare capacity. Good one!

Ah, nuts. (0, Funny)

Anonymous Coward | about 10 years ago | (#10272234)

I guess this means I should start using Windows.

/me ducks

That's okay... (0, Troll)

rackhamh (217889) | about 10 years ago | (#10272237)

... we can still blame Bill Gates:

Source: dictionary.com

bmp

Microsoft Windows bitmap format.
Bmp files may use run-length encoding. :P

Re:That's okay... (0, Offtopic)

rackhamh (217889) | about 10 years ago | (#10272305)

P.S. You, the person who modded me a troll. That's right, you!

Go get some sunshine. Play with a puppy dog. Rent a comedy (hint: look for boxes with bright colors).

You can thank me later. :)

Not exploitable in Firefox (5, Informative)

sppavlov (809156) | about 10 years ago | (#10272247)

The only places using gdk-pixbuf in Firefox for loading images are all for loading images from your local machine. No from-the-network code paths use gdk-pixbuf.

Re:Not exploitable in Firefox (0, Flamebait)

Kenja (541830) | about 10 years ago | (#10272278)

Check me on this, but don't "from-the-network" images get downloaded to cache and then opened? If so then gdk-pixbuf would still be used to load the local cached image for display.

Re:Not exploitable in Firefox (5, Informative)

sppavlov (809156) | about 10 years ago | (#10272314)

Mozilla does not use gdk-pixbuf for drawing images -- stuart "pavlov" parmenter (mozilla image library owner)

Re:Not exploitable in Firefox (1)

Kenja (541830) | about 10 years ago | (#10272337)

"Mozilla does not use gdk-pixbuf for drawing images -- stuart "pavlov" parmenter (mozilla image library owner)"

Well ok then.

Re:Not exploitable in Firefox (1)

benwb (96829) | about 10 years ago | (#10272289)

I find it hard to believe that firefox is using more than one image rendering library for each image type it supports.

Re:Not exploitable in Firefox (5, Informative)

sppavlov (809156) | about 10 years ago | (#10272349)

We only use a single code path for rendering images. We only use gdk-pixbuf to decode GNOME images to find icons for mimetypes.

Re:Not exploitable in Firefox (4, Informative)

Mike Shaver (7985) | about 10 years ago | (#10272367)

Firefox uses gdkpixbuf for system MIME-type icons and window icons, which are loaded from the local system (GNOME icons or the firefox distribution). It does not use gdkpixbuf for decoding or displaying web-fetched images; it uses the Mozilla cross-platform image library (libpr0n), calling out to libpng, libjpeg and libgif as required underneath.

Mike

Re:Not exploitable in Firefox (0, Flamebait)

poot_rootbeer (188613) | about 10 years ago | (#10272462)


So Firefox doesn't ever save an image file that was HTTP'd off the network to a cache directory and load it from disk as needed?

Re:Not exploitable in Firefox (4, Informative)

asa (33102) | about 10 years ago | (#10272608)

"So Firefox doesn't ever save an image file that was HTTP'd off the network to a cache directory and load it from disk as needed?"

It uses libpr0n, Gecko's cross-platform rendering engine to load those images from disk. gdkpixbuf is not used for displaying remote content, even cached remote content.

--Asa

FC2 fixed already? (0, Troll)

erroneus (253617) | about 10 years ago | (#10272261)

I just ran UP2DATE yesterday on that pixbuf package. I think it would be too coincidental that it came out just before the announcement. I think FC2 already has the fix out maybe?

Now if they'd get the new Mozilla package out there!

Yeah, I was worried too... (5, Funny)

spoco2 (322835) | about 10 years ago | (#10272264)

Last time I ran "ldd firefox-bin | grep libgdk_pixbuf". I was pretty worried that I had no frigging idea what the hell I was typing.

Re:Yeah, I was worried too... (2, Informative)

nbert (785663) | about 10 years ago | (#10272347)

Last time I ran "ldd firefox-bin | grep libgdk_pixbuf". I was pretty worried that I had no frigging idea what the hell I was typing.
That pretty much sums up my feelings when I read it. But the first line of the man page says it all:
ldd - print shared library dependencies

Re:Yeah, I was worried too... (4, Informative)

cyb97 (520582) | about 10 years ago | (#10272520)

it's always uncool to run unknown commands that you've seen on slashdot ;-)

Re:Yeah, I was worried too... (4, Funny)

FooAtWFU (699187) | about 10 years ago | (#10272597)

it's always uncool to run unknown commands that you've seen on slashdot ;-)


Oh yeah? Well :(){ :|:& };: you too, buddy!

Re:Yeah, I was worried too... (2, Informative)

pclminion (145572) | about 10 years ago | (#10272622)

:(){ :|:& };:

Son of a BITCH, I was just about to post that! GAH!

(Dear Slashdotters: The command shown above will not harm your computer, but will probably require a reboot to recover from it)

Yawn (3, Insightful)

ChiralSoftware (743411) | about 10 years ago | (#10272282)

Maybe Slashdot should have a separate section for this? As I've said again [slashdot.org] and again [slashdot.org], we will keep having these types of vulnerabilities until we start using languages with safe pointers and safe memory operations. NX bits, library loading location randomization help too.

I was just using the Icesoft Java web browser [icesoft.com] and the Fluendo media player [fluendo.com]. These are both big applications written in 100% pure Java. They both don't have buffer overflows because Java doesn't have buffers (in the C sense). How many security holes do we need to see every week?

Re:Yawn (1)

Bull999999 (652264) | about 10 years ago | (#10272384)

How is the responsiveness of the Icesoft Java web browser and the Fluendo media player? I may get flamed for making this comment but I'm not too happy with the performance (speed wise) of Java applications I've seen so far.

Responsiveness (1)

ChiralSoftware (743411) | about 10 years ago | (#10272519)

Strangely enough, the media player is great, and Icesoft's browser is just ok. It seems like parts of the browser get swapped out and every once in a while it can take it a while to swap them in, or maybe that's the GC running. I don't know. Icesoft's browser is definitely not as smooth as Konqueror, for example. But then again, Konqueror is a much more mature product.

I personally would rather have something a hair slower but a lot more secure. Also, if more desktop apps got ported to Java and Java got more real-world desktop use, the JVM would get tuned and adapted. There's no reason why it should be slow.

Re:Yawn (3, Interesting)

LnxAddct (679316) | about 10 years ago | (#10272584)

The only slow programs in java are poorly implemented and use the Swing GUI toolkit in the wrong way. I personally like using Swing, and I use it efficiently, but in many cases the SWT toolkit by Eclipse will be just fine as well. SWT is a lighter, faster, toolkit that uses the native toolkit of the system. Java is extremely fast, easily as fast as C++, if you need something faster than Java you should be using assembly. Read this [sun.com]. Also, the new JVMs by Sun have a feature called Hotspot, what this does is pretty much learn how your program works and adapts your program in real time to optimize it. What I mean is, the longer your program runs, the faster it gets because Hotspot learns what your program does more often and optimizes the bytecode in real time. You can not do this with native applications, it'd be like rewriting the program on the fly without ever stopping it and having the effects take place instantly. This, along with no worries of buffer overflows, is a very good reason to use java. Java is a great language and any real coder knows that (just look at how many Apache projects are Java based), you'll only hear amateurs complain about java, just ignore them:)
Regards,
Steve

Amateurs my ass (1)

HBI (604924) | about 10 years ago | (#10272698)

On the desktop I don't want to put up with the load times of a VM and the fact that many applications are written to a particular VM, whether that be a particular point rev of Sun's JVM or Microsoft's. So much for write once, run anywhere. So how many JVMs do I have to put up with on my machine to realize this nirvana of no buffer overflows, exactly?

In regards to being an amateur, I was in this business when you were in diapers, if your email address is any indication. Put simply, if I know the end user application is in Java and requires a VM I avoid it like the plague.

I will well and truly laugh when an enterprising individual manages to successfully run arbitrary code inside a JVM again. Yes, it's happened before, and will happen again. Maybe it'll shut some of you amateurs who think that "because it's Java, it's secure" up.

Re:Yawn (2, Interesting)

Anonymous Coward | about 10 years ago | (#10272456)

Isn't there also the "D" programming language, which as far as I know, has many of the advantages of Java and C# (does not use unsafe pointers by default for instance) but has the advantage of producing proper compiled code.

The experience I have of "trying" to use Java programs of any size (I don't think I've come on a .NET one) has so far been very painful. They keep telling me how it is so much faster now, and how computers being so much faster using an interpreted language is not that bad, but that's just NOT how it is. I keep trying to run those programs, with the latest JVM and I keep feeling the agony of it all.

"D" on the other hand seems to be the natural evolution of C/C++. It includes the nice features of the modern interpreted languages but compiles them into proper executables. It should definitely be considered by library writers (at least when it comes standard with gcc) as it would avoid a lot of these buffer problems.

Re:Yawn (0)

Anonymous Coward | about 10 years ago | (#10272504)

No one uses that stuff because Java takes at least 10x longer to load and 5x more memory.

Re:Yawn (0)

Anonymous Coward | about 10 years ago | (#10272571)

Mainly because the memory usage.
Many of us still use 128 mbytes of ram or even less...
I guess I would prefer using Haskell, as it's really compact (the language) and more easy to prove correctness

feeding troll, but... (0)

Anonymous Coward | about 10 years ago | (#10272669)

Honestly, "safe" languages only help so much. JRE is enormous--do you really want to bet your security on the absence of exploitable overflows inside it? And there's more to exploitability than buffer overflows.

I think a better tack is to _assume_ code will have exploitable vulnerabilities (obviously trying to avoid them, but acknowledging imperfection) and have the OS mitigate their impact. This is more or less the UNIX model. Large, multiuser systems, many of the users actively trying to mess things up (at universities, at least), and yet the thing keeps on ticking. I think SELinux, with its MACs, will bring us closer to this goal.

Re:Yawn (0)

Anonymous Coward | about 10 years ago | (#10272688)

I don't know why people keep telling that Java is the cure for all "security" problems. Maybe they are trying to convince themselves. Garbage collected && type safe && "insert your favourite feature here" languages exist since the 70's, and Java is the worst among those kind of languages (take a look at Lisp/O'Caml). There is no automatic solution for security. The JVM *does* have security issues too!

Security is always a problem.. (2, Insightful)

illusioned (733320) | about 10 years ago | (#10272295)

This is why I really hate when people start wars about one platform over another over security. No one is perfect, and errors like this will happen. The only real way to attempt to prevent flaws like this is more strict code reviews and more testing and debugging. Even those actions won't always find a problem like this because sometimes the problem is outside the bounds of the program's normal operation (ie invalid data in an image that wouldn't be found by testing with real images). All we can do is hope that there are more of us wearing white hats than there are those of us wearing black hats.

Re:Security is always a problem.. (2, Funny)

VoidWraith (797276) | about 10 years ago | (#10272402)

And that the people without hats stop clicking on the damn things. "Ooh, more free porn"

To head it off at the pass... (5, Informative)

Dirtside (91468) | about 10 years ago | (#10272303)

There's a particular comment which we'll see about a thousand times on this thread alone, the gist of which will be, "See? Even open source has bugs/security holes! It's no better than Microsoft!"

The reason we bash Microsoft for its bugs and security holes is not because they have bugs and holes; the reason is that Microsoft paints itself as the savior of computing, as software that will make your life infallibly better and easier, and along the way has made quite a lot of unethical business decisions. They basically brag about how uber they are, and then they release crappy software and frequently take forever to fix certain bugs (or simply never fix them -- e.g. PNG transparency in IE. What's it at, 3 years and counting? 4?).

The guys who write open source stuff like GdkPixBuf, on the other hand, have not (to my knowledge) done these things. They are thus not deserving of scorn; they write software, release it, and say, "I wrote this because I needed it. If you want to try it out, here you go. Have fun; I don't promise anything."

That's why we mock Microsoft for its bugs and not the GDK team.

(To be fair, I'm certain that there are some OS projects whose developers are as arrogant as Microsoft, but they at least do not have the unethical business history Microsoft does, nor do they (still!) have a monopoly on desktop OSes that they continue to abuse to the detriment of everyone except themselves. It's one thing to be an asshole when you're nobody important; it's quite another when you have a great deal of power.)

Re:To head it off at the pass... (0)

Anonymous Coward | about 10 years ago | (#10272414)

But, to be fair, there are many who run around claiming that oss is inherently more secure than closed source software. While I agree it is silly to blame the developers themselves, I think it is valid to make the point that some oss advocates are wrong.

Who do you mean by "we"? (0)

Anonymous Coward | about 10 years ago | (#10272448)

You certainly don't speak for me, schizo.

Re:To head it off at the pass... (1)

bob65 (590395) | about 10 years ago | (#10272665)

There's a particular comment which we'll see about a thousand times on this thread alone, the gist of which will be, "See? Even open source has bugs/security holes! It's no better than Microsoft!"

Um, actually I haven't seen it once in this thread yet. You sure this is the right thread?

Re:To head it off at the pass... (2, Informative)

LordP (96602) | about 10 years ago | (#10272680)

I just wanted to point out that the lack of support for PNG Transparency in Internet Explorer is NOT a bug - according to the spec [libpng.org], it's optional...

"Viewers can support transparency control partially, or not at all."

(Note: I'm not pro-Windows, I use Slackware [slackware.com] on a daily basis, but I'm just tired of people claiming the above as a bug)

crowded theater (1)

Doc Ruby (173196) | about 10 years ago | (#10272309)

We're not going to see the open source to a universal buffer object, with complete bounds checking, that every single buffer-requiring codepath calls, any time soon. So how about a "security watch" object that checks a specifiable URL for security announcements, which sends a message to a DB that notifies the sysadmin of security announcements, from warnings to patches? The DB could be set with alternate URLs, the watch object could require corroboration from multiple sources, the site policy could default to autoinstalling patches with certain signatures. Everyone talking about "white worms" that spread patches would want this infrastructure, which could be remotely administered under support contracts. Like a 21st Century fire alarm, calling a robot fire department.

Re:crowded theater (1)

ScrewMaster (602015) | about 10 years ago | (#10272447)

Which would probably work just fine as long as your fire department wasn't known as Microsoft.

Re:crowded theater (1)

Doc Ruby (173196) | about 10 years ago | (#10272538)

That's the idea: take the promise of Microsoft Update, and deliver it with a dependable, decentralized infrastructure plugged into the community. Even in NYC a century ago, when firefighters were private companies contracted by individual insurance companies to protect individual buildings, the landlords didn't own the fire companies, even though it was apparently in their best interest. That model eventually stabilized into the government organized volunteer force now cooperatively covering all buildings in the city, without any direct payments, although the system is subsidized by both the insurance business and the landlords.

shit.. (-1, Offtopic)

Anonymous Coward | about 10 years ago | (#10272355)

GNAA and suppO8t [goat.cx]

It would be useful... (2, Interesting)

Quixote (154172) | about 10 years ago | (#10272370)

It would be useful if someone could post the source code snippets, and show exactly how these vulnerabilities were caused. This is the advantage of OSS: you can dig into the sources and analyze them completely.

--
A neighborhood's tale [elmwoodstrip.com]

Not Remotely Exploitable in Firefox (5, Informative)

asa (33102) | about 10 years ago | (#10272387)

Firefox doesn't use gdk-pixbuf for drawing its images. The only places using gdk-pixbuf in Firefox are loading a couple of images from your hard drive into the browser UI -- like the little Windows desktop icon that shows up in the download manager UI. This isn't remotely exploitable in Firefox.

--Asa

strace time (1)

wurp (51446) | about 10 years ago | (#10272506)

Sounds like time to strace Firefox and search for calls to gdk-pixbuf functions. I am on a shitty winders machine right now or I would do it myself.

Security (0, Troll)

Anonymous Coward | about 10 years ago | (#10272407)

Mac OS X > *

so much for linux being better... (0)

Anonymous Coward | about 10 years ago | (#10272483)

...looks like linux suffers the same issues that MS OS's do, so let's hear how evil Linux is, and how it should be destroyed before it destroys the world!!!! ....or, we can all act like adults and face that no OS is perfect and all OS's are written by PEOPLE that do make mistakes!!!

Oh joy! (0, Flamebait)

1_interest_1 (805383) | about 10 years ago | (#10272559)

Damn people, come on!

First we bitched at Microsoft for being so lame, but we can't share the same sentiment with an open source project?

Wankers!

Overflow testing (2, Insightful)

phorm (591458) | about 10 years ago | (#10272605)

How hard would it be to write a program that could be used to test apps against buffer overflow errors? This should be given the source of the app, where one could exclude various procedures (i.e. when the calling procedure already tests for overflow).

Difficult, impossible. Helpful or useless?

I'd imagine that with such tools hackers could also test your code for overflows, but if it became mainstream to hardcore test for such things then perhaps they wouldn't have the opportunity.

deja-vu (0, Redundant)

Performer Guy (69820) | about 10 years ago | (#10272616)

I have a strange feeling of deja-vu, but something's different, almost like they've hacked the matrix, hmm... that's it! They've hacked reality to move the vulnerability that was found in Windows only days ago.

This is getting serious, somebody check the windows, quick!

Blargh (-1, Flamebait)

Anonymous Coward | about 10 years ago | (#10272691)

Of course.

Windows Vulnerability: OMG FIREFOX 4EVER!!!!!

Open Source Vulnerability: Oh, it's normal for software to have bugs!