
Re: Vulnerability for Streaming Media users

From Richard Kettlewell <invalid@invalid.invalid>
Newsgroups comp.os.linux.security
Subject Re: Vulnerability for Streaming Media users
Date 2016-12-17 15:29 +0000
Organization terraraq NNTP server
Message-ID <87d1gq4lr8.fsf@LkoBDZeT.terraraq.uk> (permalink)
References <o32hbg$f3e$1@dont-email.me> <o33gos$6ac$1@dont-email.me>



Aragorn <thorongil@telenet.be> writes:
> Bobbie Sellers conveyed the  following to comp.os.linux.security...
>> The knowledgeable sorts who inhabit this Newsgroup can
>> discuss this at their leisure.
>> 
>> If your desktop runs a mainstream release of Linux, chances are you're
>> vulnerable.
>> 
>> <http://arstechnica.com/security/2016/12/fedora-and-ubuntu-0days-show-that-hacking-desktop-linux-is-now-a-thing/>

    The zero-day exploits, which Evans published on Tuesday, are the
    latest to challenge the popular conceit that Linux, at least in its
    desktop form, is more immune to the types of attacks that have
    felled Windows computers for more than a decade and have
    increasingly snared Macs in recent years.

Nobody who has been paying attention will share that particular conceit.
People have been identifying vulnerabilities in media and image codecs
for many years.

> From the article...
>
>     "This time, the exploit takes aim at a flaw in a software library
>     alternately known as Game Music Emu and libgme, which is used to
>     emulate music from game consoles. The two audio files are encoded in
>     the SPC music format used in the Super Nintendo Entertainment System
>     console from the 1990s. Both take aim at a heap overflow bug
>     contained in code that emulates the console's Sony SPC700 processor.
>     By changing the .spc extension to .flac and .mp3, GStreamer and Game
>     Music Emu automatically open them."
>
> Sounds to me like one needs to explicitly have those two libraries 
> installed, and I would wager that not everyone does.  And of course, 
> this being FLOSS rather than proprietary software, this vulnerability 
> will probably get fixed in no time. ;)

It’s one library.  The usual reason for installation would be as a
dependency of something else (either a media player or a media toolkit).
Consequently nearly half of Debian installs, as measured by popcon, have
it installed; the situation is probably similar in other distributions,
perhaps higher in desktop-focussed ones.

-- 
http://www.greenend.org.uk/rjk/
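The quoted article makes the point that renaming an .spc file to .flac or .mp3 does not stop GStreamer from handing it to libgme, because the decoder is chosen from the file's content rather than its name. The same observation can be turned into a defensive check: sniff the leading bytes and flag media files whose header disagrees with their extension. The following is an added example, not code from the thread or from GStreamer/libgme; the magic values are the well-known SPC, FLAC and ID3/MPEG headers, and the function names and sample data are constructed for this example.

```python
import os

# Leading bytes of each container (well-known format headers, assumed here).
SPC_MAGIC = b"SNES-SPC700 Sound File Data v0.30"
FLAC_MAGIC = b"fLaC"
ID3_MAGIC = b"ID3"


def sniff(data: bytes) -> str:
    """Guess a content type from the first bytes, or return 'unknown'."""
    if data.startswith(SPC_MAGIC):
        return "spc"
    if data.startswith(FLAC_MAGIC):
        return "flac"
    if data.startswith(ID3_MAGIC):
        return "mp3"
    # Raw MPEG audio frame without an ID3 tag: 11-bit frame sync 0xFFE.
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"
    return "unknown"


def extension_type(name: str) -> str:
    """Type implied by the filename extension, lower-cased, without the dot."""
    return os.path.splitext(name)[1].lower().lstrip(".")


def mismatch(name: str, data: bytes) -> bool:
    """True when the sniffed type is known and differs from the extension."""
    detected = sniff(data)
    return detected != "unknown" and detected != extension_type(name)


# Constructed samples (not real files): an SPC header renamed to .flac,
# plus a FLAC header and an ID3-tagged MP3 header with matching extensions.
SAMPLES = {
    "track.flac": SPC_MAGIC + b"\x1a\x1a" + b"\x00" * 32,
    "song.flac": FLAC_MAGIC + b"\x00\x00\x00\x22" + b"\x00" * 32,
    "tune.mp3": ID3_MAGIC + b"\x03\x00" + b"\x00" * 32,
}


def suspicious(samples=SAMPLES) -> list:
    """Names of samples whose content does not match their extension."""
    return sorted(n for n, d in samples.items() if mismatch(n, d))


if __name__ == "__main__":
    for name in suspicious():
        print(f"{name}: content looks like {sniff(SAMPLES[name])}")
```

Such a check is only a triage aid: a decoder that selects on content will still open a mismatched file, so the real fix remains patching the library.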



Thread

Vulnerability for Streaming Media users Bobbie Sellers <bliss@mouse-potato.com> - 2016-12-16 21:11 -0800
  Re: Vulnerability for Streaming Media users Aragorn <thorongil@telenet.be> - 2016-12-17 15:07 +0100
    Re: Vulnerability for Streaming Media users Richard Kettlewell <invalid@invalid.invalid> - 2016-12-17 15:29 +0000
