


Re: Vulnerability for Streaming Media users

From Aragorn <thorongil@telenet.be>
Newsgroups comp.os.linux.security
Subject Re: Vulnerability for Streaming Media users
Date 2016-12-17 15:07 +0100
Organization A noiseless patient Spider
Message-ID <o33gos$6ac$1@dont-email.me> (permalink)
References <o32hbg$f3e$1@dont-email.me>



On Saturday 17 December 2016 06:11, Bobbie Sellers conveyed the 
following to comp.os.linux.security...

> Hi readers and typers,
> The knowledgeable sorts who inhabit this Newsgroup can
> discuss this at their leisure.
> 
> If your desktop runs a mainstream release of Linux, chances are you're
> vulnerable.
> 
> <http://arstechnica.com/security/2016/12/fedora-and-ubuntu-0days-show-that-hacking-desktop-linux-is-now-a-thing/>

From the article...

    "This time, the exploit takes aim at a flaw in a software library
    alternately known as Game Music Emu and libgme, which is used to
    emulate music from game consoles. The two audio files are encoded in
    the SPC music format used in the Super Nintendo Entertainment System
    console from the 1990s. Both take aim at a heap overflow bug
    contained in code that emulates the console's Sony SPC700 processor.
    By changing the .spc extension to .flac and .mp3, GStreamer and Game
    Music Emu automatically open them."

Sounds to me like one needs to explicitly have those two libraries 
installed, and I would wager that not everyone does.  And of course, 
this being FLOSS rather than proprietary software, this vulnerability 
will probably get fixed in no time. ;)

Nothing man-made is ever going to be perfect, courtesy of the 
fallibility of the species doing the creating.  In addition to that, 
certain individuals and/or organizations also engage in deliberate 
attempts to exploit weaknesses in the software ─ whether out of concern, 
as a proof of concept, or whether so as to make a case for their 
commercially sold "software protection suites".

Another aspect is that the more GNU/Linux gains in popularity, the more 
truly malevolent people will be trying to exploit it by finding 
weaknesses ─ criminals, alphabet soup agency spooks, you name it.  
That's a given.

Lastly, Ars Technica is pretty decent for a mainstream news source, but 
most of the times, the headlines of such news are deliberately 
misleading out of sensationalism.  

An example of this would be the news that appeared recently about the 
initramfs vulnerability, which was advertised in most mainstream media 
along the lines of "Hackers can gain access to your system by a 
vulnerability in <mumble>".  That's misleading because, no, they 
couldn't. 

One needs physical access to the machine in order to gain root access 
that way.  Nobody on the internet is going to be able to exploit that.  
But the headline drew more readers onto the article, and that was the 
sole intent.

Humans are very good at lying to each other.  And why wouldn't they be?  
Most of them are equally good at lying to themselves, and they're not 
even aware of it. ;)

-- 
= Aragorn =
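The article excerpt quoted above describes the delivery trick: an SPC file renamed to .flac or .mp3 is still handed to the Game Music Emu plugin because GStreamer sniffs the content rather than trusting the extension. The following is an added example, not code from the post, from Ars Technica, or from the GStreamer or libgme projects; it shows a defender-side check that flags files whose extension claims FLAC or MP3 but whose leading bytes carry the SPC magic string. The magic values are the real ones (SPC files open with "SNES-SPC700 Sound File Data v0.30"; FLAC streams with "fLaC"; MP3 files with an ID3 tag or an MPEG frame sync), while the sample files are constructed in a temporary directory for the demonstration.

```python
# Added example (not from the newsgroup post or the quoted article): detect
# SPC files disguised with a .flac or .mp3 extension by comparing the file's
# magic bytes against what the extension claims.
import os
import tempfile

# Real format signatures (assumption: checking only the leading bytes is enough
# to tell the three containers apart for this purpose).
SPC_MAGIC = b"SNES-SPC700 Sound File Data v0.30"
FLAC_MAGIC = b"fLaC"
ID3_MAGIC = b"ID3"

# Extensions that a media player will happily sniff past.
AUDIO_EXTENSIONS = {"flac", "mp3"}


def sniff_audio(head: bytes) -> str:
    """Return the container type implied by the first bytes of a file."""
    if head.startswith(SPC_MAGIC):
        return "spc"
    if head.startswith(FLAC_MAGIC):
        return "flac"
    if head.startswith(ID3_MAGIC):
        return "mp3"
    # Raw MPEG audio frame: 11-bit frame sync, i.e. 0xFF followed by 0b111xxxxx.
    if len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0:
        return "mp3"
    return "unknown"


def claimed_type(path: str) -> str:
    """What the file extension says the file is (lower-cased, no dot)."""
    return os.path.splitext(path)[1].lower().lstrip(".")


def is_disguised_spc(path: str) -> bool:
    """True when the extension claims FLAC/MP3 but the content is SPC."""
    with open(path, "rb") as fh:
        head = fh.read(64)
    return sniff_audio(head) == "spc" and claimed_type(path) in AUDIO_EXTENSIONS


def scan_directory(root: str) -> list:
    """Return the paths under root that look like disguised SPC files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_disguised_spc(full):
                hits.append(full)
    return sorted(hits)


def demo() -> dict:
    """Build constructed sample files and report which ones are flagged."""
    spc_body = SPC_MAGIC + b"\x1a\x1a" + b"\x00" * 32  # constructed SPC stub
    samples = {
        "track.flac": FLAC_MAGIC + b"\x00" * 32,            # genuine FLAC header
        "song.mp3": ID3_MAGIC + b"\x03\x00" + b"\x00" * 32,  # genuine ID3-tagged MP3
        "game.spc": spc_body,                                # honest SPC file
        "innocent.mp3": spc_body,                            # SPC renamed to .mp3
        "innocent.flac": spc_body,                           # SPC renamed to .flac
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        flagged = {os.path.basename(p) for p in scan_directory(tmp)}
    return {name: (name in flagged) for name in samples}


if __name__ == "__main__":
    for name, bad in demo().items():
        print(f"{name:15s} {'DISGUISED SPC' if bad else 'ok'}")
```

The check deliberately does not flag an honestly named .spc file: the point of the quoted excerpt is the mismatch between what the extension promises and what the demuxer will actually load, so a scan of a download directory or a mail gateway would treat that mismatch, not the format itself, as the signal worth alerting on.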



Thread

Vulnerability for Streaming Media users Bobbie Sellers <bliss@mouse-potato.com> - 2016-12-16 21:11 -0800
  Re: Vulnerability for Streaming Media users Aragorn <thorongil@telenet.be> - 2016-12-17 15:07 +0100
    Re: Vulnerability for Streaming Media users Richard Kettlewell <invalid@invalid.invalid> - 2016-12-17 15:29 +0000
