Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Code Flaws Open Linux Apps to Attack



 By: Daniel Drew Turner
2004-09-17
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Code library problems could affect open-source programs that use the graphical user interface toolkit GTK+, causing a denial-of-service attack or an integer overflow.

Vulnerabilities in code libraries that could potentially affect open-source programs using the GUI toolkit GTK+ were reported on the security Web site Secunia on Thursday. As initially discovered by Chris Evans, these problems could theoretically be exploited to spark a DDoS (distributed denial of service) attack and otherwise compromise a computer system.

One vulnerability, which affects BMP image processing in applications, could be taken advantage of to create an infinite loop in the application. This could affect open-source image editors, for example.

Two others rely on handling errors while decoding images in the XPixMap (XPM) format developed in 1989. These vulnerabilities could be exploited by the use of an XPM image to create either an integer or buffer overflow, either of which could allow the execution of malicious code.

Resource Library:
Read more here about integer overflows.

One of these library routines, GdkPixBuf, is also used in Gnome 2. Gnome is a Unix and Linux desktop suite and development platform thats used by Sun in some Solaris desktops and in many Linux desktops.

A final vulnerability works in decoding ICO images, which are used to create and display favorites icons ("favicons") for Web sites. This also could allow a maliciously crafted ICO image to cause an integer overflow, which could cause the application to crash.

But according to Chris Hofmann, director of engineering at the Mozilla Foundation in Mountain View, Calif., the Firefox browser is not vulnerable to a security breach over the Internet, as was recently reported about Microsofts Internet Explorer.

Firefox and other browsers based on the open-source Mozilla code base use the affected libraries only for processing images from the users own computer. These browsers rely on a Mozilla cross-platform image library for decoding images downloaded from the Web.

"The way we treat vulnerabilities, if someone can get to your hard drive, they have the capability to compromise your system in any number of ways," Hofmann said. "The only way for an attack to occur in this case is for someone to get onto your hard drive and put one of these images there and get Firefox to open it." He said all productz based on Mozilla technology—which include the Mozilla Suite and Netscape 7.2—exhibit the same security level.

As of this writing, no updated versions of the affected libraries have been released.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

Be sure to add our eWEEK.com Security news feed to your RSS newsreader or My Yahoo page



  Reader Comments: Code Flaws Open Linux Apps to Attack
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Daniel Drew Turner
 


x}r㶲s\@♵M=Ҕlc,/K3ΤN"!1Ej//Oo<xӅ|x=NƖnt7F?;;~$rI56%SEo]"I~xC(`RϩIzNڶ? }~mksu;#|6%?w *s=NN5K&OxgMlM1eck`p,FcwM5d{9B ~56(CJevw ZwO~Vh;⻶eMGao}{Xe;7 CxKd/B(?F#c8CvN?<3τPcwҴ@Sա*v25v+n /@^c\ȁY{4_M*> L=iTVE;&3ítf?Dk N\^ ZSˆ螥{ɧ5f5I ` 1l{`<JHn6,!\ZJ`^<{mRUP)kJvo-to}rwNe,oFuޙRV5MQjy"G mݹжD^׵V贏.Iw?9N6 |'L R*rP8&ȇ Ԙ8jjg`a%JV4E; KHr gSd!XI#/YTU![c:./.۽鷎N/ۭd̲1<JEӀ Zvb!?XW㫧kqGN}!+|q!5M0\ܱ:֪o~;c!nj dPp9LwjT{dG/-2 ୋOg#dp$cisF {[-t[[9K }!zc)!,_ f kķLJo$SNE ;- uͪZ*G`K7SI_s릞;nZK}0[=RF&\ ДaC׼gMab&DJH7є6)`I˪ TI%嗋mQa>]R${3BDȍ`g@ BD4?CzC0&pt/\~5M.΃awWʲ9QY +K\M흚ޢG\z'fe..~zLqJjpX.B2iKB0pjꛛZ\MfzPb(7ZdL,5,ϘR7HA^gwtA`::)~ѧ|>5և$!|Бdmxq-Z.S+ЍEXn`vt&hQp{4ڭm= K!pI}xXS9&zt@۠h&r=kIׇ.[??  G`pn]& xk =`DVt#` V< 2/?>axs݀ܧP}-`sDo7eC97(w3JdN˕ },@FH~Ot"AђF *4 gsCX"K"'Aw;.VKŤ\*y"JM':ܱ;PKRx&,S,BV-KᗄPf%i2mlƪń(VFNl(0Vn)MG3{D&f+Lo>L>hQoĸGF6}Sˀ)4+9pPs >`|=50Xհݹ2|dܣ%}?p*JNCjVzv}f7MAV?Ty |9p‡9E#rUϚX 5<.&B#5wCʚLr畔UIY(iJSլ LoyC).EwJl㜜;F]s;tOִ=/OJb-yhֽ Uv/:A']օVPK=o@xC dX{K/,è+AJK_ji tsaŰ,Bl62ei[Fߪ%M*V+Wbzg\K(Ք6 [IF|x|3 kQDz3OD<}:LGtф0ې l1)>A TXäԪ)X[3T2.Q\&V,'`#z3F K׾,Y\Xϖ+75e"@0oʵ{Luzh< VȲO[:٤ RTw֐a6,ƴO~5<2eX]2XrGmٔAutn\ߓ09CL-g@:*XC c"Dk_(+ `kAܧ^۬"%w.Bāh.Z6[\So==>ئ\Q݀+ RN0m)Xk±&>,<<+ڂh0A  ~HLbР L@U.(L19r2b*XPTB$ᦼ6t_ĒbtXQ =j={e|h322 yㅤZ JLarheU-UjR9_V2:EƟQpV6ʼnG -q?@*:2 X\[ 0(E{h0 qDLҀJ 5^ƙd)baJ)?oZySYf0`9l* ?ŤD LkQsGŅ5 {é#fuMaFžJV-=oyE0s-fdaD4@w-bC-YM~gӭH5ysV9y]%fZ+a1yXUztqlFIdgf'ܪ+_L}ˀGeyM?ܛZIc="JL7O<sƃ~ٷ"y@*J=Dq?n216Ym/PG]մR ƗɘBÜOb >A֌M: ls0USfyr;Wk*k.zuz>@d􎯌B-s# dKc0g' Yn:AjAy̧`꙯fZMfO4D|\D"p-nōapzGdD"9zB*>|/I6a%|[JI) `uVDZ)~9HǞ1}]ܙe>t1G8*z)OcʜEo(SYmq'&F.҄^ߵ\f6}b;_&*|12SG)Z|b\).3zz`WPjjzL*>ɧMC 7PR[#^$}=֢,A$UP*jIIz$ :{\bke`WPF4`W&{ڜx&\_{sƋ(b)Q^rSW"&wD<7Ϩ;}Nb4PG }f qg5iv80xX N zW8pL\'eM=J6z7EM+v@l+J9wwGc&Q@Z#GYdQ.|eR)*`7$ɠK= j ;! |V n& ]wᳳI?`yAn8Q{OyKJ:^9 5YF>9:k5/ÏM1k0fhR`QfjmX#ǎFD/!B2.%g^|%V}Xhr!slP6h4'lCꏝ/A֭ Bf/3bB!|J9ͫ|1{~U*۞N #H1?g'q?Iȸt2Ti 'sXsw{ѺB ?݁Co5^Y =} DK{,qj;;?PzsRɕei:;SM`]yF<.ď-㇦;-QL.9Iߺ$/SP+=Ƃ'z =G7om\>eNx?HАXc=p>}挜00;z[oue's C7+۝t9niamǡ80Nt,4P$yUZ/WU $d% >Yx2&lul臵4/ Z-3'K-h np8?[&Pa2OZf]Ŭ0/rmԑ!Yl JE[_n:|2|@ *|k E41vHG7{I}:sˡRs;!%2w;SZDN%1w}.h`'`@܂וعa]) .w2g@]X l)KR*}X=&NO=(}ILNr0k_Bd dAWAgS Lv R]n! hpAh˄Ӕ׆.*Ob>@=zg[Qb\P?Z'IET_p&ǫǭ(5XێOH,Ilv= Rc58y6QRKZ?iNd?6#^r^xjl{";'g7XzhW+ĞG{yFd /6r98 b2a7$q(hhXyo<h@<,|7o uGm64$hEI ^Ow.Pbk(Y [c6`MCPRO:</Ӥҙ5~,7RXU3X0^"dDeM8hf+,iݫ`gOHǓWD)'lcHF;/יĒkK͡;PRXPKj BuOD^=!D]GUmS*>[}-$j3yU/}'&%U+N96% Hi*8ȱ0>}cӚ/9o][1ߺ'~+sqZK ,7<3 D8 "ץ%B87#U%EʦT~vF:a˱6oM+@bA ?gIp>`T"  A G'z]̴=!Blwc7b6e -'",_=e=:OC޿6{6QGFu|2.v\k\ Hx@]++++?+U*U^X}>sx" 5XĤa~_uӾ >c`8(5@GQJ||"ᰈEBXDZ?_;M1u#IJQmU@|)&(@EPKh~L.JZ ǽۓ]mI-yI}$ 8K)8 =,ᶀ>w{_rkK/x2 _w¬ 6Eu]a^3JQzIX4o8r قH/q;J*2 )=cF7I)*a2I _˔s`"Mjm8OpҢȬP0M T Ą钪ڨn|Wȼ_Gc G[Tyse4RVI:"܄WH,,x+16*:Ot/w'hY$TȅN>5ڒKĻ.PW.7Chd7@ABQbyӌL9+-\3~~( !ĪA@FOo{66)rqU $M*ŕIF=Ǘzh;$% 1BQVk"'`X#t mS#N͚|9^!$$u(mȑ7FEwmSkjRF֛`R5 Ϡ Z -$>7-J},v#Hx{ksaw֑ p׽2AX^oίݱ[)i%%GnMQ+X1AcW+2.JstKzM\"ūNMV3+ķr4 ̴/H`JI|7*DiJ)b y7BSk(Y3^$Iͽڦ/h P|F0G c xQ| [~1{tХTioJY0VC|_~YcgD6byfph֒_fX9+l%I"q0Mu4QqD3goo $Xz["-K,K`tsפ{ |:O 87eQ@|Ҟ_FCW-N /*`D6YNړUiİOKOX ђ,#Ћ'g:dsku6 K"8? <3hZ"|׷ 3.NdãEzmOӪ{ esv7>kE_A-״jgϡ{| =j٧!;OIclP~"o{?A* nO2 O=bD)3[ (oCu&o[yωˎD#? K&*ǝ5^;;-/0_" ~1VqW;]d'|]㎈1bݵ+RZ-3 x䏅Yb,r]3#)5|5X\Rw (g*׶'q'"j\ıjs+A#샒=%h٭Q? ,q)Dso>?Ñ:-KVAXz- ADDNE0H^XA0+/pD]bɤ1^Pl&qn/n \95͂E / tMc%5"U(5ub?=G/ttAk-c"]J1x~[N֘12h*B UٜA5]RU BIWs_OkpƝ6}Oj6j=!`5?؅_n&,m'hzBRKo^9m̥ͪND`h*w~ 1}>mHt>A;Э%9bYӹn>c:u_`ci;t]ktKs>н3Bs^?busι\`{Ű|kEZ`3+nslKZIȶ8+ilwAQg)q8 @dD+9mFݚz_!ƄugkJ!>!S/ L%& H!4w#\CP |@S7OR(iUeAb+;Y kb^s<ҁ+qܒ:e\z6 (17`(8N9L}x+{VzK"?{| ̋XL t4*$:WmA=~|DLRO/\ND _ _!߰,VIm{7R[ $y(?ZED & quj}D~hyw[= dyޝ g7{S]G h}{ Ó 39asH ]TWUYSg+:e1q {χ\oX|J7"75|$rkqC9Ҕ]&6꭫=0"}~! L-Ǿ DrǤ"c*41GJ[!}ɹcMNZpxXҚ:e k(E$Y c#ϝF$hD1fxװÞ1;TO{N5CN{ =۾`bWoP$P`+wdcF||9 0G/cD49tQ:..( oI[PXP؟?pk2%H0Z9on`6s}`EP00apLoѧ~;]_fu:ROLSK%ΨfldaQ({b8M u߃3,ȏKlݜ(8Sj1I(tCK/HzsZamday~X&H_PbJU(IhRW|:P |+R0cU-%N+ߺcoS>wV7_X[ z+i+ 9Iˑ;}^o(M#&O=lFL\r5g_I4eEz{G~{N[g+2ʿ@g,>vNtNɂdзdЧw2v2O ?CS(?(#坌r=9ϐsBf.n~ x"K  {/>_?B?}P9g ]AUV9U^AW_]e_ryʛrּ)aFy)8RErXBdנS\ȜHWɴVی xFUyD4k{HO8eIb.AV-cLS;J%=q*%.n ۍE9xL| ~iMnڧ\Dpqk;ُϋGkwՕƊ |3b 5I&OxVfw2j{4qa ^xwJ nAmzO4`.ϛg{̧dA]eGӠ[Y"B8#0dH= w30vڢ{衜+ 7\xď;cv@7maIfT.jZQo\)Uʹw俓K$2^G b3jJ]NmJTL3BAzG l]{J̾ZCO3CX)ḅ}̺l5@ P1=:veǬ<*ۼx`T;i@18Lo9Xj,.#vR'Q!+fxi;񢭴hcƥ 6%dή1vuĿO6y0p&ӄY"DӼ&nhlգ{7h9ır(9Pųl1@Щ>7gɬB΄[4п}s%(u575t0=_2u–'*F'Bސ_\$ǖ~}IZ\#u{Ī;4yxa޷./]C?w Ńq`a\m8JI(q0>f@Z/`51uw|JM̸&$] 11x$>}t 1-XZo.TùLH Waw}ס e4joX9VX#e m_0S&g}Az=o[a`a?>V@U}C 1,OItZзkdY9ٖxU h$Ο6=j"6: gCbB KPRJVr.Q ?nfoUނ#1b9?"ㅰxo!qa'R1<zH|c,XoMT*L[ |QKڼAN$KY[zQؗE@1agGێf*io @BW? /X)un'|o|F,kkl`vB`)`"sC@_\2R*4%NSxsEz?3& Mיaz:SAW(9|x@loM{lj_ԕU`7g#~"VœA6np8!(_Eْ+0u6ܨNAEVb0yM&p ?dtE#bSp!@>pM֧2QTD Q)ۉYbd휙o-r xgsg_(LOWvm:y@t ] D hC'+_2uE>v/-J^S.u 7tleb @Oq Nܓ mE73D*}}X^c 0У,*08u vKѪ V7"`aV1n,ـ9&@r=Vcm;pSz2  ѨpSTVD'S^m'gF$難me#FP1W ?$Il} ralX ^|޹+o=Љe6;3G_]g0^l,eH&}+qd.DI qk.-wvua4,Lb9"[^QI(`жX3|"@a)5gn~ӧf<˜4W6IĶqyntµ-ˑ;gy/|[z70XjPo''yQs3=y9w:v0~ar8Lt4QS|oe1afrYW`0-Z.<'̳(`,fٵ\RKnrmm#{ )60MÄrM"5roq=yeՙJ pK8 g!0X^Zɩȩ(v}_|JѬd;j +s{Og |>":0X+n:' wX;yB(O}i}!3L*`Ngo>!2D!6xViEQ{ş׼yeVQ)ZN $RzdEgO 6A|>ǐy6xL 2V*wV㛼VtƦI:1qzRSFs0v&b(16lS24K_hjJlxTʉq07Nw6̈́ В^&ŮvbecL*