[sf-lug] bad news for streaming media users

Rick Moen rick at linuxmafia.com
Sat Dec 17 01:01:46 PST 2016


Quoting Bobbie Sellers (bliss-sf4ever at dslextreme.com):

> Hi LUGers,
> If your desktop runs a mainstream release of Linux, chances are
> you're vulnerable.

Actually, only distributions furnishing GNOME desktop _and_ GStreamer
_and_ the buggy, unmaintained gstreamer-plugins-bad plugins, _and_ the
user is using the Chromium Web browser or its Google Chrome proprietary
variant.[0] 

> <http://arstechnica.com/security/2016/12/fedora-and-ubuntu-0days-show-that-hacking-desktop-linux-is-now-a-thing/>

The proof of concept relied on a Chromium / Google Chrome browser
misfeature permitting forcing of downloads without notifying the user
(i.e., a Web page instructs the browser to download a file -- bad!).
GNOME's Epiphany browser also has this misfeature.

That's _one_ flaw that gets used.  The _other_ is a badly designed bit of
GNOME plumbing called Tracker:  'Tracker is a search engine, search tool
and metadata storage system.  It allows you to find the proverbial
needle in your computer's haystack as well as providing a one stop
solution to the organisation, storage and categorisation of your data.'
(https://wiki.gnome.org/Projects/Tracker)  Tracker can be easily fooled
to search and index a downloaded alleged .flac audio file that actually
contains deliberately malformed Super Nintendo Emulation System music files 
and pass them off to very, very buggy SNES emulation code (Game Music
Emu) that is included in gstreamer1-plugins-bad.

By the way, Arstechnica author Dan Goodin errs slightly in asserting
that Fedora is vulnerable by default, because Fedora splits
gstreamer1-plugins-bad into gstreamer1-plugins-bad-free and
gstreamer1-plugins-bad-free-extras -- installing only the former by
default.  Since the Game Music Emu plugin for GStreamer is in
gstreamer1-plugins-bad-free-extras, it will be installed only if the
user goes out of his/her way to add it.  (Dan Goodin is an excellent and
reliable author, though.)

GStreamer's plugins include lots of other questionable code, and it's
incredibly bad to simply hand untrustworthy public Internet files to it,
but that's what GNOME w/Tracker (and Chromium / Google Chrome) does.


The larger context of this:  Public files off the Internet just 
_cannot be trusted_, and IMO the less automated handling and processing
of such files by easily-fooled desktop software the better, _and_
allowing handling of such files by buggy software never designed to be
directly exposed to the Internet (like Game Music Emu), the way Tracker
does, is madness.

The easy way to avoid such problems:  Don't use GNOME (or, for that
matter, other noted CADT software[1]).  Also, if you use Chromium (quite
a good browser generally) or Google Chrome, disable automatic
downloading, i.e., Options -> Under the Hood -> Download, check checkbox
for 'ask where to save file before downloading'.


[0] Some of the badness described is possible without the
Chromium/Chrome autodownloading functions, by the user manually choosing
to download the file and then Tracker processing it, but I didn't want
to get into that.

[1] https://www.jwz.org/doc/cadt.html





