[sf-lug] bad news for streaming media users

Rick Moen rick at linuxmafia.com
Sat Dec 17 15:13:23 PST 2016


Quoting Akkana Peck (akkana at shallowsky.com):

> Thank you, Rick! I get so frustrated by these "all Linux desktops
> are vulnerable" articles that give no clue which components are
> actually involved in the exploit.

More than that:  The stories also typically fail to cover which
configurations are vulnerable, how (if at all) to mitigate the
problem if present, _or_ how to test a system to see if the problem
really exists locally.  Instead, most just throw out a generic
'update/patch your system'.

I had a close-up view of this problem while doing PCI (Personal Card
Industries) auditing and mitigation at an online merchant bank my $FIRM
operated -- i.e., a subsidiary that handled online credit card
payments.

Every time an audit found potential problems, the first thing you had to
do was _attentively_ read the CVE.  Then, you study your local systems
to find out whether the distro's packaged software is _generically_
vulnerable, and then (if so) whether your local configuration evinces
that vulnerability.  If yes to the latter, you then see if there's 
an easy / reasonable way to scotch the problem with a revised
configuration.  _Frequently_, the answer to the latter is 'yes':  
Distros' overfeatured defaults can often be locked down to great
benefit.

There's a lot more to interpreting security articles, such as taxonomy:
local exploit, privilege escalation, DoS, XSS, etc.  Some are a _lot_ 
more meaningful than others.  I'm not going to go into details here: 
It might make a good article, though.

> I have one remaining question: you mention the exploit depends on
> Gnome Tracker, but the article says that Ubuntu desktops are
> vulnerable. Does Unity also use Gnome Tracker, or is its search
> software vulnerable in the same way as Tracker?

I'd have to start at the same from-scratch-no-knowledge point as you do, 
in researching that question.

Web-searching

  ubuntu unity tracker

...finds a Ubuntu Forums post from 2012 complaining that Ubuntu Unity
lacks "a default index search feature to search all files, which to me
is a big step back for a modern OS, and so I am installing Tracker
manually. However, there appears to be no replacement for the Tracker
search bar which exists for the Gnome panel."

https://ubuntuforums.org/showthread.php?t=1955299
That was from user 'sambhogi'.  sambhogi, be careful what you wish
for.[1]

Also around that time, Alessandro Bruni proposed Tracker for inclusion
in Ubuntu Unity, along with a 'lens' (UI glue code):
http://alessandrobruni.name/software/2011/11/21/unity-tracker-lens.html
Did they ever go ahead with this idea?  I don't know.  Ask Canonical, or
try doing 'dpkg -l | grep tracker' on a system with Unity, I guess.

> Oops, make that two questions. Is gstreamer-plugins-ugly as unsafe as
> gstreamer-plugins-bad? I do use that, for mp3. Though generally not
> with files downloaded from random untrusted websites.

Again, I'd have to research that from scratch.  However, a few seconds
of searching suggests that the 'ugly' criterion concerns licensing that
has problems rather than quality problems.
https://gstreamer.freedesktop.org/modules/gst-plugins-ugly.html



[1] Using the word 'Tracker' as a name for a piece of software makes it 
difficult to Web-search on.  Ditto for 'Unity'.  I've often thought it 
would be interesting operating a consultancy advising businesses on 
how to name products/services so that they're difficult to find
out about on the Internet.  In a way, this is not entirely a new idea:
It was one of several tricks Intel Corporation used to dispose of its 
existential PR threat from the Pentium F00F bug that came to light in
1997.  The F00F bug made all Pentium and Pentium MMX machines remotely
crashable across the Internet.  The wags called it the Pentium
Halt-and-Catch-Fire bug.

Intel pulled off two Jedi mind tricks, to dispose of the problem:

1.  It published a collection of "Vendor Statements" on its Web pages
from OS authors, with the first two, BSDI and Linux saying "We patched
our OSes to prevent this bug from being exploitable", and all the rest
saying "We're working closely with Intel...." (Meaning, "We're caught
with no remedy and no plan to acquire one" -- except Novell,
which clarified that NetWare is unaffected.)

2.  It consistently referred to the chip bug as "Pentium Processor
Invalid Instruction Erratum" -- making the bug sound boring and also
making it difficult to search for.

These two evasions saved Intel a huge pile of money, as they eased
pressure on Intel to recall and replace tens of thousands of
already-in-use CPUs.  It probably saved the company.

History of that on the Bay Area LUG mailing lists:  "F00F Bug" on
http://linuxmafia.com/kb/Hardware/
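The triage order described above (is the distro package installed at all, and if so does the local desktop configuration actually expose it) together with the 'dpkg -l | grep tracker' check, as an added shell example that is not part of this thread; the package-name patterns and autostart paths are assumptions following Debian/Ubuntu conventions of the time:

```shell
#!/bin/sh
# Constructed triage helper, not code from the original thread. It separates
# the two questions the post raises: is the distro package installed at all
# (generic exposure), and is Tracker actually wired into the desktop session
# (local exposure). Package-name patterns and autostart paths are assumptions
# following Debian/Ubuntu conventions of the time.

# POSIX ERE for the packages discussed; tolerates the ":amd64"-style
# multiarch suffix that dpkg -l appends to some package names.
RISKY_RE='^(gstreamer[0-9.]*-plugins-bad|tracker|tracker-extract|tracker-miner-fs|tracker-gui)(:[a-z0-9]+)?$'

# Read `dpkg -l`-style lines on stdin; print "name version" for installed
# ("ii") packages matching RISKY_RE. Exit status 0 if any matched, else 1.
installed_risky() {
    awk -v re="$RISKY_RE" '
        $1 == "ii" && $2 ~ re { print $2, $3; n++ }
        END { exit (n > 0) ? 0 : 1 }'
}

# Autostart directories are given highest-precedence first (user dir before
# /etc/xdg/autostart); the first file seen for a given name decides, and an
# entry carrying "Hidden=true" is treated as disabled. Prints the active
# tracker-*.desktop names; exit status 0 if any, else 1.
active_tracker_autostart() {
    seen=" "; found=1
    for dir in "$@"; do
        for f in "$dir"/tracker-*.desktop; do
            [ -f "$f" ] || continue
            name=$(basename "$f")
            case "$seen" in *" $name "*) continue ;; esac
            seen="$seen$name "
            grep -qi '^Hidden=true' "$f" && continue
            echo "$name"; found=0
        done
    done
    return $found
}

# Live run, only where dpkg exists (the functions above also work on
# captured `dpkg -l` output from another machine).
if command -v dpkg >/dev/null 2>&1; then
    echo "== installed packages of interest =="
    dpkg -l | installed_risky || echo "(none)"
    echo "== active Tracker autostart entries =="
    active_tracker_autostart "${HOME}/.config/autostart" /etc/xdg/autostart \
        || echo "(none)"
fi
```

A package that shows up in the first list but has no active autostart entry is the "generically vulnerable, locally not configured" case the post distinguishes; the reverse never occurs, since Tracker cannot autostart without being installed.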
