Message-ID: <54691022.1070406@internot.info>
Date: Mon, 17 Nov 2014 07:59:14 +1100
From: Joshua Rogers <oss@...ernot.info>
To: oss-security@...ts.openwall.com
Subject: Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less

On 17/11/14 07:43, Michal Zalewski wrote:
>> However, even if tools like file/ndisasm/gimp/readelf can be used by
>> many (w/o strong system isolation boundaries) to analyze untrusted
>> inputs (for reverse engineering, malware analysis and similar
>> purposes) - I'd simply put a blame on those users
>
> Well, it's always the easy option, but keep in mind that there are
> countless tutorials that tell people to use 'file' or 'strings' to
> examine sketchy files, or use tools such as objdump to do hobby
> forensics.

I agree with Michal on this. It's like saying it's Ritchie's fault that C does not have inbuilt bound checking, allowing for buffer overflows...

I won't really expand on this, but my opinion is that _any_ program that is 'trusted', such as `file' and `strings', that contains a flaw in it that could pwn the running user, is a security risk.

I'll also add, from the `file' manpage:

> There has been a file command in every UNIX since at least Research
> Version 4 (man page dated November, 1973). The System V version
> introduced one significant major change: the external list of magic
> types. This slowed the program down slightly but made it a lot more
> flexible.

`file' is also used by the internals of most programs that handle any input, too. Or some variant of it (probably libmagic).

And one last point... `vlc' is used with untrusted input (i.e. .mp4s, avis, mp3s, etc.). If somebody gets pwned because they try to watch a video they downloaded, is it their fault?..

Thanks,
-- 
Joshua Rogers
<https://internot.info/>