Newly Discovered Ubuntu Vuln Allows for Code Execution Via Installed-By-Default NES Audio Emulator

networkworld.com/article/3141940/open-source-tools/super-mari-owned-startling-nintendo-based-vulnerability-discovered-in-ubuntu.html

In short, in Ubuntu 12.04, if you choose the option for installing 3rd party software during the install, one of the things that gets pulled in is not one, but two NES audio file players, the default being an emulator for the NES CPU that is used to play an arcane and practically unused audio format.

GG Canonical.

It's fucking nothing

So if you use a 4 year old distro for babbies and install a package they labeled -bad, you may have a security risk?

HOLD THE FUCKING PHONE

This is your brain on autism

What is the point?

I find security.gentoo.org/glsa/201611-10 a lot more interesting. SJWs BTFO.

It has this vulnerability because it's written in the C programming language.

Go -1
C - 0

Stay mad C fags.

-1 > -0
Checkmate, garbage collected poo.

When will linux distros actually get their shit together?

Make it trivial to install stuff that isn't in the official repos and remove most stuff from them.

OPEN SORES FAGS BTFO - AGAIN

The point is that using a bloated "Linux For Retards" distro 7 regular releases and 2 LTS releases behind the latest version may have security issues. They already stopped using it by default in 14.04 and phased the library in question out by 16.04.

Does that even matter if you're not playing NSF files? Just having a library installed that never gets used is pretty meaningless.

Why the fuck were those libraries for NSF included in the first place?

Not only that, you'd even have to write the payload in NES Assembly

It was part of gstreamer-bad meta package in that specific version of Ubuntu, so the package maintainer probably just threw every gstreamer plugin in there.

Debian is pretty adamant about providing packages that provide the same functionality. Is this issue Ubuntu only?

Wait, how does that -bad tag work? I remember installing something labeled like that a few days ago.

He's being a fucking retard. -bad is not a tag. It's just the name of the package. It's a joke name that references "The good, the bad and the ugly".
The other packages are called gstreamer0.10-plugins-good and gstreamer0.10-plugins-ugly.

Jesus fucking Christ, don't come to Holla Forums if you want to learn Linux. Stay away.

But I just learned something from you.

Nice, at least it doesn't have systemd

zless /usr/share/doc/gstreamer0.10-plugins-bad/README.gz

- gst-plugins-good: a set of plug-ins that we consider to have good quality
code, correct functionality, our preferred license (LGPL for the plug-in
code, LGPL or LGPL-compatible for the supporting library).

- We believe distributors can safely ship these plug-ins.
- People writing elements should base their code on these elements.

- gst-plugins-ugly: a set of plug-ins that have good quality and correct
functionality, but distributing them might pose problems. The license
on either the plug-ins or the supporting libraries might not be how we'd
like. The code might be widely known to present patent problems.

- Distributors should check if they want/can ship these plug-ins.
- People writing elements should base their code on these elements.

- gst-plugins-bad: a set of plug-ins that aren't up to par compared to the
rest. They might be close to being good quality, but they're missing
something - be it a good code review, some documentation, a set of tests,
a real live maintainer, or some actual wide use.
If the blanks are filled in they might be upgraded to become part of
either gst-plugins-good or gst-plugins-ugly, depending on the other factors.

- If the plug-ins break, you can't complain - instead, you can fix the
problem and send us a patch, or bribe someone into fixing them for you.
- New contributors can start here for things to work on.

NOT AN ARGUMENT

Not surprised, I worked on GStreamer for years, total shit show.

Not a meme

And you don't even need to open the files in totem or whatever.

Nautilus uses gstreamer to thumbnail media files, so navigating to a folder with malicious files is enough to trigger the exploit.

well the poor winfags in this thread need something to fap over between bouts of weeping.

Another reason to run
gsettings set org.gnome.desktop.thumbnailers disable-all true
if you choose to run Gnome
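Added example, not from any post in this thread: a small POSIX sh script that shows which file types a GNOME desktop will thumbnail without the user ever opening them (the drive-by vector the thread is talking about), by reading the `/usr/share/thumbnailers/*.thumbnailer` entries, and then prints the gsettings commands to switch that off, either wholesale (the `disable-all` command above) or only for the MIME types of one thumbnailer via the `disable` list key. The `.thumbnailer` format and both gsettings keys are standard GNOME; the two sample thumbnailer files are constructed here so the script runs on a box without GNOME, and which types totem actually claims on a given release is an assumption, check your own `/usr/share/thumbnailers`.

```shell
#!/bin/sh
# Added example (not code from the thread or from GNOME): audit what gets
# thumbnailed automatically and emit the gsettings commands to turn it off.
# Assumption: .thumbnailer files are INI-style with a "MimeType=a;b;c;" line
# under [Thumbnailer Entry]; sample files below are constructed for this demo.

# Print "mime-type<TAB>thumbnailer-file" for every entry in the given directory.
# Defaults to the system directory; pass another path to inspect a copy.
list_thumbnailer_mimes() {
    dir="${1:-/usr/share/thumbnailers}"
    for f in "$dir"/*.thumbnailer; do
        [ -f "$f" ] || continue
        # MimeType= holds a ';'-separated list; emit one type per line.
        sed -n 's/^MimeType=//p' "$f" | tr ';' '\n' | sed '/^$/d' |
            while IFS= read -r mime; do
                printf '%s\t%s\n' "$mime" "${f##*/}"
            done
    done
}

# Build a constructed sample tree so the example runs without a GNOME install.
# The MIME types listed are illustrative, not a claim about any real release.
make_sample_thumbnailers() {
    d="$1"
    mkdir -p "$d"
    cat > "$d/totem.thumbnailer" <<'EOF'
[Thumbnailer Entry]
TryExec=totem-video-thumbnailer
Exec=totem-video-thumbnailer -s %s %u %o
MimeType=video/x-fli;audio/x-nsf;video/mp4;
EOF
    cat > "$d/gdk-pixbuf.thumbnailer" <<'EOF'
[Thumbnailer Entry]
TryExec=gdk-pixbuf-thumbnailer
Exec=gdk-pixbuf-thumbnailer -s %s %u %o
MimeType=image/png;image/jpeg;
EOF
}

# Emit two gsettings commands: the blanket disable-all from the thread, and a
# narrower one that only disables the MIME types handled by the named
# thumbnailer (e.g. totem.thumbnailer, the one that hands files to gstreamer).
gsettings_disable_commands() {
    dir="$1"; name="$2"
    printf 'gsettings set org.gnome.desktop.thumbnailers disable-all true\n'
    types=$(list_thumbnailer_mimes "$dir" |
        awk -F'\t' -v n="$name" -v q="'" '$2 == n { printf "%s%s%s%s", (c++ ? ", " : ""), q, $1, q }')
    printf 'gsettings set org.gnome.desktop.thumbnailers disable "[%s]"\n' "$types"
}

# Stand-alone demo: ./thumbnailers.sh --demo   (uses the constructed samples)
#                   ./thumbnailers.sh          (reads the real system directory)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_thumbnailers "$tmp"
    list_thumbnailer_mimes "$tmp"
    gsettings_disable_commands "$tmp" totem.thumbnailer
    rm -rf "$tmp"
elif [ -z "${1:-}" ] && [ -d /usr/share/thumbnailers ]; then
    list_thumbnailer_mimes
fi
```

Note that disabling thumbnailers only covers nautilus; as a later post in this thread points out, tracker indexing is a separate path into the same decoders and needs its own switch.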

This same guy released another 0day exploit for a "good" gstreamer plugin today.

scarybeastsecurity.blogspot.fr/

This decoder is generally present in the default install of modern Linux desktops, including Ubuntu 16.04 and Fedora 24. Gstreamer classifies its decoders as “good”, “bad” or “ugly”. Despite being quite buggy, and not being a format at all necessary on a modern desktop, the FLIC decoder is classified as “good”, almost guaranteeing its presence in default Linux installs.

That's Chris Evans. He was one of the people behind Google's project zero.

Why isn't he responsibly disclosing?

you don't even need to navigate to the folder in nautilus. default gnome desktops include a program called tracker that automatically indexes all files. it will trigger the gstreamer exploit.

scarybeastsecurity.blogspot.com/2016/11/0day-poc-risky-design-decisions-in.html

Linux desktop security is generally shit. If you need a X server running, do it minimally as possible. Gnome is bloated as fuck.

are ffmpeg's codecs shit too?

Kek, Google DNS is censoring his site with one of their fake 403 pages. (I don't use it myself but sometimes hit an exit node that uses it.)

If you're still using 12.04 in the CURRENT YEAR, that's a problem in itself.

Yes, it is an issue because merely navigating to the folder in the file viewer will execute the payload. It's a vector for drive-by infections through USB storage and network drives.

2 more exploits were found in the latest version of gstreamer, so any modern Gnome linux desktop is affected.

gstreamer has needed the shit kicked out of it for a while now.

I can't even figure out how to play a .NSF tbh. the amount of hidden and unexposed features is dizzying.

A security guy from work fuzzed gstreamer after this story and found the same vulnerability within a few minutes.

Why hasn't anyone been fuzzing gstreamer?

I'm sure they have...
zerodium.com/program.html

Shills are getting desperate.

yep canonical is at fault here

The point is that Ubuntu methodology is a clusterfuck.

Those who faithfully follow the way of Saint IGNUcius have nothing to fear. Only sinners, led astray by the empty promises of mp3s, need to fear. Remove your non-free packages, and be saved. Repent before it's too late!