POV-Ray : Newsgroups : povray.off-topic : update, updates, updates
update, updates, updates (Message 1 to 10 of 23)
From: Kenneth
Subject: update, updates, updates
Date: 16 Jan 2013 07:00:00
Message: <web.50f696078399255c2d977c20@news.povray.org>
Wow, it seems that security updates for various pieces of 'standard'
Windows-related software are coming down fast and furious these days: Firefox,
Java, Flash Player, Windows itself (well, my old XP version.) I'm getting one or
the other of these on almost a daily basis. Cyber-criminals and spammers must be
working overtime!



From: Francois Labreque
Subject: Re: update, updates, updates
Date: 16 Jan 2013 09:06:11
Message: <50f6b3d3$1@news.povray.org>

> Wow, it seems that security updates for various pieces of 'standard'
> Windows-related software are coming down fast and furious these days: Firefox,
> Java, Flash Player, Windows itself (well, my old XP version.) I'm getting one or
> the other of these on almost a daily basis. Cyber-criminals and spammers must be
> working overtime!
>
This happens when someone develops a new(ish) idea on how to break into 
a system.  After that, everyone starts to see if they can use the same 
approach to break into another program.

Ex:  One guy finds out that you can create specially crafted .BMP files 
with a color palette that has 4294967297 (MAX_INT + 1) colors, causing 
the application to overflow, and execute arbitrary code.  12 other guys 
will go "hmm... interesting... Let's try with .JPG, .GIF, .PNG, etc..." 
People will also try to find applications where this can be exploited, 
and once they find that a certain version of, say, libpng is vulnerable, 
every piece of software that uses that libpng will have to be updated.

(Except POV-Ray, of course, because we were told that nothing bad could 
happen... And no one POV-Ray user would be evil enough to post a scene 
with a bad .PNG texture in it).

-- 
/*Francois Labreque*/#local a=x+y;#local b=x+a;#local c=a+b;#macro P(F//
/*    flabreque    */L)polygon{5,F,F+z,L+z,L,F pigment{rgb 9}}#end union
/*        @        */{P(0,a)P(a,b)P(b,c)P(2*a,2*b)P(2*b,b+c)P(b+c,<2,3>)
/*   gmail.com     */}camera{orthographic location<6,1.25,-6>look_at a }



From: Warp
Subject: Re: update, updates, updates
Date: 16 Jan 2013 13:30:21
Message: <50f6f1bd@news.povray.org>
Francois Labreque <fla### [at] videotronca> wrote:
> Ex:  One guy finds out that you can create specially crafted .BMP files 
> with a color palette that has 4294967297 (MAX_INT + 1) colors

Given that the vast majority of image files have an exact amount of
bytes reserved for the different sizes, I would like to see how you
can put a value larger than what those bytes can express there.

(Ostensibly some compressed image file type might be able to exploit
a buggy image library if there's something in the compression algorithm
that said library doesn't take into account and could cause eg. a buffer
overflow in said library when it tries to decompress the data.)

-- 
                                                          - Warp



From: Orchid Win7 v1
Subject: Re: update, updates, updates
Date: 16 Jan 2013 16:22:50
Message: <50f71a2a@news.povray.org>
On 16/01/2013 06:30 PM, Warp wrote:
> Francois Labreque<fla### [at] videotronca>  wrote:
>> Ex:  One guy finds out that you can create specially crafted .BMP files
>> with a color palette that has 4294967297 (MAX_INT + 1) colors
>
> Given that the vast majority of image files have an exact amount of
> bytes reserved for the different sizes, I would like to see how you
> can put a value larger than what those bytes can express there.

There appears to be plenty of software that incorrectly treats various 
size values as signed integers. (E.g., programs that malfunction on 
files larger than 2GB because they think the file size has become 
"negative".)

Personally, I blame C...



From: Orchid Win7 v1
Subject: Re: update, updates, updates
Date: 16 Jan 2013 16:23:54
Message: <50f71a6a$1@news.povray.org>
On 16/01/2013 11:59 AM, Kenneth wrote:
> Wow, it seems that security updates for various pieces of 'standard'
> Windows-related software are coming down fast and furious these days: Firefox,
> Java, Flash Player, Windows itself (well, my old XP version.) I'm getting one or
> the other of these on almost a daily basis. Cyber-criminals and spammers must be
> working overtime!

Just because a security flaw has been discovered, does not necessarily 
imply that anybody has actually *exploited* it yet.

It could well just be the QA people doing code reviews and finding bugs 
that way.



From: Jim Henderson
Subject: Re: update, updates, updates
Date: 16 Jan 2013 16:38:46
Message: <50f71de6@news.povray.org>
On Wed, 16 Jan 2013 21:23:27 +0000, Orchid Win7 v1 wrote:

> Personally, I blame C...

Seems more appropriate to blame programmer inexperience (or laziness) 
than the language used.

Jim



From: Warp
Subject: Re: update, updates, updates
Date: 16 Jan 2013 19:27:48
Message: <50f74584@news.povray.org>
Orchid Win7 v1 <voi### [at] devnull> wrote:
> There appears to be plenty of software that incorrectly treats various 
> size values as signed integers. (E.g., programs that malfunction on 
> files larger than 2GB because they think the file size has become 
> "negative".)

Can you give me a scenario where that produces a buffer overflow?

-- 
                                                          - Warp



From: Kenneth
Subject: Re: update, updates, updates
Date: 17 Jan 2013 01:50:08
Message: <web.50f79e4d9a8e0d4bc2d977c20@news.povray.org>
Orchid Win7 v1 <voi### [at] devnull> wrote:

>
> It could well just be the QA people doing code reviews and finding bugs
> that way.

Yeah, I'm thinking it's probably half and half: real security breaches; and
entities like Kaspersky Labs finding possible exploitable loopholes before the
fact.

BTW, I just got *another* Windows security update.



From: Francois Labreque
Subject: Re: update, updates, updates
Date: 18 Jan 2013 09:23:51
Message: <50f95af7$1@news.povray.org>

> Francois Labreque <fla### [at] videotronca> wrote:
>> Ex:  One guy finds out that you can create specially crafted .BMP files
>> with a color palette that has 4294967297 (MAX_INT + 1) colors
>
> Given that the vast majority of image files have an exact amount of
> bytes reserved for the different sizes, I would like to see how you
> can put a value larger than what those bytes can express there.
>

Sorry, it was MAX_SIGNED_INT +1.

Of course, the file formats are usually strict enough, but they can't 
prevent all problems.

http://technet.microsoft.com/en-us/security/bulletin/ms04-028
http://technet.microsoft.com/en-us/security/bulletin/ms08-052
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0597

In the case of the BMP flaw, the leaked Windows 2000 source code showed 
that the DLL was using a signed int to read an offset value that was 
unsigned in the file format, so by crafting a special BMP file you would 
have the DLL jump to a negative offset, and outside of the actual data 
structure it was supposed to read.  Now since GDI.DLL runs in ring 0 for 
performance reasons, the fault was not caught and the program would 
continue reading garbage, which in turn would cause a buffer overflow 
and arbitrary code execution.  Photoshop CS2 and CS3 were vulnerable to 
this one, on top of all the MS applications that use GDI.DLL, so it 
wasn't only shoddy programming on Microsoft's part.

I don't have the specifics on the JPG or PNG ones, but from the MITRE 
description, the JPG also used an improper cast in the DLL to achieve 
its result.  For the PNG vulnerability, it was a problem with libpng not 
handling a variable field length properly.

I'm sure you know that there are many, many ways a programmer can screw up.

-- 
/*Francois Labreque*/#local a=x+y;#local b=x+a;#local c=a+b;#macro P(F//
/*    flabreque    */L)polygon{5,F,F+z,L+z,L,F pigment{rgb 9}}#end union
/*        @        */{P(0,a)P(a,b)P(b,c)P(2*a,2*b)P(2*b,b+c)P(b+c,<2,3>)
/*   gmail.com     */}camera{orthographic location<6,1.25,-6>look_at a }


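The signed-versus-unsigned mistake that Orchid raised earlier in the thread and that Francois describes above for the BMP parser (an unsigned file offset read into a signed int, so a crafted value turns negative and sails past the range check) is easy to see in a few lines of C. The following is an added example written for this page; it is not Francois's code, not Microsoft's GDI code, and not the real BMP layout. The 8-byte header (a little-endian palette offset followed by a palette length), the sample files, and the function names `accepts_offset_signed`, `accepts_offset_checked` and `build_sample` are all constructed for the illustration. The first validator reproduces the buggy pattern and merely reports whether it would accept the offset (it never dereferences anything), the second keeps the fields in the unsigned type the format specifies and checks the range by subtraction so that no sum can wrap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed header layout for this example (not the real BMP layout):
 * bytes 0-3  little-endian offset of the palette within the file
 * bytes 4-7  little-endian byte length of the palette
 * Both fields are unsigned in the "format". */
#define HDR_LEN 8

static uint32_t read_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void write_le32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)(v);
    p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16);
    p[3] = (unsigned char)(v >> 24);
}

/* Build a constructed sample file: header followed by `body` filler bytes.
 * Returns the total length. */
size_t build_sample(uint32_t offset, uint32_t pal_len,
                    unsigned char *out, size_t body) {
    memset(out, 0xAB, HDR_LEN + body);
    write_le32(out, offset);
    write_le32(out + 4, pal_len);
    return HDR_LEN + body;
}

/* Buggy validation in the style the thread describes: the unsigned file
 * fields are stored in signed ints and compared in signed arithmetic.
 * Returns 1 if the parser would go on to read the palette at file + offset. */
int accepts_offset_signed(const unsigned char *file, int file_len) {
    if (file_len < HDR_LEN) return 0;
    int offset  = (int)read_le32(file);      /* 0xFFFFFFFF becomes -1 */
    int pal_len = (int)read_le32(file + 4);  /* 0xFFFFFFF8 becomes -8 */
    if (offset > file_len) return 0;             /* -1 > 16 is false */
    if (offset + pal_len > file_len) return 0;   /*  3 > 16 is false */
    return 1;  /* negative offset accepted: the read would land before the buffer */
}

/* Hardened validation: keep the fields in the unsigned type the format
 * specifies, and check the range without forming a sum that can wrap. */
int accepts_offset_checked(const unsigned char *file, size_t file_len) {
    if (file_len < HDR_LEN) return 0;
    uint32_t offset  = read_le32(file);
    uint32_t pal_len = read_le32(file + 4);
    if (offset < HDR_LEN || offset > file_len) return 0;  /* offset inside the file */
    if (pal_len > file_len - offset) return 0;            /* length fits, no wrap */
    return 1;
}

int main(void) {
    unsigned char buf[HDR_LEN + 8];
    struct { uint32_t off, len; const char *what; } cases[] = {
        { 8u,          4u,          "well-formed"        },
        { 0xFFFFFFFFu, 4u,          "offset reads as -1" },
        { 8u,          0xFFFFFFF8u, "length reads as -8" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t n = build_sample(cases[i].off, cases[i].len, buf, 8);
        printf("%-20s signed check: %d  unsigned check: %d\n", cases[i].what,
               accepts_offset_signed(buf, (int)n), accepts_offset_checked(buf, n));
    }
    return 0;
}
```

The two crafted cases are the ones a reviewer should look for in any parser: a field that the format defines as unsigned but the code holds in a signed type, and a range test written as `offset + length > size`, which a large length can wrap around. Both pass the signed validator and are rejected by the checked one.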

From: Francois Labreque
Subject: Re: update, updates, updates
Date: 18 Jan 2013 09:36:30
Message: <50f95dee$1@news.povray.org>

> Orchid Win7 v1 <voi### [at] devnull> wrote:
>> There appears to be plenty of software that incorrectly treats various
>> size values as signed integers. (E.g., programs that malfunction on
>> files larger than 2GB because they think the file size has become
>> "negative".)
>
> Can you give me a scenario where that produces a buffer overflow?
>

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0894
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0986
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1573
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3015
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3020
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5870
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1570
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2518
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0596
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0598
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0599
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0602
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0915
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1197
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3966

More at:

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=BMP
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=JPG
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=PNG
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=MP3
Etc...
-- 
/*Francois Labreque*/#local a=x+y;#local b=x+a;#local c=a+b;#macro P(F//
/*    flabreque    */L)polygon{5,F,F+z,L+z,L,F pigment{rgb 9}}#end union
/*        @        */{P(0,a)P(a,b)P(b,c)P(2*a,2*b)P(2*b,b+c)P(b+c,<2,3>)
/*   gmail.com     */}camera{orthographic location<6,1.25,-6>look_at a }




Copyright 2003-2023 Persistence of Vision Raytracer Pty. Ltd.