SELinux and an interesting Warning on Blag
If you scroll down until you see the last two topics, you'll read this:
Firewall & SELinux
File:30k-blag-install-14-firewall.png
BLAG does not enable SELinux on install. Some legacy applications do not work with SELinux. If you wish to enabled it in the future, you can run
system-config-securitylevel
Link: http://blag.fsf.org/wiki/index.php/Installation
Warning: This file type may contain malicious code. By executing it, your system may be compromised.
http://blag.fsf.org/wiki/index.php/File:30k-blag-install-14-firewall.png
So, does it mean Blag team found something on SELinux that can threaten our privacy because it was developed by the NSA?
Put down the tinfoil, Lelouch. That warning is for the PNG file, not for SELinux itself.
It should be clear to anyone that visits the URL (http://blag.fsf.org/wiki/index.php/File:30k-blag-install-14-firewall.png) that the warning is directed to the PNG file.
png files can be execute code...?
*mind blown
In all fairness I don't recall sudo chmod +x hamburger-concerto.png
to be impossible. And I guess one really never knows what, after that, would be triggered upon doing./hamburger-concerto.png
(after all, an extension is nothing more than an extension...)
well yeah but just be viewing a .png file is what i ment
I see two such vulnerabilities mentioned here https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/
SVG pictures are actually potentially dangerous, that's why the Tor Browser disables them if you move the security slider to a higher position. BUT I don't know about png images. As for the file extension being enough to prevent a file from executing code, it should be simple to test, if I could bother to do so :P
Whcih I should be btw.
> SVG pictures are actually potentially dangerous
Why? I'm curios about this.
It seems there all sorts of attacks, Lemba linked an example of a png file causing a memory corruption in firefox which can leak data out of memory. There are also examples of png file causing buffer overflows in wmp and ie on windows which can let an attacker execute remote code. There is an example png exploits in google chrome to allow for drive by downloads or browser search poisoning. So I guess there are potential risks. so ya just looking at a picture on your screen can be dangerous..lol
I'm not sure what this has to do with selinux though?
Nothing, I was just mentioning that yes, SVG pics can be dangerous maybe the warning is there because the same might apply to PNG pics. Not sure though (Lembas seems to have a proof there)
Probably not, because PNG and SVG pictures are composed with a completely
different mechanism. PNG (and all other bitmap image formats) are essentially a
matrix of bits representing pixels at a set resolution. SVG (scalable vector
graphics) are instead a set of instructions for drawing said image- shapes are
defined as sets of lines to be drawn, colours to be filled, etc. Thus the
potential for malicious functionality to exist is vastly different.
Although the classic 'chmod +x cat.png' always holds true.
what are you talking about man? lembda actually gave you a link? and just ignore everything I said? I wasn't theorizing...lol Try searching online sometimes for information, its useful. The threats are not just an executable disguised as an image file, Search "specially crafted png file" there is pages and pages of exploits. here is just a few links.
https://technet.microsoft.com/library/security/ms09-062#section2
https://threatpost.com/png-image-metadata-leading-to-iframe-injections/104047
http://www.tenable.com/pvs-plugins/4610
https://www.debian.org/security/2004/dsa-536
http://www.cvedetails.com/vulnerability-list/vendor_id-7294/Libpng.html
I was replying to GNUser, not you. He said that since there are
exploits using SVG code, these might also apply to PNG. I explained why they
probably wouldn't (though I admit I didn't actually look anything up). It seems
common sense that PNG and SVG, being entirely different formats, could not be
exploited in the same way.
SVG are not pictures in the way you would consider a picture. See, you can zoom inside of them infinitely without losing detail, so you know there is code involved. It is considered (though I am not sure it has been proven) that this code could be used to attack the browser. (doing more than just showing a pic I mean)
And also, the code in firefox that handles SVG pics is not that great in terms of functionality or security.
I do not think there can be any executable code embedded in SVG. The picture is scalable because "objects" are mathematically" defined. A circle, for instance, is defined as a center and a radius. In this way, whatever the zoom, the application (for instance the Web browser) draws a perfect circle. On the contrary, raster images (such as BMPs, PNGs, JPEGs, etc.) basically are matrices of pixels and zooming just makes the pixels larger.
Looks like SVGs can contain scripts, e.g. JavaScript. https://en.wikipedia.org/wiki/SVG#Scripting_and_animation
I thought they were just mere XML. I wonder if this JS gets executed on IceCat even with JS disabled.
So, it isn't "PNG can be dangerous" but "the browser can hold exploits while rendering PNG files, so disable it if you don't want to leave any clue (like in TBB)".
it can potentially exploit any program that renders it. media players, email clients...etc... even cups apparenlty if you look at one of my above links.
1. The warning you referenced clearly refers to the potential dangers of the
PNG being an executable in disguise.
2. BLAG gave a clear reason as to why SELinux is not enabled by default- it
does not work with certain legacy applications.
3. If SELinux was actual malware then a) BLAG would not have been the first to
discover it, b) there would be massive uproar all over the GNU/Linux community,
and c) it would be nowhere near the BLAG system.
Oh wait- it's the 'NSA is everywhere' guy.
I'm glad NSA developed SELinux. If openSSL had been developed by NSA, heartbleed would probably have been discovered sooner.
"heartbleed would probably have been discovered sooner."
any the nsa would release this info and not abuse it...?
right..
*misspelled and as any
If openSSL would have been developed by the NSA, it would have been checked many more times for vulnerabilities. If the NSA had insterest in having a backdoor in a SELinux, we wouldn't know that it was developed by them. NSA developed SELinux because they needed it, and released it as free software because it's advantageous.
"released it as free software because it's advantageous."
why would it be an advantage to them if they released it?
the pratical advantages that releasing the source code offers, the ones defended by the open-source movement...
I hate the say it, but you're right. The last things NSA is interested in is philosophy, ethics and doing good for people. But that's a reason to be cautious with their software.
Eh...
http://mako.cc/copyrighteous/when-free-software-isnt-better-talk
As for the speculation about the NSA making SELinux libre because of open source arguments (which, I stress, are rather unfounded)... well, it seems likely to basically be the case. But note also that SELinux is tied to Linux Security Modules, which (like most of Linux) is under the GNU GPL. The NSA was probably required to make SELinux libre if they were to release it at all.