SELinux and an interesting Warning on Blag

30 respostas [Última entrada]
CentaurX00
Desconectado
Joined: 06/17/2015

If you scroll down until you see the last two topics, you'll read this:

Firewall & SELinux

File:30k-blag-install-14-firewall.png

BLAG does not enable SELinux on install. Some legacy applications do not work with SELinux. If you wish to enabled it in the future, you can run

system-config-securitylevel

Link: http://blag.fsf.org/wiki/index.php/Installation

Warning: This file type may contain malicious code. By executing it, your system may be compromised.
http://blag.fsf.org/wiki/index.php/File:30k-blag-install-14-firewall.png

So, does it mean Blag team found something on SELinux that can threaten our privacy because it was developed by the NSA?

JadedCtrl
Desconectado
Joined: 08/11/2014

Put down the tinfoil, Lelouch. That warning is for the PNG file, not for SELinux itself.
It should be clear to anyone that visits the URL (http://blag.fsf.org/wiki/index.php/File:30k-blag-install-14-firewall.png) that the warning is directed to the PNG file.

tomlukeywood
Desconectado
Joined: 12/05/2014

png files can be execute code...?

*mind blown

davidnotcoulthard (non verificado)
davidnotcoulthard

In all fairness I don't recall sudo chmod +x hamburger-concerto.png to be impossible. And I guess one really never knows what, after that, would be triggered upon doing./hamburger-concerto.png

(after all, an extension is nothing more than an extension...)

tomlukeywood
Desconectado
Joined: 12/05/2014

well yeah but just be viewing a .png file is what i ment

lembas
Desconectado
Joined: 05/13/2010

I see two such vulnerabilities mentioned here https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/

GNUser
Desconectado
Joined: 07/17/2013

SVG pictures are actually potentially dangerous, that's why the Tor Browser disables them if you move the security slider to a higher position. BUT I don't know about png images. As for the file extension being enough to prevent a file from executing code, it should be simple to test, if I could bother to do so :P

Whcih I should be btw.

danieru
Desconectado
Joined: 01/06/2013

> SVG pictures are actually potentially dangerous

Why? I'm curios about this.

cooloutac
Desconectado
Joined: 06/27/2015

It seems there all sorts of attacks, Lemba linked an example of a png file causing a memory corruption in firefox which can leak data out of memory. There are also examples of png file causing buffer overflows in wmp and ie on windows which can let an attacker execute remote code. There is an example png exploits in google chrome to allow for drive by downloads or browser search poisoning. So I guess there are potential risks. so ya just looking at a picture on your screen can be dangerous..lol

I'm not sure what this has to do with selinux though?

GNUser
Desconectado
Joined: 07/17/2013

Nothing, I was just mentioning that yes, SVG pics can be dangerous maybe the warning is there because the same might apply to PNG pics. Not sure though (Lembas seems to have a proof there)

moxalt
Desconectado
Joined: 06/19/2015

Probably not, because PNG and SVG pictures are composed with a completely
different mechanism. PNG (and all other bitmap image formats) are essentially a
matrix of bits representing pixels at a set resolution. SVG (scalable vector
graphics) are instead a set of instructions for drawing said image- shapes are
defined as sets of lines to be drawn, colours to be filled, etc. Thus the
potential for malicious functionality to exist is vastly different.

moxalt
Desconectado
Joined: 06/19/2015

Although the classic 'chmod +x cat.png' always holds true.

cooloutac
Desconectado
Joined: 06/27/2015

what are you talking about man? lembda actually gave you a link? and just ignore everything I said? I wasn't theorizing...lol Try searching online sometimes for information, its useful. The threats are not just an executable disguised as an image file, Search "specially crafted png file" there is pages and pages of exploits. here is just a few links.

https://technet.microsoft.com/library/security/ms09-062#section2

https://threatpost.com/png-image-metadata-leading-to-iframe-injections/104047

http://www.tenable.com/pvs-plugins/4610

https://www.debian.org/security/2004/dsa-536

http://www.cvedetails.com/vulnerability-list/vendor_id-7294/Libpng.html

moxalt
Desconectado
Joined: 06/19/2015

I was replying to GNUser, not you. He said that since there are
exploits using SVG code, these might also apply to PNG. I explained why they
probably wouldn't (though I admit I didn't actually look anything up). It seems
common sense that PNG and SVG, being entirely different formats, could not be
exploited in the same way.

GNUser
Desconectado
Joined: 07/17/2013

SVG are not pictures in the way you would consider a picture. See, you can zoom inside of them infinitely without losing detail, so you know there is code involved. It is considered (though I am not sure it has been proven) that this code could be used to attack the browser. (doing more than just showing a pic I mean)
And also, the code in firefox that handles SVG pics is not that great in terms of functionality or security.

Magic Banana

I am a member!

I am a translator!

Desconectado
Joined: 07/24/2010

I do not think there can be any executable code embedded in SVG. The picture is scalable because "objects" are mathematically" defined. A circle, for instance, is defined as a center and a radius. In this way, whatever the zoom, the application (for instance the Web browser) draws a perfect circle. On the contrary, raster images (such as BMPs, PNGs, JPEGs, etc.) basically are matrices of pixels and zooming just makes the pixels larger.

lembas
Desconectado
Joined: 05/13/2010

Looks like SVGs can contain scripts, e.g. JavaScript. https://en.wikipedia.org/wiki/SVG#Scripting_and_animation

danieru
Desconectado
Joined: 01/06/2013

I thought they were just mere XML. I wonder if this JS gets executed on IceCat even with JS disabled.

cooloutac
Desconectado
Joined: 06/27/2015
danieru
Desconectado
Joined: 01/06/2013

So, it isn't "PNG can be dangerous" but "the browser can hold exploits while rendering PNG files, so disable it if you don't want to leave any clue (like in TBB)".

cooloutac
Desconectado
Joined: 06/27/2015

it can potentially exploit any program that renders it. media players, email clients...etc... even cups apparenlty if you look at one of my above links.

moxalt
Desconectado
Joined: 06/19/2015

1. The warning you referenced clearly refers to the potential dangers of the
PNG being an executable in disguise.

2. BLAG gave a clear reason as to why SELinux is not enabled by default- it
does not work with certain legacy applications.

3. If SELinux was actual malware then a) BLAG would not have been the first to
discover it, b) there would be massive uproar all over the GNU/Linux community,
and c) it would be nowhere near the BLAG system.

Oh wait- it's the 'NSA is everywhere' guy.

hnasiet
Desconectado
Joined: 02/10/2015

I'm glad NSA developed SELinux. If openSSL had been developed by NSA, heartbleed would probably have been discovered sooner.

tomlukeywood
Desconectado
Joined: 12/05/2014

"heartbleed would probably have been discovered sooner."
any the nsa would release this info and not abuse it...?

SuperTramp83

I am a translator!

Desconectado
Joined: 10/31/2014

right..

tomlukeywood
Desconectado
Joined: 12/05/2014

*misspelled and as any

hnasiet
Desconectado
Joined: 02/10/2015

If openSSL would have been developed by the NSA, it would have been checked many more times for vulnerabilities. If the NSA had insterest in having a backdoor in a SELinux, we wouldn't know that it was developed by them. NSA developed SELinux because they needed it, and released it as free software because it's advantageous.

tomlukeywood
Desconectado
Joined: 12/05/2014

"released it as free software because it's advantageous."
why would it be an advantage to them if they released it?

hnasiet
Desconectado
Joined: 02/10/2015

the pratical advantages that releasing the source code offers, the ones defended by the open-source movement...

danieru
Desconectado
Joined: 01/06/2013

I hate the say it, but you're right. The last things NSA is interested in is philosophy, ethics and doing good for people. But that's a reason to be cautious with their software.

onpon4
Desconectado
Joined: 05/30/2012

Eh...

http://mako.cc/copyrighteous/when-free-software-isnt-better-talk

As for the speculation about the NSA making SELinux libre because of open source arguments (which, I stress, are rather unfounded)... well, it seems likely to basically be the case. But note also that SELinux is tied to Linux Security Modules, which (like most of Linux) is under the GNU GPL. The NSA was probably required to make SELinux libre if they were to release it at all.