Expanded Scope? (Java GIF Bug)

13 views
Skip to first unread message

Landon Fuller

unread,
Jan 19, 2007, 1:34:46 PM1/19/07
to moab...@googlegroups.com
What happens to "MoAB Fixes" when the Month of Apple Bugs is over? Is
there value in providing "0-day patches" for other critical issues?

Case in point is the Java GIF bug:
http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-102760-1

Rolling a new Java release is an expensive process, least of all due
to the particularly complex testing procedure required of Sun
licensees; it's difficult to say how soon an update will be available.
What do you think? Does the group have a life beyond the Month of
Apple Bugs?

-landonf

PGP.sig

Colin Barrett

unread,
Jan 19, 2007, 2:42:35 PM1/19/07
to moab...@googlegroups.com

It's true that there are a number of people on this list interested
in, and experienced at, dealing with security issues.

I would suggest establishing some better ground rules about what's on
topic etc. You don't even need to change the name though ;) moab
could also stand for "Mother of all Bugs" -- because a security flaw
really is the worst and most damaging kind of bug for your product.

I do think that the community being able to provide "0-day patches" is
useful. As someone who hasn't been particularly involved on the
technical side (although that is mostly because I've been swamped with
other things), I can't say one way or the other if it would be worth
the effort. It is fun to observe the group, and I think people are
interested in it.

If I can find time, I wouldn't mind coding up an extensible prefpane
for this sort of thing -- to "install" a new moab-patch, you double
click a bundle and the prefpane then copies it somewhere and allows
you to manage it -- on, off, detect wether or not the sunset
provisions have taken effect, things like that. That would probably
realistically be happening at the end of the MoAB (but if the group
continues, it will probably happen eventually).

-Colin

William A. Carrel

unread,
Jan 19, 2007, 3:22:07 PM1/19/07
to moab...@googlegroups.com
There certainly seems to be utility in projects such as ZERT, which
seems to be Windows-focussed. Most open source projects already have a
thriving community which can deal with these things. It wouldn't hurt
the Mac community to have this too, that is as long as the user
community can deal with the situation in a way that doesn't include
shooting the messenger or decrying "unofficial" fixes.

Landon Fuller

unread,
Jan 20, 2007, 1:37:12 AM1/20/07
to moab...@googlegroups.com
Here's a test case for the Java GIF issue (this will crash your
browser):
http://landonf.bikemonkey.org/static/moab-tests/extra/javagif.html

This test case is only a denial-of-service; I hacked up ImageMagick
to generate a GIF with a 0-width image block, and thus there's no
payload.

The issue is with Java's Java_sun_awt_image_GifImageDecoder_parseImage
(); it allocates a block buffer based on the provided width; when the
width starts at zero, a too small buffer is allocated. Pseudo
implementation:

width = 0;

if (--width == 0) {
// Moving to the next scanline occurs here
return;
}

// Width is now negative, too small buffer will be allocated


The function receives the width as a parameter:
JNIEXPORT jboolean JNICALL
Java_sun_awt_image_GifImageDecoder_parseImage(JNIEnv *env,
jobject this,
jint relx, jint rely,
jint width, jint height,
jint interlace,
jint initCodeSize,
jbyteArray blockh,
jbyteArray raslineh,
jobject cmh)

Seems like the easiest fix it to check for width == 0, and if so, and
throw an immediate JNU_ThrowArrayIndexOutOfBoundsException(), which
is handled by the caller.

-landonf

PGP.sig

Landon Fuller

unread,
Jan 20, 2007, 1:39:10 AM1/20/07
to moab...@googlegroups.com

On Jan 19, 2007, at 10:37 PM, Landon Fuller wrote:

> // Width is now negative, too small buffer will be allocated

Er, sorry. Was already allocated, and will now be used. Whoops.

-landonf

PGP.sig

Landon Fuller

unread,
Jan 20, 2007, 3:22:59 AM1/20/07
to moab...@googlegroups.com
Fix for the issue committed:
http://moab-fixes.googlecode.com/svn/trunk/javagif_handler.c

Still needs version number checking -- I'm in the middle of factoring
that out to get rid of a bunch of duplicate code shared between the
patches.

-landonf

On Jan 19, 2007, at 10:37 PM, Landon Fuller wrote:

> Here's a test case for the Java GIF issue (this will crash your
> browser):
> http://landonf.bikemonkey.org/static/moab-tests/extra/javagif.html
>
> This test case is only a denial-of-service; I hacked up ImageMagick
> to generate a GIF with a 0-width image block, and thus there's no
> payload.
>
> The issue is with Java's

> Java_sun_awt_image_GifImageDecoder_parseImage(); it allocates a

PGP.sig

frozenINcarbonite

unread,
Jan 20, 2007, 2:36:58 PM1/20/07
to MOAB Fixes
So they have released fixes for the other operating systems, but not
for OS X? Is it that hard to implement a fix for OS X?

> PGP.sig
> 1KDownload

Landon Fuller

unread,
Jan 20, 2007, 2:45:21 PM1/20/07
to moab...@googlegroups.com

On Jan 20, 2007, at 11:36 AM, frozenINcarbonite wrote:

>
> So they have released fixes for the other operating systems, but not
> for OS X? Is it that hard to implement a fix for OS X?

Sun only officially supports Solaris, Linux and Windows. Other
platforms are licensed, ported, and supported by their vendors; eg,
Apple, FreeBSD, etc.
It's up to the individual vendor to patch and release a new version
of their JRE/JDK.

-landonf


PGP.sig

frozenINcarbonite

unread,
Jan 20, 2007, 3:57:37 PM1/20/07
to MOAB Fixes
oh ok, so that's why those Java updates come through Software Update?

On Jan 20, 2:45 pm, Landon Fuller <land...@bikemonkey.org> wrote:
> On Jan 20, 2007, at 11:36 AM, frozenINcarbonite wrote:
>
>
>
> > So they have released fixes for the other operating systems, but not

> > for OS X? Is it that hard to implement a fix for OS X?Sun only officially supports Solaris, Linux and Windows. Other


> platforms are licensed, ported, and supported by their vendors; eg,
> Apple, FreeBSD, etc.
> It's up to the individual vendor to patch and release a new version
> of their JRE/JDK.
>
> -landonf
>

> PGP.sig
> 1KDownload

Landon Fuller

unread,
Jan 20, 2007, 4:03:44 PM1/20/07
to moab...@googlegroups.com

On Jan 20, 2007, at 12:57 PM, frozenINcarbonite wrote:

>
> oh ok, so that's why those Java updates come through Software Update?

Exactly =)

PGP.sig

Eric Hall

unread,
Jan 25, 2007, 12:09:52 AM1/25/07
to moab...@googlegroups.com
On Fri, Jan 19, 2007 at 12:22:07PM -0800, William A. Carrel wrote:
>
> There certainly seems to be utility in projects such as ZERT, which
> seems to be Windows-focussed. Most open source projects already have a
> thriving community which can deal with these things. It wouldn't hurt
> the Mac community to have this too, that is as long as the user
> community can deal with the situation in a way that doesn't include
> shooting the messenger or decrying "unofficial" fixes.

Sounds good to me. I like the idea of having a group that
keeps an eye out for Mac OS X (security) bugs and provides a fix or
other useful information for the public.

-eric

Reply all
Reply to author
Forward
0 new messages