Case in point is the Java GIF bug:
http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-102760-1
Rolling a new Java release is an expensive process, least of all due
to the particularly complex testing procedure required of Sun
licensees; it's difficult to say how soon an update will be available.
What do you think? Does the group have a life beyond the Month of
Apple Bugs?
-landonf
It's true that there are a number of people on this list interested
in, and experienced at, dealing with security issues.
I would suggest establishing some better ground rules about what's on
topic etc. You don't even need to change the name though ;) moab
could also stand for "Mother of all Bugs" -- because a security flaw
really is the worst and most damaging kind of bug for your product.
I do think that the community being able to provide "0-day patches" is
useful. As someone who hasn't been particularly involved on the
technical side (although that is mostly because I've been swamped with
other things), I can't say one way or the other if it would be worth
the effort. It is fun to observe the group, and I think people are
interested in it.
If I can find time, I wouldn't mind coding up an extensible prefpane
for this sort of thing -- to "install" a new moab-patch, you double
click a bundle and the prefpane then copies it somewhere and allows
you to manage it -- on, off, detect whether or not the sunset
provisions have taken effect, things like that. That would probably
realistically be happening at the end of the MoAB (but if the group
continues, it will probably happen eventually).
-Colin
This test case is only a denial-of-service; I hacked up ImageMagick
to generate a GIF with a 0-width image block, and thus there's no
payload.
The issue is with Java's Java_sun_awt_image_GifImageDecoder_parseImage();
it allocates a block buffer based on the provided width; when the
width starts at zero, too small a buffer is allocated. Pseudo
implementation:
width = 0;
if (--width == 0) {
// Moving to the next scanline occurs here
return;
}
// Width is now negative, too small buffer will be allocated
The function receives the width as a parameter:
JNIEXPORT jboolean JNICALL
Java_sun_awt_image_GifImageDecoder_parseImage(JNIEnv *env,
jobject this,
jint relx, jint rely,
jint width, jint height,
jint interlace,
jint initCodeSize,
jbyteArray blockh,
jbyteArray raslineh,
jobject cmh)
Seems like the easiest fix is to check for width == 0 and, if so,
throw an immediate JNU_ThrowArrayIndexOutOfBoundsException(), which
is handled by the caller.
-landonf
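The following is an added illustration of the zero-width case described in the message above; it is not code from the thread, from Sun's decoder, or from the moab-fixes patches. It assumes a made-up 10-byte GIF image descriptor layout (0x2C separator, left, top, width, height as 16-bit little-endian, packed byte) and models the pre-decrement counter from the pseudo implementation with a cap so it terminates. The function names and sample bytes are constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample input (not real files): two GIF image descriptors.
 * The first declares a 0-wide image block, the second a 4x2 one. */
static const uint8_t GIF_DESC_ZERO_WIDTH[10] =
    {0x2C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00};
static const uint8_t GIF_DESC_4X2[10] =
    {0x2C, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00};

/* Parse an image descriptor and validate its geometry before anything is
 * sized from it. Returns 0 and fills *w/*h on success; -1 when the block
 * is short, is not an image descriptor, or has a zero width or height.
 * Refusing the zero case here is the "check width == 0 and bail out"
 * fix proposed in the thread, applied at the parser boundary. */
int gif_read_image_descriptor(const uint8_t *buf, size_t len, int *w, int *h)
{
    if (buf == NULL || len < 10 || buf[0] != 0x2C)
        return -1;
    int width  = buf[5] | (buf[6] << 8);
    int height = buf[7] | (buf[8] << 8);
    if (width == 0 || height == 0)
        return -1;
    *w = width;
    *h = height;
    return 0;
}

/* Model of the counter pattern from the pseudo implementation: write a
 * pixel, pre-decrement the remaining-width counter, and advance to the
 * next scanline only when it reaches zero. With width == 0 the first
 * decrement yields -1, the zero test never matches, the counter drifts
 * negative and the loop keeps writing. `limit` caps the iterations so the
 * demo terminates. Returns the pixels written before the scanline advance
 * fired, or `limit` if it never did. */
long pixels_until_scanline_advance(int width, long limit)
{
    long written = 0;
    while (written < limit) {
        written++;            /* one pixel written into the line buffer */
        if (--width == 0)
            break;            /* moving to the next scanline occurs here */
    }
    return written;
}

/* Same loop with the guard in front: a non-positive width is refused
 * before the counter is touched, so the caller can report the error
 * (the thread suggests throwing ArrayIndexOutOfBounds back to Java).
 * Returns -1 when refused, otherwise the pixel count of one scanline. */
long pixels_until_scanline_advance_checked(int width, long limit)
{
    if (width <= 0)
        return -1;
    return pixels_until_scanline_advance(width, limit);
}

int main(void)
{
    int w = 0, h = 0;
    printf("zero-width descriptor accepted? %s\n",
           gif_read_image_descriptor(GIF_DESC_ZERO_WIDTH, 10, &w, &h) == 0
               ? "yes" : "no");
    if (gif_read_image_descriptor(GIF_DESC_4X2, 10, &w, &h) == 0)
        printf("4x2 descriptor parsed as %dx%d\n", w, h);
    printf("pixels before advance, width 4: %ld\n",
           pixels_until_scanline_advance(4, 1000));
    printf("pixels before advance, width 0: %ld (hit the cap)\n",
           pixels_until_scanline_advance(0, 1000));
    printf("checked loop, width 0: %ld\n",
           pixels_until_scanline_advance_checked(0, 1000));
    return 0;
}
```

The point of the two loop variants is where the check lives: once the counter has been decremented past zero there is no later test that recovers, so the width has to be rejected before the buffer is sized or the loop is entered.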
Still needs version number checking -- I'm in the middle of factoring
that out to get rid of a bunch of duplicate code shared between the
patches.
-landonf
On Jan 19, 2007, at 10:37 PM, Landon Fuller wrote:
> Here's a test case for the Java GIF issue (this will crash your
> browser):
> http://landonf.bikemonkey.org/static/moab-tests/extra/javagif.html
>
> This test case is only a denial-of-service; I hacked up ImageMagick
> to generate a GIF with a 0-width image block, and thus there's no
> payload.
>
> The issue is with Java's
> Java_sun_awt_image_GifImageDecoder_parseImage(); it allocates a
>
> So they have released fixes for the other operating systems, but not
> for OS X? Is it that hard to implement a fix for OS X?
Sun only officially supports Solaris, Linux and Windows. Other
platforms are licensed, ported, and supported by their vendors; eg,
Apple, FreeBSD, etc.
It's up to the individual vendor to patch and release a new version
of their JRE/JDK.
-landonf
On Jan 20, 2:45 pm, Landon Fuller <land...@bikemonkey.org> wrote:
> On Jan 20, 2007, at 11:36 AM, frozenINcarbonite wrote:
>
> > So they have released fixes for the other operating systems, but not
> > for OS X? Is it that hard to implement a fix for OS X?
>
> Sun only officially supports Solaris, Linux and Windows. Other
> platforms are licensed, ported, and supported by their vendors; eg,
> Apple, FreeBSD, etc.
> It's up to the individual vendor to patch and release a new version
> of their JRE/JDK.
>
> -landonf
Sounds good to me. I like the idea of having a group that
keeps an eye out for Mac OS X (security) bugs and provides a fix or
other useful information for the public.
-eric