0-days hitting Fedora and Ubuntu open desktops to a world of hurt

**Daveski17** · December 16th, 2016

http://arstechnica.com/security/2016...s-now-a-thing/

'If you run a mainstream distribution of Linux on a desktop computer, there's a good chance security researcher Chris Evans can hijack it when you do nothing more than open or even browse a specially crafted music file. And in the event you're running Chrome on the just-released Fedora 25, his code-execution attack works as a classic drive-by.'

~ Ars Technica

**vasa1** · December 16th, 2016

Chris Evans is a pretty active security expert over at Google:

All discoveries were ethically reported. Some of these discoveries were sponsored by my employer, Google. We're always hiring for security.

from https://security.appspot.com/security/index.html. He blogs at http://scarybeastsecurity.blogspot.com

I hope his concerns are taken on board!

**Daveski17** · December 16th, 2016

Yes, I hope his concerns are taken seriously too.

**mc4man** · December 16th, 2016

Already patched in supported Ubuntu releases.

**vasa1** · December 16th, 2016

Originally Posted by mc4man

Already patched in supported Ubuntu releases.

Would these be the ones?

Code:

08:56 PM ~ $ grep stream /var/log/dpkg.log.1 | grep "status installed"
2016-11-17 14:58:13 status installed libgstreamer-plugins-bad1.0-0:amd64 1.8.2-1ubuntu0.2
2016-11-17 14:58:13 status installed gstreamer1.0-plugins-bad-videoparsers:amd64 1.8.2-1ubuntu0.2
2016-11-17 14:58:13 status installed gstreamer1.0-plugins-bad-faad:amd64 1.8.2-1ubuntu0.2
2016-11-17 14:58:13 status installed gstreamer1.0-plugins-bad:amd64 1.8.2-1ubuntu0.2
2016-11-23 07:55:50 status installed gstreamer0.10-plugins-good:amd64 0.10.31-3+nmu4ubuntu2.16.04.1
2016-11-23 07:55:50 status installed libgstreamer-plugins-base1.0-0:amd64 1.8.2-1ubuntu0.2
2016-11-23 07:55:50 status installed gstreamer1.0-plugins-base:amd64 1.8.2-1ubuntu0.2
2016-11-23 07:55:51 status installed libgstreamer-plugins-good1.0-0:amd64 1.8.2-1ubuntu0.2
2016-11-23 07:55:51 status installed gstreamer1.0-plugins-good:amd64 1.8.2-1ubuntu0.2
2016-11-23 07:55:52 status installed gstreamer1.0-x:amd64 1.8.2-1ubuntu0.2
2016-11-29 15:03:13 status installed gstreamer0.10-plugins-good:amd64 0.10.31-3+nmu4ubuntu2.16.04.2
2016-11-29 15:03:14 status installed libgstreamer-plugins-good1.0-0:amd64 1.8.2-1ubuntu0.3
2016-11-29 15:03:14 status installed gstreamer1.0-plugins-good:amd64 1.8.2-1ubuntu0.3
08:56 PM ~ $

**mc4man** · December 17th, 2016

Originally Posted by vasa1

Would these be the ones?

Code:

08:56 PM ~ $ grep stream /var/log/dpkg.log.1 | grep "status installed"
2016-11-17 14:58:13 status installed libgstreamer-plugins-bad1.0-0:amd64 1.8.2-1ubuntu0.2
2016-11-17 14:58:13 status installed gstreamer1.0-plugins-bad-videoparsers:amd64 1.8.2-1ubuntu0.2
2016-11-17 14:58:13 status installed gstreamer1.0-plugins-bad-faad:amd64 1.8.2-1ubuntu0.2
2016-11-17 14:58:13 status installed gstreamer1.0-plugins-bad:amd64 1.8.2-1ubuntu0.2
2016-11-23 07:55:50 status installed gstreamer0.10-plugins-good:amd64 0.10.31-3+nmu4ubuntu2.16.04.1
2016-11-23 07:55:50 status installed libgstreamer-plugins-base1.0-0:amd64 1.8.2-1ubuntu0.2
2016-11-23 07:55:50 status installed gstreamer1.0-plugins-base:amd64 1.8.2-1ubuntu0.2
2016-11-23 07:55:51 status installed libgstreamer-plugins-good1.0-0:amd64 1.8.2-1ubuntu0.2
2016-11-23 07:55:51 status installed gstreamer1.0-plugins-good:amd64 1.8.2-1ubuntu0.2
2016-11-23 07:55:52 status installed gstreamer1.0-x:amd64 1.8.2-1ubuntu0.2
2016-11-29 15:03:13 status installed gstreamer0.10-plugins-good:amd64 0.10.31-3+nmu4ubuntu2.16.04.2
2016-11-29 15:03:14 status installed libgstreamer-plugins-good1.0-0:amd64 1.8.2-1ubuntu0.3
2016-11-29 15:03:14 status installed gstreamer1.0-plugins-good:amd64 1.8.2-1ubuntu0.3
08:56 PM ~ $

I'd think -

Code:

game-music-emu (0.6.0-3ubuntu0.16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE: code execution via missing register value clamps
    - debian/patches/missing_register_value_clamp.patch: clamp values to
      uint8_t in gme/Spc_Cpu.h.
    - No CVE number

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 13 Dec 2016 11:37:51 -0500

(- i.e. libgme0

**vasa1** · December 17th, 2016

I got

Code:

07:55 AM ~ $ apt-cache policy libgme0
libgme0:
  Installed: 0.6.0-3ubuntu0.16.04.1
  Candidate: 0.6.0-3ubuntu0.16.04.1
  Version table:
 *** 0.6.0-3ubuntu0.16.04.1 500
        500 http://archive.ubuntu.com/ubuntu xenial-updates/universe amd64 Packages
        500 http://archive.ubuntu.com/ubuntu xenial-security/universe amd64 Packages
        100 /var/lib/dpkg/status
     0.6.0-3 500
        500 http://archive.ubuntu.com/ubuntu xenial/universe amd64 Packages
07:58 AM ~ $

So people who have updated systems are fine. (I got the update on 2016-12-14.) Regarding the test, if unpatched, which particular calculator would run? For example, Lubuntu users won't have gnome-calculator by default. They, and perhaps ubuntu-mate users, may have galculator.

**Daveski17** · December 19th, 2016

Well, as long as Trusty Tahr LTS has been patched I'll be OK then.

**maglin2** · December 23rd, 2016

I get:

Code:

~$ apt-cache policy libgme0
libgme0:
  Installed: (none)
  Candidate: 0.6.0-3ubuntu0.16.04.1

this is on 16.04 without the ubuntu restricted extras or add-ons packages, so I'm not sure if the exploit would actually have worked on a truly default 16.04 install.