Dear hackers, Ubuntu's app crash reporter will happily execute your evil code on a victim's box

Users and administrators of Ubuntu Linux desktops are being advised to patch their systems following the disclosure of serious security flaws. Researcher Donncha O'Cearbhaill, who discovered and privately reported the vulnerabilities to the Ubuntu team, said that a successful exploit of the bugs could allow an attacker to …

  1. MNGrrrl

    Confuzzled Researcher

    > "Projects such as Tor, Tails, Debian and Ubuntu all need more eyes for audits which can improve the safety of the internet for everyone."

    I have some bad news: Debian and Ubuntu aren't a single software package run by a handful of coders. They are a collection of tools and applications designed by others; they simply package it all up in a unified fashion for the end-user. You can't ask them to audit that much code pouring in; you'd need to basically xerox copy every programmer on the planet, then move them to an island filled with nothing but houses, debugging tools, and Mountain Dew, to make that fly.

    The fact is, we can't afford to formally audit most of the stuff we use every day -- and even if we could, the auditing would take up more 'head space' than currently exists on the planet. We'd have 95% of the world's population breathing down the neck of the remaining 5% to make that fly. As in real life, auditing is never comprehensive, but rather more like how we inspect bridges: We look at the critical support members and spot check non-critical areas looking for systemic flaws.

    So while yes, we do need more eyes looking for bugs, really, this is less about auditing than it is process control: Everything these days is black boxed. Or part of a proprietary API. Or... or... you get the idea. Most of what we program has already been done before... there's very little "new" going on in computers... contrary to what the latest iCommercial would have you believe. If we didn't have to reinvent the wheel with every new coding project, a lot less auditing would be needed. Open source is a step towards that, but it's not a solution by itself -- we need more than just "free" code, we also need people working to make more code reusable, modular, and accessible. By reducing the massive amounts of redundancy inherent in programming -- mostly due to legal, rather than technical, considerations -- we can actually make a worthwhile investment in auditing.

    But good luck ever getting that to happen... it would require basically throwing tens of thousands of business "leaders" into a shark pit to open the door to real change. And most of middle management. And their lawyers. And the law makers and politicians. Frankly, I just don't think there are enough sharks in the ocean right now to get the job done.

    Someone needs to start breeding more sharks.

    1. AdamWill

      Re: Confuzzled Researcher

      Apport is not some random upstream project, though. It's a Canonical project specifically written for Ubuntu.

    2. Doctor Huh?

      Re: Confuzzled Researcher

      What if we attach frickin' lasers to the sharks?

      1. Anonymous Coward

        Re: Confuzzled Researcher

        @Doctor Huh? - you'd get very sore sharks?

    3. vir

      Re: Confuzzled Researcher

      Shirley you mean "shark tank" or "snake pit"?

  2. kain preacher

    But isn't the point of open source that you have more eyeballs on the code?

    1. a_yank_lurker

      @kain preacher - potentially more eyeballs but more importantly the eyeballs can be an interested outsider.

  3. Reg Whitepaper

    I work with some really smart Python coders, but this is the kind of thing that they likely miss, along with how things scale. They probably think of me as the cranky old Perl refusenik, but taint, people!

    1. AdamWill

      Er. No 'smart Python coder' should ever miss any call of eval(). Calling eval() is a gigantic code smell and absolutely any linter will complain very loudly about it. There's basically almost no good excuse for ever doing it. Doing it in a crash handler is...well...yikes.

      1. stephanh

        eval is evil

        Amen. This is something which should have been done with json.dumps/json.loads.

        Note that unfortunately the built-in Python "pickle" serialization mechanism is also insecure since it allows arbitrary code to be eval-ed.

        1. AdamWill

          Re: eval is evil

          FWIW, they fixed it by switching to ast.literal_eval, which seems reasonable.

          https://bazaar.launchpad.net/~apport-hackers/apport/trunk/revision/3114
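The comments above contrast eval() with ast.literal_eval and json.loads, and warn that pickle is no safer. The following is an added example, not Apport's own code and not the code behind the revision linked above: it runs a constructed crash-report field through the vulnerable parser, the literal_eval fix, and the data-only JSON alternative, then shows why a pickled report would be just as bad. The report strings, the EXECUTED marker list and the Booby class are all constructed here for illustration.

```python
"""Added example (not Apport's own code): eval vs ast.literal_eval vs json.loads
on a crash-report field, plus the pickle trap mentioned in the thread.
Sample inputs are constructed here."""
import ast
import json
import pickle

# A hostile payload that merely appends a marker here proves code execution
# without doing anything harmful.
EXECUTED = []

# Constructed report values.  The first is what a benign field looks like; the
# second is a valid Python expression that is not a literal.
GOOD_REPORT = "{'ProblemType': 'Crash', 'Signal': 11, 'ExecutablePath': '/usr/bin/foo'}"
JSON_REPORT = '{"ProblemType": "Crash", "Signal": 11, "ExecutablePath": "/usr/bin/foo"}'
EVIL_REPORT = "EXECUTED.append('eval ran attacker code') or {}"


def parse_with_eval(text):
    """The vulnerable pattern: eval() runs whatever expression it is handed."""
    return eval(text)  # deliberately unsafe, for demonstration only


def parse_with_literal_eval(text):
    """The kind of fix the thread describes: only Python literals (strings,
    numbers, tuples, lists, dicts, sets, booleans, None) are accepted; any
    call, name or boolean operator raises ValueError instead of executing."""
    return ast.literal_eval(text)


def parse_with_json(text):
    """A data-only format: there is no code path for a payload to reach."""
    return json.loads(text)


def safe_load(text):
    """Hardened loader: literal_eval, then check the shape we expect, so a
    report that is a bare list or has non-string keys is rejected too."""
    try:
        data = ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError("report field is not a plain literal") from exc
    if not isinstance(data, dict) or not all(isinstance(k, str) for k in data):
        raise ValueError("report field must be a dict keyed by strings")
    return data


def rejects(parser, text):
    """True if parser refuses text with a parse/validation error."""
    try:
        parser(text)
    except (ValueError, SyntaxError, TypeError):
        return True
    return False


# --- the pickle trap -------------------------------------------------------
def _record(tag):
    EXECUTED.append(tag)
    return {}


class Booby:
    """Any class may tell pickle what to call on load; that call is the RCE."""

    def __reduce__(self):
        return (_record, ("pickle ran attacker code",))


def pickle_payload():
    """What an attacker would ship if the report were pickled."""
    return pickle.dumps(Booby())


def load_pickle(blob):
    """Looks like a harmless deserialise; runs _record on the way in."""
    return pickle.loads(blob)


if __name__ == "__main__":
    print("literal_eval:", parse_with_literal_eval(GOOD_REPORT))
    print("json:", parse_with_json(JSON_REPORT))
    print("literal_eval rejects payload:", rejects(parse_with_literal_eval, EVIL_REPORT))
    parse_with_eval(EVIL_REPORT)
    load_pickle(pickle_payload())
    print("side effects from eval/pickle:", EXECUTED)
```

Two caveats a practitioner should keep in mind: ast.literal_eval still parses attacker-controlled text, so deeply nested input can raise MemoryError or RecursionError rather than a clean ValueError (hence the broad except in safe_load), and it says nothing about the shape of the result, which is why safe_load checks for a dict with string keys before handing it on. json.loads has the same "validate the shape afterwards" requirement; what it removes is the code path.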

  4. el_oscuro

    Apport

    That shit has been such a pain in the ass that removing it is the very first thing I do with a new ubuntu installation for years:

    $ sudo apt-get remove apport

    Doesn't everyone else do this? How can they actually live with the system if they don't?

    1. GrumpyOldBloke

      Re: Apport

      I normally disable it in /etc/default/apport but removing it sounds like a better idea.
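Whether Apport was disabled via /etc/default/apport or removed with apt, the thing to verify afterwards is whether the kernel still hands core dumps to it: Apport registers itself through /proc/sys/kernel/core_pattern, where a leading "|" pipes every core dump to the named handler. The following is an added example, not from the thread and not Ubuntu's own tooling; the two file paths are the real ones on Ubuntu, while the sample core_pattern strings and config text in SAMPLE_PATTERNS and SAMPLE_CONFIG are constructed for illustration.

```python
"""Added example (not from the thread or Ubuntu): two checks showing whether
Apport is still wired in after disabling or removing it.  SAMPLE_* values
are constructed; the file paths are the real Ubuntu ones."""
import re
from pathlib import Path

CORE_PATTERN = Path("/proc/sys/kernel/core_pattern")
APPORT_DEFAULT = Path("/etc/default/apport")

# Matches "enabled=0" / enabled = "1" / enabled=1  # comment
_ENABLED_LINE = re.compile(r"^\s*enabled\s*=\s*[\"']?([01])[\"']?\s*(?:#.*)?$")

# Constructed samples: what the kernel file looks like with apport hooked in,
# with a plain file pattern, and with a different pipe handler.
SAMPLE_PATTERNS = {
    "|/usr/share/apport/apport %p %s %c %d %P": True,
    "core": False,
    "|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h": False,
}
SAMPLE_CONFIG = (
    "# set this to 0 to disable apport, or to 1 to enable it\n"
    "enabled=1\n"
    "enabled=0  # constructed: the edit GrumpyOldBloke describes\n"
)


def apport_hooks_core_dumps(pattern: str) -> bool:
    """True when the kernel would pipe core dumps to an apport binary."""
    pattern = pattern.strip()
    if not pattern.startswith("|"):
        return False  # plain file pattern such as 'core' or 'core.%p'
    parts = pattern[1:].split()
    if not parts:
        return False
    return Path(parts[0]).name.startswith("apport")


def apport_enabled_in(config_text: str):
    """Parse /etc/default/apport-style text.  The last enabled= line wins,
    as it would when the shell sources the file.  Returns None when no such
    line exists; the page does not say what the service does then, so that
    case is left undecided here."""
    state = None
    for line in config_text.splitlines():
        m = _ENABLED_LINE.match(line)
        if m:
            state = m.group(1) == "1"
    return state


def check_host():
    """Read the live files; each finding is None when the file is unreadable
    (non-Linux host, apport not installed, or no permission)."""
    findings = {"core_pattern_hooked": None, "config_enabled": None}
    try:
        findings["core_pattern_hooked"] = apport_hooks_core_dumps(CORE_PATTERN.read_text())
    except OSError:
        pass
    try:
        findings["config_enabled"] = apport_enabled_in(APPORT_DEFAULT.read_text())
    except OSError:
        pass
    return findings


if __name__ == "__main__":
    for pat in SAMPLE_PATTERNS:
        print(f"{pat!r:60} -> hooked={apport_hooks_core_dumps(pat)}")
    print("sample config enabled:", apport_enabled_in(SAMPLE_CONFIG))
    print("this host:", check_host())
```

A core_pattern that still pipes to an apport binary after the package was removed means the running kernel setting was never reset (it is a live sysctl, not a file on disk); a reboot or the package's own stop path normally restores it, and check_host makes that visible without trusting the package state alone.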

  5. Anonymous Coward

    Failure the Unix way...

    ... chain applications by exchanging strings with no checks and sanitizing... but the worst thing is people thinking this is sound design because in 1970 it looked a good idea... because of punched cards and line printers.

    1. Doctor Huh?

      Re: Failure the Unix way...

      Chaining applications IS very Unix-like.

      Failing to check inputs is not at all specific to an OS or architecture.

      You can blame programmers for Unix, but you cannot blame Unix for programmers.

      1. Anonymous Coward

        Chaining applications IS very Unix-like.

        Exactly. That's the first failure. You should call APIs with clear parameters types and parameters checking. Don't chain apps through input/output passing of strings - which nobody checks for correctness.

        It made sense in 1970 with a few kilobytes of memory so code couldn't stay in memory, punched cards for writing programs, and line printers for debugging. And when security was not an issue (yet Unix systems were hacked quickly, albeit usually by people who just wanted more time and resources on the uni system to play with...)

        The other failure is Unix people that believe it still makes sense today. So yes, I can blame Unix programmers for having their heads still stuck in 1970 sands. And can blame Unix for still teaching bad programming techniques today.

        1. Anonymous Coward

          Re: Chaining applications IS very Unix-like.

          Plus it's JSON.

          Lazy-arse format for lazy-arse devs who don't want to break out of their self-imposed comfy JavaScript bubble because the one reasonable format hurts so much and is so difficult to read.

          XML! USE XML!!

          Jesus Christ one would hope people would learn their stuff.

    2. Christian Berger

      Re: Failure the Unix way...

      Well, one thing is true: on Unix you move those checks to the domain specific parts at the edges. So in the core of your program you don't have such checks.

      However, on Unix you also try to have simple formats. Formats that are simple enough they can be parsed with only very few lines of code. If you need more complex structures you try to use multiple files arranged in directories. Inside of a file you only have line based text separated with field separators. Inside the core, where nothing is problem oriented, you only deal with lines and fields.

  6. Christian Berger

    It's the start of a new generation

    Slowly but surely we see the "Linux ecosystem" taken over by the same kind of people who took over the Windows ecosystem. People who haven't matured yet and therefore write code more complex than they can handle.

    And this is one of those examples, they believed that they can handle complex file formats by outsourcing the parsing to an already existing parser... and fail in a really bad way.

    1. Anonymous Coward

      Re: It's the start of a new generation

      Well it's a direct result of the increased popularity of Linux. With all the Linux fans putting everyone's mother on Linux, it filters down. Linux used to have a wall of entry, but everyone wants it to be popular, so it needs to break down that wall.

      As it does so, then anyone can use it, and it will end up just like Windows eventually. Unless you stop these people from using Linux again.

      1. Loud Speaker

        Re: It's the start of a new generation

        Somehow I don't think my 90 year old mum is writing Linux crash dump processing code. (She is an Apple user, and has been since Apple ][).

  7. Chris Gray 1

    Flash video

    Okay, El Reg has a fun article about a security issue on Ubuntu. I run Ubuntu, so I should pay attention. But then El Reg plants a Flash video in the middle of the page... Or perhaps that shows up only because I run with Evilscript turned off? Either way, not exactly a good example!

    1. Orv

      Re: Flash video

      Lately those videos have been making it hard for me to comment. They cause massive keyboard lag and every loop causes stuff on the page to reload and focus to be stolen from the input box.

  8. Pliny the Whiner

    Researcher Donncha O'Cearbhaill

    Yeah, like that's a real name.

    1. kain preacher

      Re: Researcher Donncha O'Cearbhaill

      https://www.linkedin.com/in/donnchaocearbhaill

  9. Vic

    Ah, FFS

    Passing downloaded content straight to eval() ?

    It's amateur hour. We're supposed to be better than this.

    Vic.
