I've been given said 0-day link several times by friends (what can I say, we sysadmins get handed cute things). Despite the technical inaccuracies about the NES described in the article, I do find it "neat". However, the most telling part of the article -- for me -- was this:
Quote:
While at first glance, this “patch” would appear to remove functionality, it does not. Your wonderful NSF files will still play. WTF? Would you believe that Ubuntu 12 and 14 ship not one but two different code bases for playing NSF files? That’s a lot of code for a very fringe format. The second NSF player is based on libgme and does not appear to have the vulnerabilities of the first.
Situation seems easy enough to me to rectify: the maintainer of the relevant package needs to remove NSF support. Sadly, the article does not bother to actually track down what specific Ubuntu package is responsible for libgstnsf.so (Ubuntu package names are horrific); apparently output from dpkg -S /usr/lib/x86_64-linux-gnu/gstreamer-0.10/libgstnsf.so was just too hard. From what I can determine, Ubuntu 12.x and 14.x have some kind of "bad plugins list" and libgstnsf.so falls under that category. The package is called gstreamer0.10-plugins-bad (i386 has its own as well). I don't know why this package isn't installed or used by the reporter (the Ubuntu folks need to look into why that is).
Blindly removing a file on the system which is installed by a package is not how you solve this problem properly; yes, it will work as a very crappy "last resort" workaround, but it's laughable (especially when called "a patch") -- come any kind of package management involving that package, the shared library in question will be reinstalled. I really expect more from the author of the article, who has a good history of being a quality security analyst. The way you solve this problem is by figuring out what package is responsible for its installation, then talking to the Ubuntu folks by filing a ticket. Both Ubuntu 12.x and 14.x LTS are still actively supported (this issue DOES classify as a "maintenance update").
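As an added example that is not part of the post above or of the article it discusses: a POSIX shell script that takes the dpkg -S output format the post mentions ("pkg[:arch]: /path") and the per-package md5sums list that dpkg keeps under /var/lib/dpkg/info/, and reports whether a package-owned file is present and unmodified. That is the check a sysadmin would run to notice that a hand-deleted plugin has been put back by a later package operation, which is the post's objection to the "delete the .so" workaround. The dpkg -S line, the md5sums list and the file contents are constructed samples so the script runs without dpkg installed; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits a file that dpkg
# attributes to a package: is it still there, and does it match the md5 that
# the package's md5sums list records? All inputs below are constructed.

set -u

# Constructed: what `dpkg -S /usr/lib/x86_64-linux-gnu/gstreamer-0.10/libgstnsf.so`
# prints on an amd64 Ubuntu 14.x install (package name, arch qualifier, path).
SAMPLE_DPKG_S='gstreamer0.10-plugins-bad:amd64: /usr/lib/x86_64-linux-gnu/gstreamer-0.10/libgstnsf.so'

# Package name from one line of dpkg -S output ("pkg[:arch]: /path").
# Strips the path first, then an optional ":arch" qualifier.
owner_package() {
    printf '%s\n' "$1" | sed 's/: .*$//; s/:[^:]*$//'
}

# Portable md5 of a file (md5sum on Linux, md5 on BSD/macOS).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# audit_file ROOT MD5SUMS RELPATH
# Compares ROOT/RELPATH against the "<md5>  <relative path>" entries in
# MD5SUMS (dpkg's layout). Prints ok, missing, modified or unlisted; exit
# status is 0 only for ok, so the function can drive a shell conditional.
audit_file() {
    root=$1; md5list=$2; relpath=$3
    expected=$(awk -v p="$relpath" '$2 == p { print $1 }' "$md5list")
    if [ -z "$expected" ]; then echo unlisted; return 3; fi
    if [ ! -e "$root/$relpath" ]; then echo missing; return 1; fi
    actual=$(md5_of "$root/$relpath")
    if [ "$actual" = "$expected" ]; then echo ok; return 0; fi
    echo modified; return 2
}

# Demonstration on a constructed root tree: the file is first intact, then
# removed the way the article's "patch" removes it.
demo() {
    tmp=$(mktemp -d)
    rel='usr/lib/x86_64-linux-gnu/gstreamer-0.10/libgstnsf.so'
    mkdir -p "$tmp/$(dirname "$rel")"
    printf 'fake plugin contents\n' > "$tmp/$rel"
    # Constructed md5sums list in dpkg's "<md5>  <relative path>" layout.
    printf '%s  %s\n' "$(md5_of "$tmp/$rel")" "$rel" > "$tmp/pkg.md5sums"

    echo "owner: $(owner_package "$SAMPLE_DPKG_S")"
    audit_file "$tmp" "$tmp/pkg.md5sums" "$rel" || true   # prints: ok
    rm "$tmp/$rel"
    audit_file "$tmp" "$tmp/pkg.md5sums" "$rel" || true   # prints: missing
    rm -rf "$tmp"
}

demo
```

On a real system you would feed audit_file the root "/", /var/lib/dpkg/info/gstreamer0.10-plugins-bad:amd64.md5sums (the name dpkg uses for multi-arch packages; an assumption for the 12.x/14.x layout) and the relative path; "missing" means the workaround is still in place, "ok" means a package operation has silently reinstalled the plugin, which is exactly why removing NSF support in the package itself is the durable fix.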