Re: How do you guys handle PNG/JPG binary files with potential payloads for all the image viewers?

2022-06-20 Thread Corey H
(am I sending my emails right?? I selected "Reply All.")
>> how do you guys test all of the potential PNG/JPG potential malware payloads
>What's your use-case?

lol funny story.
I downloaded all of the github.com links ripped from the blackarch main
page (~8GB worth of repositories)
ANYWAYS

I wanted to see the pictures...start with the fun stuff first,
right?

So I went: `find . -type f \( -name '*.png' -o -name '*.jpg' \) -exec cp -f '{}' "$SOME_DIR" \;`

hehe then I was like OMG what am I doing when I saw an image name called
something like this:
Parser < 7.png
WHOA. my heart raced.
And I was like "I'm not ready for this."

So then I started imagining all of the stuff in those 1000+ PNG/JPG files
that I want to view with ristretto image viewer.
...and I was like: No way. No freakin' way.
I deleted all of the image files and then all of the cloned github.com
repositories.
NOT worth viewing.
I don't care if `file myfile.png` says "PNG file"
lol

On Mon, Jun 20, 2022 at 4:11 PM Sebastian Rose 
wrote:

> Davide Prina  writes:
> > Corey H wrote:
> >
> >> how do you guys test all of the potential PNG/JPG potential malware
> payloads
>
> What's your use-case? As I'm not aware of a vector for GNU/Linux in
> normal everyday use¹, I guess you host files for Windows clients?
>
> Did anyone mention ClamAV already? If so, please ignore me (sorry for
> not following closely...).
>
>
>  - Sebastian
>
>
> ¹ One can execute every file on GNU/Linux. But the attack is that
> execution of a file, not the file (otherwise we'd have to consider `rm',
> `gpg', `scp', and many more malware, too).
>
>
> --
> As I was walking down Stanton Street early one Sunday morning, I saw a
> chicken a few yards ahead of me.  I was walking faster than the chicken,
> so I gradually caught up.  By the time we approached Eighteenth Avenue,
> I was close behind.  The chicken turned south on Eighteenth.  At the
> fourth house along, it turned in at the walk, hopped up the front steps,
> and rapped sharply on the metal storm door with its beak. After a
> moment, the door opened and the chicken went in.
>
>   (Linda Elegant in "True Tales of American Life")
>
>


Re: How do you guys handle PNG/JPG binary files with potential payloads for all the image viewers?

2022-06-20 Thread Shubo
I feel like ClamAV would be the cheapest and easiest solution for
handling PNGs and JPGs, but like Sebastian said it does depend on use
case. There are multiple AV scanners/solutions but many are paid
services. I've been using ClamAV for my email setup and it feels like
it's been sufficient. You would need to enable PNG/JPEG extensions for
ClamAV if that would be your plan and some sort of sandboxed environment
for clamav/imagemagick iirc.



P.S. I've just subscribed to this list, so please excuse me if I repeated
any information as I can't see this whole email thread.



 Shubo

On 6/20/2022 12:10 PM, Sebastian Rose wrote:
> Davide Prina  writes:
>> Corey H wrote:
>>> how do you guys test all of the potential PNG/JPG potential malware payloads
>
> What's your use-case? As I'm not aware of a vector for GNU/Linux in
> normal everyday use¹, I guess you host files for Windows clients?
>
> Did anyone mention ClamAV already? If so, please ignore me (sorry for
> not following closely...).
>
>
>   - Sebastian
>
>
> ¹ One can execute every file on GNU/Linux. But the attack is that
> execution of a file, not the file (otherwise we'd have to consider `rm',
> `gpg', `scp', and many more malware, too).


Re: How do you guys handle PNG/JPG binary files with potential payloads for all the image viewers?

2022-06-20 Thread Noah Meyerhans
On Mon, Jun 20, 2022 at 09:25:38AM -0700, Noah Meyerhans wrote:
> https://security-tracker.debian.org/tracker/source-package/imagemagick
> 
> If you're processing data (images, videos, audio files, etc) from
> unknown sources, it's a really good idea to use sandboxing of some kind,
> ensure that sandboxes are never reused, and to ensure that only the most
> minimal state possible (e.g. the output of the processing job) is
> preserved after execution.  The sandbox can use things like seccomp and
> apparmor to enforce containment.  Linux namespaces are useful as well: A
> private network namespace that doesn't have access to the outside world,
> a private mount namespace that has a unique root file system (ideally
> read-only), etc.
> 
> Containers, as implemented by podman, docker, and systemd-container can
> help here by providing convenient interfaces to these process isolation
> tools.

Sorry, hit send before I meant to.  The above is all about protecting
against new, unknown issues for which the mitigation isn't known.  For
protection against known issues, of course, you should simply make sure
you're running up-to-date versions of all your software.

noah



Re: How do you guys handle PNG/JPG binary files with potential payloads for all the image viewers?

2022-06-20 Thread Noah Meyerhans
On Mon, Jun 20, 2022 at 06:10:45PM +0200, Sebastian Rose wrote:
> >> how do you guys test all of the potential PNG/JPG potential malware 
> >> payloads
> 
> What's your use-case? As I'm not aware of a vector for GNU/Linux in
> normal everyday use¹, I guess you host files for Windows clients?

https://security-tracker.debian.org/tracker/source-package/imagemagick

If you're processing data (images, videos, audio files, etc) from
unknown sources, it's a really good idea to use sandboxing of some kind,
ensure that sandboxes are never reused, and to ensure that only the most
minimal state possible (e.g. the output of the processing job) is
preserved after execution.  The sandbox can use things like seccomp and
apparmor to enforce containment.  Linux namespaces are useful as well: A
private network namespace that doesn't have access to the outside world,
a private mount namespace that has a unique root file system (ideally
read-only), etc.

Containers, as implemented by podman, docker, and systemd-container can
help here by providing convenient interfaces to these process isolation
tools.

noah
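The containment Noah describes (fresh sandbox per job, no network, read-only root, only the job output preserved) combined with the ClamAV pass Shubo suggests, as an added shell example that is not part of the thread. It assumes podman (docker accepts the same flags) and an image providing ImageMagick's `convert`; `localhost/imagemagick-sandbox:latest` is a placeholder image name, and `in_sandbox`, `scan_known_bad` and `convert_untrusted` are helper names chosen here.

```shell
#!/bin/sh
# Added example, not code from the thread: process one untrusted image
# inside a fresh, throwaway container.  Assumes podman (docker works with
# the same flags); SANDBOX_IMAGE is a placeholder for an image that
# provides ImageMagick's `convert`.

SANDBOX_IMAGE="${SANDBOX_IMAGE:-localhost/imagemagick-sandbox:latest}"  # placeholder

# Run "$@" inside a one-shot container.  $1 = host dir bind-mounted read-only
# at /in, $2 = host dir mounted writable at /out (the only state that survives).
# --rm guarantees the sandbox is never reused.  Set RUNTIME=echo to print the
# command instead of running it.
in_sandbox() {
    in_dir="$1"; out_dir="$2"; shift 2
    "${RUNTIME:-podman}" run \
        --rm \
        --network none \
        --read-only \
        --tmpfs /tmp:rw,noexec,nosuid,size=64m \
        --cap-drop ALL \
        --security-opt no-new-privileges \
        --user 65534:65534 \
        --pids-limit 64 \
        --memory 512m \
        --volume "$in_dir:/in:ro" \
        --volume "$out_dir:/out:rw" \
        "$SANDBOX_IMAGE" "$@"
}

# Known-bad check: only runs if clamscan is installed (exit 1 = infected,
# 2 = scanner error, both rejected).  The sandbox covers what signatures miss.
scan_known_bad() {
    if command -v clamscan >/dev/null 2>&1; then
        clamscan --no-summary --infected "$1"
    fi
}

# Convert one image: scan, then run the image parser inside the sandbox.
# Usage: convert_untrusted /path/to/input.png /path/to/output.png
convert_untrusted() {
    in_file="$1"; out_file="$2"
    [ -f "$in_file" ] || { echo "not a regular file: $in_file" >&2; return 1; }
    scan_known_bad "$in_file" || return 1
    mkdir -p "$(dirname "$out_file")"
    in_dir=$(cd "$(dirname "$in_file")" && pwd)
    out_dir=$(cd "$(dirname "$out_file")" && pwd)
    in_sandbox "$in_dir" "$out_dir" \
        convert "/in/$(basename "$in_file")" "/out/$(basename "$out_file")"
}

if [ $# -eq 2 ]; then
    convert_untrusted "$1" "$2"
fi
```

The seccomp and AppArmor layers Noah mentions are attached with `--security-opt seccomp=<profile.json>` and `--security-opt apparmor=<profile>` on the same `run` line once you have profiles; the flags above already give a private network namespace, a read-only root, no capabilities and a hard process and memory ceiling, and nothing but /out outlives the container.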



Re: How do you guys handle PNG/JPG binary files with potential payloads for all the image viewers?

2022-06-20 Thread Sebastian Rose
Davide Prina  writes:
> Corey H wrote:
>
>> how do you guys test all of the potential PNG/JPG potential malware payloads

What's your use-case? As I'm not aware of a vector for GNU/Linux in
normal everyday use¹, I guess you host files for Windows clients?

Did anyone mention ClamAV already? If so, please ignore me (sorry for
not following closely...).


 - Sebastian


¹ One can execute every file on GNU/Linux. But the attack is that
execution of a file, not the file (otherwise we'd have to consider `rm',
`gpg', `scp', and many more malware, too).


-- 
As I was walking down Stanton Street early one Sunday morning, I saw a
chicken a few yards ahead of me.  I was walking faster than the chicken,
so I gradually caught up.  By the time we approached Eighteenth Avenue,
I was close behind.  The chicken turned south on Eighteenth.  At the
fourth house along, it turned in at the walk, hopped up the front steps,
and rapped sharply on the metal storm door with its beak. After a
moment, the door opened and the chicken went in.

  (Linda Elegant in "True Tales of American Life")



[SECURITY] [DSA 5166-1] slurm-wlm security update

2022-06-20 Thread Moritz Muehlenhoff
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

-------------------------------------------------------------------------
Debian Security Advisory DSA-5166-1   secur...@debian.org
https://www.debian.org/security/   Moritz Muehlenhoff
June 20, 2022 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package: slurm-wlm
CVE ID : CVE-2022-29500 CVE-2022-29501
Debian Bug : 1010633 1010634

Two security issues were discovered in the Simple Linux Utility for
Resource Management (SLURM), a cluster resource management and job
scheduling system, which could result in privilege escalation.

For the stable distribution (bullseye), these problems have been fixed in
version 20.11.7+really20.11.4-2+deb11u1.

We recommend that you upgrade your slurm-wlm packages.

For the detailed security status of slurm-wlm please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/slurm-wlm

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org



[SECURITY] [DSA 5165-1] vlc security update

2022-06-20 Thread Moritz Muehlenhoff
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

-------------------------------------------------------------------------
Debian Security Advisory DSA-5165-1   secur...@debian.org
https://www.debian.org/security/   Moritz Muehlenhoff
June 20, 2022 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package: vlc
CVE ID : not yet available

Multiple vulnerabilities were discovered in the VLC media player, which
could result in the execution of arbitrary code or denial of service if
a malformed file is opened.

For the oldstable distribution (buster), this problem has been fixed
in version 3.0.17.4-0+deb10u1.

For the stable distribution (bullseye), this problem has been fixed in
version 3.0.17.4-0+deb11u1.

We recommend that you upgrade your vlc packages.

For the detailed security status of vlc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/vlc

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org



External check

2022-06-20 Thread Security Tracker
CVE-2021-37404: TODO: check
CVE-2022-1836: RESERVED
CVE-2022-32250: TODO: check with MITRE, duplicate of now as well assigned CVE-2022-1966
--
The output might be a bit terse, but the above ids are known elsewhere,
check the references in the tracker. The second part indicates the status
of that id in the tracker at the moment the script was run.