Re: How do you guys handle PNG/JPG binary files with potential payloads for all the image viewers?
(Am I sending my emails right?? I selected "Reply All.")

>> how do you guys test all of the potential PNG/JPG potential malware payloads
> What's your use-case?

lol funny story. I downloaded all of the github.com links ripped from the blackarch main page (~8GB worth of repositories). ANYWAYS I wanted to see the pictures... start with the fun stuff first, right? So I went:

    find -type f \( -name '*.png' -o -name '*.jpg' \) -exec cp -f '{}' "$SOME_DIR" \;

hehe. Then I was like OMG what am I doing when I saw an image name called something like this: Parser < 7.png. WHOA. My heart raced. And I was like "I'm not ready for this." So then I started imagining all of the stuff in those 1000+ PNG/JPG files that I want to view with the ristretto image viewer, and I was like: No way. No freakin' way. I deleted all of the image files and then all of the cloned github.com repositories. NOT worth viewing. I don't care if `file myfile.png` says "PNG file" lol

On Mon, Jun 20, 2022 at 4:11 PM Sebastian Rose wrote:
> Davide Prina writes:
> > Corey H wrote:
> >
> >> how do you guys test all of the potential PNG/JPG potential malware payloads
>
> What's your use-case? As I'm not aware of a vector for GNU/Linux in
> normal everyday use¹, I guess you host files for Windows clients?
>
> Did anyone mention ClamAV already? If so, please ignore me (sorry for
> not following closely...).
>
> - Sebastian
>
> ¹ One can execute every file on GNU/Linux. But the attack is that
> execution of a file, not the file (otherwise we'd have to consider `rm',
> `gpg', `scp', and many more malware, too).
>
> --
> As I was walking down Stanton Street early one Sunday morning, I saw a
> chicken a few yards ahead of me. I was walking faster than the chicken,
> so I gradually caught up. By the time we approached Eighteenth Avenue,
> I was close behind. The chicken turned south on Eighteenth. At the
> fourth house along, it turned in at the walk, hopped up the front steps,
> and rapped sharply on the metal storm door with its beak. After a
> moment, the door opened and the chicken went in.
>
> (Linda Elegant in "True Tales of American Life")
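Corey's point that `file myfile.png` saying "PNG" proves nothing is correct: `file` matches the eight-byte signature and a few header fields and stops there. A structural walk of the chunk list catches a different class of junk (bad CRCs, oversized chunks, truncated or trailing data, absurd dimensions) before any viewer or ImageMagick ever decodes the file. The code below is an added example written for this thread, not something Corey or any project posted; it uses only the Python standard library, builds its own 1x1 test PNG inline, and the size limits (16 MiB per chunk, 16384 px per side) are placeholder values chosen here, not standards. A clean result means the framing is sane; it says nothing about the decoder being bug-free, so it complements sandboxing rather than replacing it.

```python
"""Structural sanity check for PNG data before a viewer touches it (added example)."""
import struct
import zlib
from typing import List

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png_1x1() -> bytes:
    """Constructed sample input: a valid 1x1 8-bit RGB PNG with one red pixel."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, depth, colour type RGB
    idat = zlib.compress(b"\x00" + b"\xff\x00\x00")      # filter byte 0 + one pixel
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))


def validate_png(data: bytes, max_chunk: int = 16 * 1024 * 1024,
                 max_dim: int = 16384) -> List[str]:
    """Walk the chunk list and return a list of structural problems.
    An empty list means the framing is consistent; limits are placeholders."""
    problems: List[str] = []
    if not data.startswith(PNG_SIG):
        return ["bad signature"]
    pos = len(PNG_SIG)
    first = True
    while pos < len(data):
        if len(data) - pos < 12:                      # length + type + CRC minimum
            problems.append(f"truncated chunk header at offset {pos}")
            break
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        name = ctype.decode("latin1")
        if not all(65 <= b <= 90 or 97 <= b <= 122 for b in ctype):
            problems.append(f"non-alphabetic chunk type at offset {pos}")
            break
        if length > max_chunk:                        # refuse to walk absurd lengths
            problems.append(f"{name} length {length} exceeds limit")
            break
        body = data[pos + 8:pos + 8 + length]
        if len(body) < length or len(data) < pos + 12 + length:
            problems.append(f"{name} chunk truncated")
            break
        stored_crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if stored_crc != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            problems.append(f"{name} CRC mismatch")
        if first and ctype != b"IHDR":
            problems.append(f"first chunk is {name}, not IHDR")
        if ctype == b"IHDR":
            if length != 13:
                problems.append("IHDR length is not 13")
            else:
                width, height = struct.unpack(">II", body[:8])
                if not (0 < width <= max_dim and 0 < height <= max_dim):
                    problems.append(f"suspicious dimensions {width}x{height}")
        first = False
        pos += 12 + length
        if ctype == b"IEND":                          # anything after IEND is not PNG
            if pos != len(data):
                problems.append(f"{len(data) - pos} trailing bytes after IEND")
            break
    else:
        problems.append("no IEND chunk")              # loop ran out without IEND
    return problems


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        found = validate_png(fh.read())
    print("structurally sane" if not found else "; ".join(found))
```

Running it over a directory of downloaded images gives a cheap first triage list; files with trailing data after IEND or CRC mismatches are the ones to look at last, and only inside a sandbox.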
Re: How do you guys handle PNG/JPG binary files with potential payloads for all the image viewers?
I feel like ClamAV would be the cheapest and easiest solution for handling PNGs and JPGs, but like Sebastian said it does depend on use case. There are multiple AV scanners/solutions but many are paid services. I've been using ClamAV for my email setup and it feels like it's been sufficient. You would need to enable PNG/JPEG extensions for ClamAV if that would be your plan, and some sort of sandboxed environment for clamav/imagemagick iirc.

P.S. I've just subscribed to this list, so please excuse me if I repeated any information, as I can't see this whole email thread.

Shubo

On 6/20/2022 12:10 PM, Sebastian Rose wrote:
> Davide Prina writes:
> > Corey H wrote:
> >> how do you guys test all of the potential PNG/JPG potential malware payloads
>
> What's your use-case? As I'm not aware of a vector for GNU/Linux in
> normal everyday use¹, I guess you host files for Windows clients?
>
> Did anyone mention ClamAV already? If so, please ignore me (sorry for
> not following closely...).
>
> - Sebastian
>
> ¹ One can execute every file on GNU/Linux. But the attack is that
> execution of a file, not the file (otherwise we'd have to consider `rm',
> `gpg', `scp', and many more malware, too).
Re: How do you guys handle PNG/JPG binary files with potential payloads for all the image viewers?
On Mon, Jun 20, 2022 at 09:25:38AM -0700, Noah Meyerhans wrote:
> https://security-tracker.debian.org/tracker/source-package/imagemagick
>
> If you're processing data (images, videos, audio files, etc) from
> unknown sources, it's a really good idea to use sandboxing of some kind,
> ensure that sandboxes are never reused, and to ensure that only the most
> minimal state possible (e.g. the output of the processing job) is
> preserved after execution. The sandbox can use things like seccomp and
> apparmor to enforce containment. Linux namespaces are useful as well: A
> private network namespace that doesn't have access to the outside world,
> a private mount namespace that has a unique root file system (ideally
> read-only), etc.
>
> Containers, as implemented by podman, docker, and systemd-container can
> help here by providing convenient interfaces to these process isolation
> tools.

Sorry, hit send before I meant to. The above is all about protecting against new, unknown issues for which the mitigation isn't known. For protection against known issues, of course, you should simply make sure you're running up-to-date versions of all your software.

noah
Re: How do you guys handle PNG/JPG binary files with potential payloads for all the image viewers?
On Mon, Jun 20, 2022 at 06:10:45PM +0200, Sebastian Rose wrote:
> >> how do you guys test all of the potential PNG/JPG potential malware
> >> payloads
>
> What's your use-case? As I'm not aware of a vector for GNU/Linux in
> normal everyday use¹, I guess you host files for Windows clients?

https://security-tracker.debian.org/tracker/source-package/imagemagick

If you're processing data (images, videos, audio files, etc) from unknown sources, it's a really good idea to use sandboxing of some kind, ensure that sandboxes are never reused, and to ensure that only the most minimal state possible (e.g. the output of the processing job) is preserved after execution. The sandbox can use things like seccomp and apparmor to enforce containment. Linux namespaces are useful as well: A private network namespace that doesn't have access to the outside world, a private mount namespace that has a unique root file system (ideally read-only), etc.

Containers, as implemented by podman, docker, and systemd-container can help here by providing convenient interfaces to these process isolation tools.

noah
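Noah's advice maps almost one-to-one onto container run flags. The following is an added example (my code, not Noah's and not from podman or ImageMagick) of a small wrapper that re-encodes one untrusted image inside a throwaway podman container: a fresh container per job, no network namespace connectivity, a read-only root, only the output directory writable, all capabilities dropped, no privilege escalation, memory and process ceilings, and a hard timeout. It assumes podman is installed and that a local image tagged `localhost/imgconv` (a hypothetical name) exists with ImageMagick's `convert` inside; podman applies its default seccomp and AppArmor confinement on top of these flags, and a stricter profile can be supplied with `--security-opt seccomp=` or `--security-opt apparmor=`.

```python
"""Re-encode an untrusted image inside a single-use, network-less container (added example)."""
import subprocess
from pathlib import Path
from typing import List

# Hypothetical image tag; assumed to contain ImageMagick's `convert`.
IMAGE = "localhost/imgconv"


def build_podman_args(src, out_dir, image: str = IMAGE) -> List[str]:
    """Assemble the podman command line. Each flag is one piece of the thread's
    advice: never reuse the sandbox, no outside network, immutable root, only
    /out survives, no capabilities, no setuid escalation, bounded resources."""
    src = Path(src).resolve()
    out_dir = Path(out_dir).resolve()
    return [
        "podman", "run",
        "--rm",                                        # container discarded after the job
        "--network", "none",                           # private netns with no route out
        "--read-only",                                 # root filesystem cannot be modified
        "--tmpfs", "/tmp:rw,noexec,nosuid,size=64m",   # scratch space, nothing executable
        "--cap-drop", "ALL",                           # no Linux capabilities at all
        "--security-opt", "no-new-privileges",         # setuid binaries cannot gain privilege
        "--pids-limit", "64",                          # fork-bomb ceiling
        "--memory", "256m",                            # decompression-bomb ceiling
        "--volume", f"{src}:/in/image:ro",             # input mounted read-only
        "--volume", f"{out_dir}:/out:rw",              # the only state that persists
        image,
        "convert", "/in/image", "/out/safe.png",       # re-encode into a fresh file
    ]


def process_untrusted_image(src, out_dir, timeout: int = 30) -> bool:
    """Run the job; True only if it exited cleanly within the timeout and wrote
    its output. A timeout or non-zero exit means 'reject the file'."""
    src = Path(src)
    out_dir = Path(out_dir)
    if not src.is_file():
        raise FileNotFoundError(src)
    out_dir.mkdir(parents=True, exist_ok=True)
    try:
        result = subprocess.run(build_podman_args(src, out_dir),
                                timeout=timeout, capture_output=True)
    except subprocess.TimeoutExpired:
        return False                                   # hung decoder: treat as hostile
    return result.returncode == 0 and (out_dir / "safe.png").is_file()


if __name__ == "__main__":
    import sys
    accepted = process_untrusted_image(sys.argv[1], sys.argv[2])
    print("accepted" if accepted else "rejected")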
Re: How do you guys handle PNG/JPG binary files with potential payloads for all the image viewers?
Davide Prina writes:
> Corey H wrote:
>
>> how do you guys test all of the potential PNG/JPG potential malware payloads

What's your use-case? As I'm not aware of a vector for GNU/Linux in normal everyday use¹, I guess you host files for Windows clients?

Did anyone mention ClamAV already? If so, please ignore me (sorry for not following closely...).

- Sebastian

¹ One can execute every file on GNU/Linux. But the attack is that execution of a file, not the file (otherwise we'd have to consider `rm', `gpg', `scp', and many more malware, too).

--
As I was walking down Stanton Street early one Sunday morning, I saw a chicken a few yards ahead of me. I was walking faster than the chicken, so I gradually caught up. By the time we approached Eighteenth Avenue, I was close behind. The chicken turned south on Eighteenth. At the fourth house along, it turned in at the walk, hopped up the front steps, and rapped sharply on the metal storm door with its beak. After a moment, the door opened and the chicken went in.

(Linda Elegant in "True Tales of American Life")
[SECURITY] [DSA 5166-1] slurm-wlm security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5166-1                   secur...@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 20, 2022                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : slurm-wlm
CVE ID         : CVE-2022-29500 CVE-2022-29501
Debian Bug     : 1010633 1010634

Two security issues were discovered in the Simple Linux Utility for Resource Management (SLURM), a cluster resource management and job scheduling system, which could result in privilege escalation.

For the stable distribution (bullseye), these problems have been fixed in version 20.11.7+really20.11.4-2+deb11u1.

We recommend that you upgrade your slurm-wlm packages.

For the detailed security status of slurm-wlm please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/slurm-wlm

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmKwRj0ACgkQEMKTtsN8
TjbV3g/8DV4kpbjRrWuI9H3wP+g0RV55cjr3kMAyjRTyGEDOTaISQdCov9dKGtUT
RWOR+XCar+cDR54fPrSGbB9vi4m3bZeo/4YeVyo2B3DTsAiHo595t5eF7m/z6mub
XHtSwDDoseMQSV+DJ7SBCr4edmJzDUp2HxCW6KHNKFQkwHyWg3NOdS9LkTT6aJOk
54D5qKpIdzO04xdaLau+rgbDyz0LMDkn++XeUVAvKo5DBfiJzgOaGV2GhyzL6DWo
FD2cQ7UQQ4a/RQsIQm2NSq2IC1u1l40vBUyNn+ZRxwvmv1XSDbQpScpvwFa9X0E/
JfKUpbv0QJCb6HbqBtD4I+tV+Yd/RvOQl2TVcNL8hzLpwCuhRyDbKCVKXMtOpeji
+JKROGH7uoPnTq3VvBDA9G5dIL8d54sVWIY5AJ2jxNOWMIsNpVIxgaieWiMlx4xV
fZQd5YyMWBvpBUFystqNlb4t4Fbu/IPi7X/cDbz6DFsZXq/+BDFG+1PGoNYanxHS
Lv6iRoPKzC+iKKq4zk4wYCK7xuROuOqi5w1uOxTyriuLL1SgQQcQZmyhvNdZDRFC
yLUELrLxCUViUuWk9QQlSbscraYZ/YVo7LwFOOe70HHVdSS41HORjXrY7V1dR7hO
A0f5nVWUx/p+788Fa/KWsxb7zeVZd9mij5zfp4IyZhMpgGFAev8=
=kFp/
-----END PGP SIGNATURE-----
[SECURITY] [DSA 5165-1] vlc security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5165-1                   secur...@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 20, 2022                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : vlc
CVE ID         : not yet available

Multiple vulnerabilities were discovered in the VLC media player, which could result in the execution of arbitrary code or denial of service if a malformed file is opened.

For the oldstable distribution (buster), this problem has been fixed in version 3.0.17.4-0+deb10u1.

For the stable distribution (bullseye), this problem has been fixed in version 3.0.17.4-0+deb11u1.

We recommend that you upgrade your vlc packages.

For the detailed security status of vlc please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/vlc

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmKwRjcACgkQEMKTtsN8
TjaWHRAAo7JX2Cl7dsY++UxmCWi8JEdhlzfaL/k7m3coORLQSoWxLvpdap7qnrFj
C2xt/iD/svK/zSWHPsvMTYvhrH1bzfkS3yf6XhCW2HE4Q3tIx1OYDCdnjOurMD8A
pJ6TyCXQHLM67Fie1Pf7R5kXlPM83UZMDrnH8gcHBp6GKi13Fj/0CFDdnDT2OXhy
x+o/Nepl47fIkagbSPggDWy4pKeOElFppWuGqtzLJAwQy7+A79p+W0YRPg5ykTGK
l+dqIPDbj4ERZ0h7tizueJkDTHTwgpnexgfH3N+wbcyQja5XJaGQhl93uHR5OV2o
ecZaad0lOchj6WEbztU1SeY/c5RZk1Hbknmocn+ghTx+6baUf20uJxJoA6ki86v/
YQ8LAQOA/SwcA/akS0tC5BNNnMVgqktWX9zdgidRNuhjcGLYjSN75oBD5i1x9qZu
oZHlqIUWL5ynut7FG0cIXzFgM9QH60O1ewFbW0w5Sz4dvHPLaM0iMMWTdFskwEjT
nn3pozqiHoJjZJIs825TDYf+BSd0lUSTdKpY5CNU+yC3yN14gHUYl/3aIvZL7284
GzD1cxUUXMj0rK2LENkR+KYIf8ZcmnBsTslqGjJtzfUTcBFVG9h3+9/rmiVX/QeW
Z2/mNBDHjzpEut2G2hTmMqssDB7FgeaqamZ8YQZKGnulY1O5rho=
=I7KP
-----END PGP SIGNATURE-----
External check
CVE-2021-37404: TODO: check
CVE-2022-1836: RESERVED
CVE-2022-32250: TODO: check with MITRE, duplicate of now as well assigned CVE-2022-1966

--
The output might be a bit terse, but the above ids are known elsewhere, check the references in the tracker. The second part indicates the status of that id in the tracker at the moment the script was run.