
Re: C file recognized as image file


From: Chris Moore
Subject: Re: C file recognized as image file
Date: Wed, 10 Jan 2007 00:24:00 +0100
User-agent: Gnus/5.11 (Gnus v5.11) Emacs/22.0.92 (gnu/linux)

Richard Stallman <address@hidden> writes:

> There are two different possible ways to exploit such a bug:
>
> 1. Ways that operate directly on the file system, for which it
> makes no difference from which program the library is run.

This is the way that would almost certainly be used.

> If the virus works in the former way, it could do the same harm if you
> display the image with qiv.

Imagine that 'image' is called mymode.txt.  I would never think of
displaying it with qiv.  As far as I know, it's a text file, so I open
it in Emacs.  I might open it in vi (but that wouldn't display it as
an image) or maybe gedit (and that wouldn't, either).  I might use
'less' or 'cat' (if it was little).  They would both be safe, too.
Emacs is the only program I know which both:
  * I would consider using to open a .txt file and
  * would display it as an image without warning if it was a disguised
    image file.

Incidentally, I hadn't heard of qiv before, but I just installed it to
see how it works.  It refuses to display images which are
disguised as .txt files:

  address@hidden:/tmp$ qiv foo.jpg                [image displays]
  address@hidden:/tmp$ cp foo.jpg foo.txt
  address@hidden:/tmp$ qiv foo.txt
  qiv: cannot load any images.
  qiv (Quick Image Viewer) v2.0
  Usage: qiv [options] files ...
  See 'man qiv' or type 'qiv --help' for options.
  address@hidden:/tmp$ 

This is sensible behaviour.  Displaying foo.txt as an image without
warning the user first isn't sensible, IMHO.

> Protecting Emacs would be like stuffing insulation in the crack
> under the door while the window is wide open.  Such exploits have to
> be blocked, and avoided, in the libraries concerned.

They are being.  Maybe the image libraries are all perfectly secure
now.  But just as we are still finding new bugs in Emacs after 30
years, I really don't think we've seen the last image library
vulnerability yet.

> 1. Validate the image data before calling the library (or better, in
> the library).

The libraries do take steps to validate the image data, but since they
are written and maintained by human beings, they are prone to contain
errors.

> 2. Have Emacs run the library in a separate program rather than in
> its own address space.  This reduces the Emacs case to the qiv case.

I don't think we need to worry about specific attacks against Emacs.

> It is not clear to me what the answer to that question is.  It is
> about the magnitude of X/Y where X and Y are both getting large.

When I used to run Windows, I ran a virus scanner.  It would scan
every executable file before writing it to disk and before running it,
and every few days it would scan around 200,000 files on my hard disk.
I ran it for over a year.  In all that time it only found and blocked
one virus.

In this case X/Y is 1/30,000,000 or so.  Was it worth wasting all that
time scanning 29,999,999 clean files to prevent just one virus being
installed?  What price is the average user willing to pay to prevent
having their keypresses logged and transferred to a stranger, or to
prevent their Internet banking details being stolen?
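
The policy argued for in this message, as an added sketch that is not part of the original post and is not Emacs or qiv code: image data is handed to a decoder silently only when the file name also claims to be that kind of image, and a mismatch such as foo.txt holding JPEG data requires confirmation first. The signature table, the function names and the sample bytes are assumptions constructed for illustration.

```python
import os

# Leading-byte signatures for a few common image formats (illustrative subset).
MAGIC = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"II*\x00", "tiff"),
    (b"MM\x00*", "tiff"),
]

# Extensions under which a user expects the file to be treated as an image.
IMAGE_EXTS = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png",
    ".gif": "gif", ".tif": "tiff", ".tiff": "tiff",
}


def sniff_image_type(head: bytes):
    """Return the image type implied by the leading bytes, or None."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return None


def classify(filename: str, head: bytes) -> str:
    """Decide how an editor should open the file.

    'text'    - content is not a known image; no image library is called
    'image'   - name and content agree; decode without asking
    'confirm' - content is an image but the name says otherwise; ask first
    """
    sniffed = sniff_image_type(head)
    if sniffed is None:
        return "text"
    claimed = IMAGE_EXTS.get(os.path.splitext(filename)[1].lower())
    return "image" if claimed == sniffed else "confirm"


# Constructed sample inputs (not taken from any real file).
JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
LISP_HEAD = b";;; mymode.el --- a major mode\n"

if __name__ == "__main__":
    for name, head in [("foo.jpg", JPEG_HEAD), ("foo.txt", JPEG_HEAD),
                       ("mymode.txt", LISP_HEAD), ("foo.png", JPEG_HEAD)]:
        print(f"{name:12} -> {classify(name, head)}")
```
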



