[GTALUG] why I like shared libraries -- no longer a popular position
mwilson at Vex.Net
Sat Sep 23 03:22:42 EDT 2023
> <https://arstechnica.com/security/2023/09/incomplete-disclosures-by-apple-and-google-create-huge-blindspot-for-0-day-hunters/>
>
> A bug was found (painfully -- a zero day) in Apple's Safari and
> (separately) in Google's Chrome. This is a pretty serious bug -- it was
> used to spy on an opposition politician in Egypt.
>
> It is the same bug, and this was not reported.
>
> It turns out that the bug is in libwebp. "WebP codec is a library to
> encode and decode images in WebP format."
>
> libwebp is used in a lot of programs. On my Fedora 38 system, it is a
> shared library so it can be fixed in one update. Except where the library
> is copied (for example, statically linked, or used in a container of some
> sort).
>
> Electron is one thing that requires copies and the article lists a lot of
> applications built on Electron
>
> What a mess. What a mistake.
By shared libraries you don't mean libsomething.so, right? You mean
everybody in the world using code they got from Somebody.

I'm just a little worried these days about the new .avif format.
ImageMagick handles it in the Debian 12 distribution, but it hasn't made it
to the current Raspberry Pi OS. A libavif exists, but seems to be
controversial and hard to find.

Everybody's choice of fallback seems to be libheif. libheif depends on
libde265. libde265 is said to have no dependencies, but wouldn't (IIRC)
install without finding something involving SSL2. Finally, ImageMagick
was built, but libheif won't actually do anything without a separate
codec, which it can obtain from libaom. The libaom from a Google git
site throws up fatal compile errors. So there I am.

So the question arose in my mind: "What the heck IS this stuff?"

Since it's 3 AM and my mind is freewheeling, I ponder: "If I were a
well-funded system attacker, don't new image file formats look like a fine
way to get everybody to install brand new, kind-of-obscure library code
(libaom.so on Debian 12 is 5 megabytes) without asking embarrassing
questions?"