PNG pongs: critical bug patched in ubiquitous libpng

This will not be fun: the graphics processing library libpng has a vulnerability and needs to be patched. The problem for that is that libpng is everywhere – in browsers, anything that processes photos to produce thumbnails, file browsers, music players, in applications in every operating system. The bug is a simple denial-of …

  1. Chris Gray 1
    Linux

    patching...

    So, the good folks working on Ubuntu will have patches for my computer in a day or two.

    My phone, however, will quite possibly never get a patch (over 2 years old).

    Anyone know how patches for Ubuntu phones are handled?

    1. Cirdan
      Linux

      Re: patching...

      Ubuntu phone patches?

      It's open source, baby! Compile your own!

      (Yeah, no, me neither... I could, but...)

      ...Cirdan...

      1. Anonymous Coward
        Linux

        Re: patching...

        And don't forget to make the patches available to others...

        1. Vic

          Re: patching...

          And don't forget to make the patches available to others...

          libpng is distributed under the zlib license. It does not require you to pass on source under any conditions.

          Vic.

          1. Anonymous Coward
            Anonymous Coward

            Re: patching...

            Sure -- just get the carriers to agree...

  2. This post has been deleted by its author

  3. cantankerous swineherd

    just the 18 libpng*.dll on my machine.

    biggest wtf? one of them belongs to bleachbit :-(

    1. Anonymous Coward
      Anonymous Coward

      ?

      What are you trying to tell us?

  4. Anonymous South African Coward Bronze badge

    expect some ne'er-do-well to combine stagefright and all the other fun android packages into one...

  5. Charlie Clark Silver badge

    News?

    This will not be fun: the graphics processing library libpng has a vulnerability and needs to be patched.

    Why should it be fun?

    Why is it news? It's news if the patches aren't available. But they are.

    1. Anonymous Coward
      Anonymous Coward

      Re: News?

      Well, on systems that don't handle multiple versions of global libraries very well ("DLL hell"), developers tend to statically link libraries in with their own executable. Especially insignificant ones like libpng. Therefore, libpng becomes part of their application rather than an external library.

      Now good luck identifying which proprietary applications use libpng, and then getting them to fix their software.

  6. Anonymous Coward
    Anonymous Coward

    Not Android, not Chrome: both use other, unaffected PNG libraries. ASLR will also mitigate it in the real world.

  7. phil dude
    Coat

    sourceforge....

    I thought they closed down?

    I mean, my browser screams warnings when I go to their site....

    P.

  8. IJC
    Mushroom

    So all those eyeballs missed another one?

    So how is open source more secure again? How do all those extra eyes for testing work?

    If this was Windows all the Linux kiddies would be screaming from the rooftops about how bad MS are.

    Bunch of hypocrites.

    Roll on the down votes, bigots.

    1. John Brown (no body) Silver badge

      Re: So all those eyeballs missed another one?

      "If this was Windows"... you'd get an anonymous "fix" "next Tuesday" (but which month?) that may or may not let you know that your system was more vulnerable than usual for the last n months.

      And "bigot?" You don't know what that word means if you think it applies here.

    2. Anonymous Bullard
      WTF?

      Re: So all those eyeballs missed another one?

      So how is open source more secure again? How do all those extra eyes for testing work?

      Huh? The bug was found, a fix was made before the announcement, everyone can see exactly where the bug was and can learn from it. That's open source working its magic. The extra eyeballs spotted something.

      If it were proprietary, the bug would still exist. Those few with access to the source code are too busy implementing new features to audit old code - they might not even have the skills to. The only way for an outsider to spot that bug would be to reverse engineer the binary and the vast majority of people who are motivated enough to do that don't do it for the benefit of the community.

      And let's say someone with good intentions did raise the alarm... how soon would a patch be made? Would it even be made public (in fear of bad PR)?

      In this instance, the extra eyes have just done their job. More eyes mean more bugs found, resulting in the product being more secure as time moves on. How can someone potentially in the IT industry be naive enough to mock that?

      Another point, I bet there is plenty of proprietary software out there that has libpng statically linked (the library is embedded in the executable). How are we supposed to identify which applications, and who's going to fix it?

      [side note: Even Microsoft have started to realise the strength of open source]
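The inventory problem raised here and in the reply to comment 5 (which proprietary applications carry their own statically linked copy of libpng, and which of the many libpng DLLs on a machine are old) can be approached with a string scan. The following Python script is an added example, not from the article or any commenter: it walks a directory tree and looks for the banner libpng compiles into its own code ("libpng version X.Y.Z", the string returned by png_get_copyright / png_get_header_version), which survives static linking unless the build was stripped of that string data, so absence of a hit is not proof of absence. The files it scans are constructed stand-ins written to a temporary directory, not real binaries, and the threshold version passed to demo_scan is a placeholder to be replaced with the version your vendor's advisory names.

```python
"""Heuristic inventory of binaries that embed a copy of libpng.

Added example, not code from The Register article or its commenters.
Assumption: a linked-in libpng keeps its banner 'libpng version X.Y.Z'
in the binary. Stripped or otherwise modified builds can defeat this.
"""
import os
import re
import tempfile
from pathlib import Path

BANNER_RE = re.compile(rb"libpng version (\d+\.\d+\.\d+)")
CHUNK = 1 << 20   # read files in 1 MiB pieces so large binaries are not loaded whole
OVERLAP = 64      # carry the tail of the previous piece so a banner split across pieces is found


def scan_file(path):
    """Return the first libpng version string embedded in `path`, or None."""
    tail = b""
    try:
        with open(path, "rb") as fh:
            while True:
                chunk = fh.read(CHUNK)
                if not chunk:
                    return None
                m = BANNER_RE.search(tail + chunk)
                if m:
                    return m.group(1).decode("ascii")
                tail = chunk[-OVERLAP:]
    except OSError:
        return None  # unreadable file: report nothing rather than abort the walk


def find_embedded_libpng(root, suffixes=(".exe", ".dll", ".so", "")):
    """Walk `root` and return sorted (relative path, version) for every hit.

    The empty suffix covers Unix executables that have no extension.
    """
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            if p.suffix.lower() not in suffixes or p.is_symlink():
                continue
            ver = scan_file(p)
            if ver:
                hits.append((p.relative_to(root).as_posix(), ver))
    return sorted(hits)


def is_older_than(version, fixed):
    """True if dotted version `version` sorts below `fixed` (numeric compare)."""
    return tuple(map(int, version.split("."))) < tuple(map(int, fixed.split(".")))


def make_sample_tree(root):
    """Write constructed sample files (not real binaries) for a demo run."""
    root = Path(root)
    (root / "app").mkdir()
    # constructed: an application with an old libpng statically linked in
    (root / "app" / "viewer.exe").write_bytes(
        b"MZ\x90\x00" + b"\x00" * 200
        + b"libpng version 1.2.50 - July 10, 2012\n"
        + b"Copyright (c) 1998-2012 Glenn Randers-Pehrson" + b"\x00" * 100)
    # constructed: a separately shipped libpng DLL
    (root / "app" / "libpng16.dll").write_bytes(
        b"MZ" + b"\x00" * 50 + b"libpng version 1.6.20 - December 3, 2015" + b"\x00" * 50)
    # constructed: a binary that does not contain libpng at all
    (root / "app" / "other.exe").write_bytes(b"MZ" + b"\x00" * 300)
    return root


def demo_scan(fixed="1.6.20"):
    """Build the constructed tree in a temp dir, scan it, return (path, version, older) rows.

    `fixed` is a placeholder threshold; substitute the version your advisory names.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = make_sample_tree(tmp)
        return [(p, v, is_older_than(v, fixed)) for p, v in find_embedded_libpng(root)]


if __name__ == "__main__":
    for path, ver, older in demo_scan():
        print(f"{path}: libpng {ver} ({'OLDER than threshold' if older else 'ok'})")
```

To run it against a real machine, call find_embedded_libpng on a directory such as C:\Program Files and pass the advisory's fixed version to is_older_than; each hit is a candidate for a vendor update rather than proof of exploitability, since a static copy may have been built with the affected code paths compiled out.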

  9. John Brown (no body) Silver badge

    In everything?

    Oh, so that's why the PNG port was the only thing I had to update this morning. "Everything" else just loads libpng as and when they need it. Why would software hard code an external library into itself?

    1. Anonymous Coward
      Anonymous Coward

      Re: In everything?

      "Why would software hard code an external library into itself?"

      Ease of deployment.

      Consider operating systems that don't have a central software repository or a working shared library environment. When deploying to these platforms, your installation routine can't just say "Hey, I need libpng - make it so!". So, you either bundle the library with yours (requiring more baggage), or just glue it to your exe and forget about it.

  10. Chris Gray 1
    Thumb Up

    Ubuntu patched this morning

    For the record, the patches came through from Ubuntu this morning. I'm in western Canada for timezone.
