Subject: Re: Image browser
To: None <netbsd-users@NetBSD.org>
From: Christian Biere <christianbiere@gmx.de>
List: netbsd-users
Date: 08/19/2004 13:52:05

Johnny Billquist wrote:
> On Thu, 19 Aug 2004, Christian Biere wrote:
> > graphics/xv is surely an interesting program. The reasons it is still in
> > pkgsrc are beyond me. Just an example:

> The fact that I've yet to see a smaller, more efficient program, that can
> display just about any type of image I throw at it, is reason enough to
> use it for me.

IrfanView but that's windoze only. ;) gqview isn't so bad. However, you
probably won't find something smaller and more "efficient" than xv.
Safety, sanity and security have their price e.g., well-known, maintained
libraries instead of doing everything on its own. And libraries add bloat
because nobody needs all that. We're approaching a point where people
don't care and hardly notice a bulky JVM - some might even be past it.
Also many of the traditional and "super-efficient" tools derive from a
time when people didn't use the internet - at least not the WWW - and
if someone wanted to exploit someone's machine he had to know him in
person and would probably need local access even.

> Show me a better one, if you can.

There are a couple of things in pkgsrc/graphics which are not known to
have that many bugs. Nothing's completely secure or safe, of course.
You can only prove that there is something, you can't prove there
is not anything - at least the latter would be *much* more difficult
in the average case. Especially since xv is so old, I'd guess that
its bugs are widely known and exploits are at least passively used.
You probably wouldn't use it to go after someone but you might put
a picture on your web page and just wait until your little exploit
phones home or just mess a little with the victim's data, whatever.
I agree that xv has a couple of features you won't find combined
in another single program e.g., setting the root window, converting
files instead of just viewing etc.
OTOH, this is exactly what other programs and OSs are blamed for -
doing too much but nothing really as good as they should.

> And the fact that you can segfault it by
> throwing junky filenames at it is not something that you'll get me to
> raise an eyebrow about.

Think again. xv uses sprintf() instead of snprintf() and it uses *a lot*
of local (stack-based) buffers with arbitrary sizes, often as low as
64 bytes to hold a filename... If none of this is exploitable, I'd be
utmost surprised. Look, until one or two(?) years ago there was a format
string bug which could be exploited by using a filename containing a %. This
is not unlikely even with half-broken web clients e.g.:

	just%20some%20file.jpg

xv is not a web browser so it's not connected to the internet all the
time and there are probably easier ways to hack into one's machine.
OTOH, it's a timebomb and sooner or later it might bite you. I mean
people pissed their pants over sillier bugs.

> (I could say that honest good old programs that work right when used
> properly are much preferred to Windows-wannabee-programs but then I'd
> start a religious war as well)

> 	(Who still use tcsh, ctwm, and plain xterm windows)

I don't need or use a desktop environment either. And far too many
people write GUIs (and programs in general) with windoze in mind - simply
because that's where they come from. That's surely a disease but keepin'
it buggy just because it's elite and old-school, isn't anything to be
proud of either.

P.S.: I've actually submitted a patch for an older bug to the author
and pkgsrc. It got fixed in the latter but the author never answered,
so don't blame me for not providing a fix. It would be just a waste
of time and xv is so full of it that writing it from scratch would
be easier.

--
Christian

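The two coding problems named in the message above (sprintf() into a small stack buffer, and a filename reaching a printf-style function as the format string) are shown here next to their bounded form. This is an added example, not part of the original message and not xv code; `make_title`, `count_percent`, the "xv: " prefix and the sample filenames are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 64   /* the small fixed buffer size the message mentions */

/* Hypothetical helper (not from xv). The pattern the message criticises is:
 *     char buf[64]; sprintf(buf, "xv: %s", fname);   (no bound on fname)
 *     sprintf(buf, fname);                           (fname used as format)
 * Here the filename is only ever data for "%s", the write is bounded by the
 * destination size, and truncation is an error instead of a silent cut.
 * Returns 0 on success, -1 if the title does not fit or on bad arguments. */
int make_title(char *dst, size_t dstlen, const char *fname)
{
    if (dst == NULL || dstlen == 0 || fname == NULL)
        return -1;
    int n = snprintf(dst, dstlen, "xv: %s", fname);
    if (n < 0 || (size_t)n >= dstlen) {
        dst[0] = '\0';            /* never hand back a half-written name */
        return -1;
    }
    return 0;
}

/* Count '%' characters. "just%20some%20file.jpg" is harmless as a "%s"
 * argument, but each '%' starts a conversion if the name is the format. */
size_t count_percent(const char *s)
{
    size_t n = 0;
    for (; *s != '\0'; s++)
        if (*s == '%')
            n++;
    return n;
}

int main(void)
{
    char title[NAME_BUF];
    char longname[200];           /* constructed oversized filename */
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    const char *samples[] = { "photo.jpg", "just%20some%20file.jpg", longname };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = make_title(title, sizeof title, samples[i]);
        printf("rc=%d percents=%zu title=\"%s\"\n",
               rc, count_percent(samples[i]), title);
    }
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` (GCC and Clang) flags calls where a non-literal string is passed as the format argument.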