Game-music-emu exploit in Ubuntu

Is Your Linux Secure? Check Out Whether A Newly Found Vulnerability Affects Your Distro

Updated 18 Dec, 2016

A  security hole found in Fedora 25 and Ubuntu 16.04 (and possibly in many other Linux distributions) can potentially manipulate users data.

By manipulate I mean an attacker could either steal, delete, modify or do all of these actions together, with relative ease, to the precious files stored on your PC.

The exploit which was discovered recently by security researcher Chris Evans[1], makes use of a game music emulation library pulled in by the Gstreamer media framework in order to provide support for playing music files of consoles such as Nintendo, Game Boy and others.

In reality it means that if you opted for mp3 support while installing Ubuntu or have later on enabled that support then your desktop is probably under the risk of the herein vulnerability.

Fedora users on the other hand, have little extra circle of security as the distribution maintainers split the relevant package (gstreamer1-plugins-bad) into multiple packages thus having the vulnerable part lie under gstreamer1-plugins-bad-free-extras package which a user would be automatically offered to install anyway upon trying to play a relevant file – .flac in this case.

So, Fedora users aren’t really safer after all.

How To Tell If I’m Affected?

As a proof of concept, Evans – the security researcher who found the hole, has developed a demo that makes gnome-calc on Fedora and xcalc on Ubuntu to launch automatically when you try to play his demo file. Mind you, an attacker could’ve use it to do far nastier things than just opening a calculator.

So, to see if you’re affected you may try the demo files downloadable at the bottom of the article. Other than that you can also search the packages that installed on your desktop and see whether game-music-emu or libgme as it’s called on some distros is one of them.

According to game-music-emu page, the current version (0.6.1) still haven’t addressed the vulnerabilities though they are aware of them at the moment.

Moreover Chris Evans himself has offered a patch. So unless further complications will be found it’s probably safe to assume that the package itself will be shortly secured. Hopefully the Linux distro you’re using will incorporate it soon after as well.


Lastly, check out the video demonstration showing the exploit in action:

Test on Fedora (change file extension to .flac)   Test on Ubuntu (Change file extension to .mp3)

The comment section is temporarily closed due to remodeling.