[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#32515: GNOME thumbnailing code execution vulnerabilities
From: |
Leo Famulari |
Subject: |
bug#32515: GNOME thumbnailing code execution vulnerabilities |
Date: |
Thu, 23 Aug 2018 17:01:51 -0400 |
User-agent: |
Mutt/1.10.1 (2018-07-13) |
In some configurations of the GNOME and KDE desktops (and maybe others),
there is a remote code execution vulnerability via the Nautilus
thumbnailing system, via Evince and Ghostscript:
"My colleague Jann Horn pointed out evince (which uses libgs, which is
affected with some tweaks to the PoC) is used to generate previews in
Nautilus, which means previews can trigger code execution (see
/usr/share/thumbnailers/evince.thumbnailer). I think it's possible to
trigger that via file automatic download in a browser just by visiting a
URL, but I haven't tested it." [0]
Our Evince package is configured with '--disable-nautilus' [1]. Does
this avoid the problem for us?
I'm not using a graphical GuixSD system so I can't test this easily. Can
someone who is using GNOME on GuixSD poke around and let us know what
they find?
Desktop thumbnailing is a convenient feature, so it would be good if it
worked safely. Apparently GNOME is able to run the thumbnailer in a
container [2]; we should try to make sure that works.
[0]
http://seclists.org/oss-sec/2018/q3/143
[1]
https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/gnome.scm?id=16b0e8da48ef9398797a22e274d5fcb37e24e448#n743
[2]
https://bugs.launchpad.net/ubuntu/+source/bubblewrap/+bug/1709164
signature.asc
Description: PGP signature
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- bug#32515: GNOME thumbnailing code execution vulnerabilities,
Leo Famulari <=