[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#32515: GNOME thumbnailing code execution vulnerabilities.
|
From: |
Leo Famulari |
|
Subject: |
bug#32515: GNOME thumbnailing code execution vulnerabilities. |
|
Date: |
Fri, 9 Apr 2021 14:48:15 -0400 |
On Fri, Apr 09, 2021 at 03:51:21PM +0200, Maxime Devos wrote:
> Leo Famulari (26 Feb 2019) wrote:
> > Since this bug was filed, Ghostscript has received more scrutiny and
> > serious bugs continue to be found.
>
> I assume you meant ‘fixed’.
I did not mean 'fixed'. As far as I know, no work was done in Guix about
this bug.
'filed' is definitely the correct interpretation; security researchers
ignored postscript / Ghostcript for a very long time, but it became a
popular area of research a few years ago.
Basically, Ghostscript is a decades-old C codebase implementing an even
older language specification. Caveat emptor.
Unlike some other similar codebases, like OpenSSL, the situation
regarding security researchers and vulnerability disclosure has not
really improved, as far as I can tell :/
> The thumbnailer is run in a container, using bubblewrap and seccomp:
>
> $ guix graph --type=references gnome-desktop
> > [snip]
> > "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" ->
> > "/gnu/store/jsw78nn91z34z2cm227zwjhpybx2p2lw-bubblewrap-0.4.1" [color =
> > darkseagreen];
> > "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" ->
> > "/gnu/store/w668dl13dac6gpxvyhic21dnifrrijp6-libseccomp-2.5.1" [color =
> > darkseagreen];
> > [snip]
>
> $ EDITOR=less guix edit gnome-desktop
> > [snip]
> > ("bubblewrap" ,bubblewrap)
> > [snip]
>
> $ cat ./libgnome-desktop/gnome-desktop-thumbnail-script.c:
> > [snip]
> > [an add_bwrap function with bind mounts and --unshare-all]
> > [a setup_seccomp function]
> > [snip]
>
> Closing.
Great, looks like upstream took care of it for us. There will probably
be more bugs in this area, but that's expected.
signature.asc
Description: PGP signature