From unknown Mon Aug 18 04:43:24 2025 X-Loop: help-debbugs@gnu.org Subject: bug#32515: GNOME thumbnailing code execution vulnerabilities Resent-From: Leo Famulari Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Thu, 23 Aug 2018 21:03:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 32515 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: 32515@debbugs.gnu.org X-Debbugs-Original-To: bug-guix@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.153505813327593 (code B ref -1); Thu, 23 Aug 2018 21:03:02 +0000 Received: (at submit) by debbugs.gnu.org; 23 Aug 2018 21:02:13 +0000 Received: from localhost ([127.0.0.1]:59149 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1fswk9-0007Ay-AM for submit@debbugs.gnu.org; Thu, 23 Aug 2018 17:02:13 -0400 Received: from eggs.gnu.org ([208.118.235.92]:46037) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1fswk7-0007Ak-5M for submit@debbugs.gnu.org; Thu, 23 Aug 2018 17:02:11 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1fswk1-0007eL-1t for submit@debbugs.gnu.org; Thu, 23 Aug 2018 17:02:05 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,T_DKIM_INVALID autolearn=disabled version=3.3.2 Received: from lists.gnu.org ([2001:4830:134:3::11]:37684) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1fswk0-0007eG-Tl for submit@debbugs.gnu.org; Thu, 23 Aug 2018 17:02:04 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:38772) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fswjz-0004IN-Tt for bug-guix@gnu.org; Thu, 23 Aug 2018 17:02:04 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1fswju-0007dA-Qx for bug-guix@gnu.org; Thu, 23 Aug 2018 17:02:03 -0400 Received: from out1-smtp.messagingengine.com ([66.111.4.25]:43995) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1fswjt-0007cc-OX for bug-guix@gnu.org; Thu, 23 Aug 2018 17:01:58 -0400 Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id C69D221DF0; Thu, 23 Aug 2018 17:01:54 -0400 (EDT) Received: from mailfrontend2 ([10.202.2.163]) by compute4.internal (MEProxy); Thu, 23 Aug 2018 17:01:54 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name; h=content-type:date:from:message-id:mime-version:subject:to :x-me-sender:x-me-sender:x-sasl-enc; s=mesmtp; bh=r2P2qEa4SPTXOJ fOHXe/vmsnj04tpl4xgVk7f0qL9fI=; b=XgYR5pcUCMdtoI/wkMJWNBF5QZ4wW/ u9p1v/Nntaj46i4NVde7GHOQdt2e51MlnCC43NmN1z972JoEtVRG86b2DMqrNqqE MwgLKzPfCo1QedUH28BKRAqOvGOJrwmFhEM0plGDIGByxr+gtB3ImYzqX9Cx7rIa pEkDlv12uZo2w= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:message-id :mime-version:subject:to:x-me-sender:x-me-sender:x-sasl-enc; s= fm3; bh=r2P2qEa4SPTXOJfOHXe/vmsnj04tpl4xgVk7f0qL9fI=; b=dNKeZNix euwZtovUBymqJQRlnlnH7PDEZbyLByoDmVtjEF14ltziez17NAdrE+91Q8xoMRPu qNUxBaMzbtSR3cWOv+9+sGgGyJl1HWLq2kaG1mEVTWRIm0rdT/VcU2GpG7lC2jGl +8pffG2aSYtnV8419PxJLSUKTOlzDwDYQZjtVpLcBjBKd4O8C2tYcpHAEMdFENF6 glw0lNp9P5ctDgLR06DKvd7avJo1xDw7zOy+HwJ4KK7GweQ/lR0DJKv2JJ/lB52+ xcR/fzfHbMRev7vI10JvUYr0CXI4Fd6859D17Nx8VIIkQ7iw3ja+I3imXsFwPzGZ Kf2OrqsEZAemCg== X-ME-Proxy: X-ME-Sender: Received: from localhost (c-76-124-202-137.hsd1.pa.comcast.net [76.124.202.137]) by mail.messagingengine.com (Postfix) with ESMTPA id 1EF551028A for ; Thu, 23 Aug 2018 17:01:52 -0400 (EDT) Date: Thu, 23 Aug 2018 17:01:51 -0400 From: Leo Famulari Message-ID: <20180823210151.GA18406@jasmine.lan> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="/04w6evG8XlLl3ft" Content-Disposition: inline User-Agent: Mutt/1.10.1 (2018-07-13) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x X-Received-From: 2001:4830:134:3::11 X-Spam-Score: -4.1 (----) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -5.1 (-----) --/04w6evG8XlLl3ft Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In some configurations of the GNOME and KDE desktops (and maybe others), there is a remote code execution vulnerability via the Nautilus thumbnailing system, via Evince and Ghostscript: "My colleague Jann Horn pointed out evince (which uses libgs, which is affected with some tweaks to the PoC) is used to generate previews in Nautilus, which means previews can trigger code execution (see /usr/share/thumbnailers/evince.thumbnailer). I think it's possible to trigger that via file automatic download in a browser just by visiting a URL, but I haven't tested it." [0] Our Evince package is configured with '--disable-nautilus' [1]. Does this avoid the problem for us? I'm not using a graphical GuixSD system so I can't test this easily. Can someone who is using GNOME on GuixSD poke around and let us know what they find? Desktop thumbnailing is a convenient feature, so it would be good if it worked safely. Apparently GNOME is able to run the thumbnailer in a container [2]; we should try to make sure that works. [0] http://seclists.org/oss-sec/2018/q3/143 [1] https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/gnome.scm?id=16b0e8da48ef9398797a22e274d5fcb37e24e448#n743 [2] https://bugs.launchpad.net/ubuntu/+source/bubblewrap/+bug/1709164 --/04w6evG8XlLl3ft Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlt/IL8ACgkQJkb6MLrK fwiTzw/9HVEKINE7zPl1QmZomYvT6Z/g6royQDgkcmRWAJS4riUwDH41BclSkE+u v+pOWkx+icXK8HLt+dkmBWVecieswRx/idnNGUZpvjprFoj30yxPhnpc9nbTeM1R xIr2d9vEyLJHd+FbDanmDFqxKdp7/U5Imn+XYhI73Y2Zoq8R40jr+7lVht4Qfgjd J7Fl9OG7Puy78vfQVc9XhxYNmOhzNt7bZncECVhLfwLTUVmZf86oD5KaMg11wpOP nLBMO863gVKJXPU/F7H1hfUq03AezaPZSAXCQr7d9lvteMbQwp1+PMoKhHIWF1ro fjXyth9+UNXbv1IDM+Oiv9VfVpjApitfypFAcLL5QfGuqsknZtHNtDoIDavuBekP eAhODq1eK4oiNyxL0to8lHMaUy+ZVNJ98c6ig89rRsthpMaQVbS27t5vsqm3bZuP PmnfrKEgfQP8z3kPVNjySExY1prIbH+r1O4FFXwMjpxfc+SJ564+sE0qPnDrYnNy LLX3cB6ExQ4VTUd9ChPe+0oCcyUCA1ng1SULMki4JjeMeZdmbK55En4lmiB3PoP7 aQXdjhgRSmVDAOCs+DrG45HJUHWiRENvK++CWpaSG6WW1VllvSoqD/GaPTc8PATT Rz84QjcG/Hag4AfEIDkMQMoN8IHbNYa/FGwRrT3SGH7hsH+TP7E= =FEkj -----END PGP SIGNATURE----- --/04w6evG8XlLl3ft-- From debbugs-submit-bounces@debbugs.gnu.org Wed Aug 29 16:33:52 2018 Received: (at control) by debbugs.gnu.org; 29 Aug 2018 20:33:52 +0000 Received: from localhost ([127.0.0.1]:37464 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1fv7A0-0002N6-EI for submit@debbugs.gnu.org; Wed, 29 Aug 2018 16:33:52 -0400 Received: from eggs.gnu.org ([208.118.235.92]:59585) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1fv79x-0002Mq-U9 for control@debbugs.gnu.org; Wed, 29 Aug 2018 16:33:50 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1fv79r-0004ae-VT for control@debbugs.gnu.org; Wed, 29 Aug 2018 16:33:44 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=disabled version=3.3.2 Received: from fencepost.gnu.org ([2001:4830:134:3::e]:57694) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fv79r-0004aH-Qd for control@debbugs.gnu.org; Wed, 29 Aug 2018 16:33:43 -0400 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=43676 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1fv79q-0005TV-AN for control@debbugs.gnu.org; Wed, 29 Aug 2018 16:33:43 -0400 Date: Wed, 29 Aug 2018 22:33:41 +0200 Message-Id: <871sagap5m.fsf@gnu.org> To: control@debbugs.gnu.org From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=) Subject: control message for bug #32515 MIME-version: 1.0 Content-type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 2001:4830:134:3::e X-Spam-Score: -5.0 (-----) X-Debbugs-Envelope-To: control X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -6.0 (------) tags 32515 security From debbugs-submit-bounces@debbugs.gnu.org Mon Feb 25 18:37:41 2019 Received: (at control) by debbugs.gnu.org; 25 Feb 2019 23:37:41 +0000 Received: from localhost ([127.0.0.1]:51875 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1gyPob-000243-DB for submit@debbugs.gnu.org; Mon, 25 Feb 2019 18:37:41 -0500 Received: from out2-smtp.messagingengine.com ([66.111.4.26]:47907) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1gyPoZ-00023q-EC for control@debbugs.gnu.org; Mon, 25 Feb 2019 18:37:39 -0500 Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id 8959121CFC; Mon, 25 Feb 2019 18:37:33 -0500 (EST) Received: from mailfrontend1 ([10.202.2.162]) by compute4.internal (MEProxy); Mon, 25 Feb 2019 18:37:33 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name; h=date:from:to:message-id:mime-version:content-type; s=mesmtp; bh=siVvlmXtm+9wSRzq2fkPvTp+XJWL69k2fetK1ilJEeg=; b=ijqToXPY5x34 O5uqxAQPPJiRq9R4OSYsX9ESeE0LTwinFbMAVjpJLu7kH6F+qsLDgzIhjgk/1+N5 OsPcCfbXxG9CaJB+x2VMsqZN4YznODlu6eQ6OhEQgV4zevhMM/bPdKACGZScd+7M i+CnI8YQ8pwvj/wYjGUR7HH7qqGhRNA= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:message-id :mime-version:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm2; bh=siVvlmXtm+9wSRzq2fkPvTp+XJWL69k2fetK1ilJE eg=; b=bb15SA1VW3pc3h4tGCLzb8OegttHAne5GngwjvjyG7WauJvcnapy0XA1F s3d0RUOC/iTUFFfkmWaVBTeAu7rrrNxJ9OyudPLzWHZ5Wf/7NuoiYxSv0gfU6Qtq G4Cb5pMUgn3ryhehDpxjIz9g7EQGV+dmTKyZnAwAclRbpr4HuQBNeoepvVUNncXg M1N8goptYS5XkksxdofiGDT5yrevb+cBg/fPpewDz0GqpgR/CjmycX23B6CVnX/z Nw2iyWV3KpNJUZviEd/tjQ4au+y+MlkHVB4cRuL6nYTA7P+v+BgP/wzUYceYsx+Q S3yFDXoX/29JlzBHec8JuvXl3etqg== X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedutddrudekgdduvdculddtuddrgedtledrtddtmd cutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfhuthen uceurghilhhouhhtmecufedttdenucfgmhhpthihuchsuhgsjhgvtghtucdluddtmdenuc fjughrpeffhffvkfggtggufgesthdtredttdervdenucfhrhhomhepnfgvohcuhfgrmhhu lhgrrhhiuceolhgvohesfhgrmhhulhgrrhhirdhnrghmvgeqnecukfhppeejiedruddvge drvddtvddrudefjeenucfrrghrrghmpehmrghilhhfrhhomheplhgvohesfhgrmhhulhgr rhhirdhnrghmvgenucevlhhushhtvghrufhiiigvpedt X-ME-Proxy: Received: from localhost (c-76-124-202-137.hsd1.pa.comcast.net [76.124.202.137]) by mail.messagingengine.com (Postfix) with ESMTPA id B6DF3E4519 for ; Mon, 25 Feb 2019 18:37:31 -0500 (EST) Date: Mon, 25 Feb 2019 18:37:30 -0500 From: Leo Famulari To: control@debbugs.gnu.org Message-ID: <20190225233730.GA16892@jasmine.lan> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.11.3 (2019-02-01) X-Spam-Score: 1.3 (+) X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: retitle 32515 "Ghostscript and GNOME thumbnailing code execution vulnerabilities" Content analysis details: (1.3 points, 10.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: famulari.name] -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low trust [66.111.4.26 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record -0.0 SPF_HELO_PASS SPF: HELO matches SPF record 1.8 MISSING_SUBJECT Missing Subject: header 0.2 NO_SUBJECT Extra score for no subject X-Debbugs-Envelope-To: control X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 0.3 (/) retitle 32515 "Ghostscript and GNOME thumbnailing code execution vulnerabilities" From unknown Mon Aug 18 04:43:24 2025 X-Loop: help-debbugs@gnu.org Subject: bug#32515: GNOME thumbnailing code execution vulnerabilities References: <20180823210151.GA18406@jasmine.lan> In-Reply-To: <20180823210151.GA18406@jasmine.lan> Resent-From: Leo Famulari Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Mon, 25 Feb 2019 23:40:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 32515 X-GNU-PR-Package: guix X-GNU-PR-Keywords: security To: 32515@debbugs.gnu.org Received: via spool by 32515-submit@debbugs.gnu.org id=B32515.15511379598113 (code B ref 32515); Mon, 25 Feb 2019 23:40:02 +0000 Received: (at 32515) by debbugs.gnu.org; 25 Feb 2019 23:39:19 +0000 Received: from localhost ([127.0.0.1]:51881 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1gyPqA-00026n-QY for submit@debbugs.gnu.org; Mon, 25 Feb 2019 18:39:19 -0500 Received: from out2-smtp.messagingengine.com ([66.111.4.26]:48785) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1gyPq8-00026Z-Pv for 32515@debbugs.gnu.org; Mon, 25 Feb 2019 18:39:17 -0500 Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id 9BE8622336; Mon, 25 Feb 2019 18:39:11 -0500 (EST) Received: from mailfrontend1 ([10.202.2.162]) by compute4.internal (MEProxy); Mon, 25 Feb 2019 18:39:11 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name; h=date:from:to:subject:message-id:mime-version:content-type; s= mesmtp; bh=ccCptbPCBOGYlMGf2+fwoNbn9fFQvcjHQi3RLRPnvMA=; b=Ciwjl 9nb5+ZTjIkDVkd1bv7bGwgtMiDH4bAlIXoQmvpuWZhsqsOTkB47PQfSU2onn6dx5 0RFNMzDatJarjC+PJxk3FYMa/6ZCp+sIVLj9WiF5ggQwVAXVjLdwCq0df4/AVz7B Xeo6YSxSm8yh5UkC3xUPfaThRiJCFm4W1kj5Mw= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:message-id :mime-version:subject:to:x-me-proxy:x-me-proxy:x-me-sender :x-me-sender:x-sasl-enc; s=fm2; bh=ccCptbPCBOGYlMGf2+fwoNbn9fFQv cjHQi3RLRPnvMA=; b=wPZ8Da3FxPi8LmRlSRtoETIk+PrnaS39ZwLX80fo5vja4 NBUK6xQ+0Sb25MovZiig+38qmUkg/EAAODs3z9iMiJhvTa7SStEb2bB2EfMikKQ1 bIKAEHm12nq9b5OuVu0zFDMpfG+EGSjpDyQc/bizrNnJGRFdFowVkXSCRkdb6r6I WORvAfDvcR+9uOfyYGIpcuwh9y6ElLcXcOBRHa1bgx3DHIHYVzE1lMe0EmDwJf87 dZ/CfNQ+oa1KeWYa6SkP7Ey2ZWEdvIQ8t9C9jk1FMIzg3WvgZlbSBESJ5U/8Uxao 6QN0gbchWjHyRd66R7XrVwgXaGNu3BQtWhoCX8hLg== X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedutddrudekgdduvdculddtuddrgedtledrtddtmd cutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfhuthen uceurghilhhouhhtmecufedttdenucenucfjughrpeffhffvuffkgggtuggfsehgtderre dtredvnecuhfhrohhmpefnvghoucfhrghmuhhlrghrihcuoehlvghosehfrghmuhhlrghr ihdrnhgrmhgvqeenucfkphepjeeirdduvdegrddvtddvrddufeejnecurfgrrhgrmhepmh grihhlfhhrohhmpehlvghosehfrghmuhhlrghrihdrnhgrmhgvnecuvehluhhsthgvrhfu ihiivgeptd X-ME-Proxy: Received: from localhost (c-76-124-202-137.hsd1.pa.comcast.net [76.124.202.137]) by mail.messagingengine.com (Postfix) with ESMTPA id 47BF1E425A for <32515@debbugs.gnu.org>; Mon, 25 Feb 2019 18:39:07 -0500 (EST) Date: Mon, 25 Feb 2019 18:39:06 -0500 From: Leo Famulari Message-ID: <20190225233906.GA16808@jasmine.lan> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="Kj7319i9nmIyA2yE" Content-Disposition: inline User-Agent: Mutt/1.11.3 (2019-02-01) X-Spam-Score: -0.7 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.7 (-) --Kj7319i9nmIyA2yE Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Since this bug was filed, Ghostscript has received more scrutiny and serious bugs continue to be found. The recommendation of the researchers seems to be to disable and remove Ghostscript unless a Postcript interpreter is actually necessary. Barring that, we should keep our package up to date and try to make sure the GNOME thumbnailer and other "hidden" users of Ghostscript are run in containers. Is anyone willing to look into the GNOME thumbnailer? --Kj7319i9nmIyA2yE Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlx0fJoACgkQJkb6MLrK fwhtJhAA6BTLJaWa9YBrWBEUJ+3EMZrOYPro0BTDSpoTHPJ8rHE8Ux+8rBoJMXPb T6zGNquqqAenrv77RTddmKUUPtPig9jCEOr7jjx6tgV0fU7GjpOp+WSv7VsTz5gZ EnFVKo7fnf6tymZ87Anca7bCFT0PewLrcsVKPAcX7WMCO5jll1kLQ8k1zRQLk1Hh 4+iAzP35XxhBih8D/tfbRf0CboW+47IR7awVLS5W5InXVpeAVR0p/wltrKhp9Egx Cnp8GcxR5LUBzzcLcPrdrAsOtDM/x5ak4R81wzty9b1u66/4cUyQCF+RAaHcjj8p GIBaO4rUgXMk3PB4JZNIRO4JloD5djp6CZhjVfjACZbP6OgFPF3Dp1mF1neuMHrW bcyCNU5PQMnDzqK0sPhFwAxRds8MXFH9PofWE90lwrwgXXrv+a8oMydJ+62UWulD 4dyKUV1MgZMJ2H7n4hyEBiC0RHIwtROjTZmHCFH4ZkQ/24h8OKZofvjSr6Ec4ffe yhzKwjHSk4IKj9jTYNVs9MRKRMdBR87gvAxvVRm3lAwXhTrJg/oZNQqNXT4iNA50 SupiuyaOJRciNQgaSSJhBlxn9lehzTeQIZsksnY/u/LBG5IZn0KZtq2D6BMROYNA /NaXXIBUBieA+EMaE0Kbb5BY1z+vMzY5kGej1Rfksuoh1LzFiUY= =XooQ -----END PGP SIGNATURE----- --Kj7319i9nmIyA2yE-- From debbugs-submit-bounces@debbugs.gnu.org Mon Feb 25 18:39:47 2019 Received: (at control) by debbugs.gnu.org; 25 Feb 2019 23:39:47 +0000 Received: from localhost ([127.0.0.1]:51885 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1gyPqd-00027V-4P for submit@debbugs.gnu.org; Mon, 25 Feb 2019 18:39:47 -0500 Received: from out2-smtp.messagingengine.com ([66.111.4.26]:51601) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1gyPqa-00027E-Uz for control@debbugs.gnu.org; Mon, 25 Feb 2019 18:39:45 -0500 Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id B15B521E07; Mon, 25 Feb 2019 18:39:39 -0500 (EST) Received: from mailfrontend2 ([10.202.2.163]) by compute4.internal (MEProxy); Mon, 25 Feb 2019 18:39:39 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name; h=date:from:to:message-id:mime-version:content-type; s=mesmtp; bh=Kd/nDw+svm78Uicu/T/Ymy5q9A437XpVBr6kxFxhdRY=; b=AGd2lLAGqd2z GfZgj1qcOY4zhFOr1/eNJH/il8T5r/3lf3vO6P8D0wMP8c7vDUtZc1VrZhBzwH2U l+Y8o5gpmTcAQEuHni8Fh1i8tJBCFgpiVNA5hMhxHm0b5MuJumb9JZYeNA35ahig 39M9fJUlYID/znQi41NySyFMaTjJZaM= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:message-id :mime-version:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm2; bh=Kd/nDw+svm78Uicu/T/Ymy5q9A437XpVBr6kxFxhd RY=; b=a04kBIyc1ppxbLd1Im92k4tM2I0aI5t7vdnPen6yiUTcuMyPzQ9zkoHEt 3Ztrqbg/GmWNVeLEe/91VcESftBBR4c6cpL0dbRhSNJMZ++7dX3oeKDI7hDNo5kn NntJNa//22GbpZBmmSkv/bXZiWmFLMF6oO3o1yY8UdBvzJIqvsrz4QZg5+joQ9ME Dqwu6ySFxcqhVAdiWcoTqmgxhuATEpTriO2yTBCWAMQIOvpK5ywCeuUrQY1Z/uwA 4F0q7TheLgmr0anZx5E7aWUOS3M14VxNcP2aCVUrbWAYUEYzwikyZAGWKtAeGoUz s4pxhrkMVoY2Lu42vlU1D/Fa1S0xA== X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedutddrudekgdduvdculddtuddrgedtledrtddtmd cutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfhuthen uceurghilhhouhhtmecufedttdenucfgmhhpthihuchsuhgsjhgvtghtucdluddtmdenuc fjughrpeffhffvkfggtggufgesthdtredttdervdenucfhrhhomhepnfgvohcuhfgrmhhu lhgrrhhiuceolhgvohesfhgrmhhulhgrrhhirdhnrghmvgeqnecukfhppeejiedruddvge drvddtvddrudefjeenucfrrghrrghmpehmrghilhhfrhhomheplhgvohesfhgrmhhulhgr rhhirdhnrghmvgenucevlhhushhtvghrufhiiigvpedt X-ME-Proxy: Received: from localhost (c-76-124-202-137.hsd1.pa.comcast.net [76.124.202.137]) by mail.messagingengine.com (Postfix) with ESMTPA id 3ACCE10310 for ; Mon, 25 Feb 2019 18:39:39 -0500 (EST) Date: Mon, 25 Feb 2019 18:39:38 -0500 From: Leo Famulari To: control@debbugs.gnu.org Message-ID: <20190225233938.GA17000@jasmine.lan> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.11.3 (2019-02-01) X-Spam-Score: 1.3 (+) X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: retitle 32515 Ghostscript and GNOME thumbnailing code execution vulnerabilities Content analysis details: (1.3 points, 10.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: famulari.name] -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low trust [66.111.4.26 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record -0.0 SPF_HELO_PASS SPF: HELO matches SPF record 1.8 MISSING_SUBJECT Missing Subject: header 0.2 NO_SUBJECT Extra score for no subject X-Debbugs-Envelope-To: control X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 0.3 (/) retitle 32515 Ghostscript and GNOME thumbnailing code execution vulnerabilities From unknown Mon Aug 18 04:43:24 2025 MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) X-Loop: help-debbugs@gnu.org From: help-debbugs@gnu.org (GNU bug Tracking System) To: Leo Famulari Subject: bug#32515: closed (Re: GNOME thumbnailing code execution vulnerabilities.) Message-ID: References: <20180823210151.GA18406@jasmine.lan> X-Gnu-PR-Message: they-closed 32515 X-Gnu-PR-Package: guix X-Gnu-PR-Keywords: security Reply-To: 32515@debbugs.gnu.org Date: Fri, 09 Apr 2021 13:52:01 +0000 Content-Type: multipart/mixed; boundary="----------=_1617976321-27326-1" This is a multi-part message in MIME format... ------------=_1617976321-27326-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Your bug report #32515: Ghostscript and GNOME thumbnailing code execution vulnerabilities which was filed against the guix package, has been closed. The explanation is attached below, along with your original report. If you require more details, please reply to 32515@debbugs.gnu.org. --=20 32515: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D32515 GNU Bug Tracking System Contact help-debbugs@gnu.org with problems ------------=_1617976321-27326-1 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at 32515-done) by debbugs.gnu.org; 9 Apr 2021 13:51:27 +0000 Received: from localhost ([127.0.0.1]:49290 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lUrXi-00075e-PO for submit@debbugs.gnu.org; Fri, 09 Apr 2021 09:51:27 -0400 Received: from baptiste.telenet-ops.be ([195.130.132.51]:33898) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lUrXg-00075U-2n for 32515-done@debbugs.gnu.org; Fri, 09 Apr 2021 09:51:25 -0400 Received: from butterfly.local ([213.251.114.97]) by baptiste.telenet-ops.be with bizsmtp id qdrN240022695yl01drN5E; Fri, 09 Apr 2021 15:51:22 +0200 Message-ID: Subject: Re: GNOME thumbnailing code execution vulnerabilities. From: Maxime Devos To: 32515-done@debbugs.gnu.org Date: Fri, 09 Apr 2021 15:51:21 +0200 Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="=-HESCUA2I2uthSkmtDnd+" User-Agent: Evolution 3.34.2 MIME-Version: 1.0 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telenet.be; s=r21; t=1617976282; bh=yaruMxj+OYjtAxoMPvt58lnLhXqPTlOD6FMDuE6ZOGc=; h=Subject:From:To:Date; b=Yq5hCtTLTwEytd6MaIUz98tqM+9b2URidMHUPDK2r6YuPcGHuCIdp0lREI2WIBAOJ mUStdYqcWOcBH7l6nsdOv25J22cbECFRRFI9z9XIxNUCWysd2v9/zD5TuC08lUyqxc ZYiuFHAPNj3nFVFlWKDGDq6Cj3iLceOGaa2ELa5330onsfpTLTQWPebAfrGsZN+CWo 3iAGY0H3QvwUu3JC33OGA+wWkhkHVkPfcI13ufn7BxPN8VyAV5sxAHALANaW7wnlAp +UNIvaUj5S4u4968DS7kaX5+SztvN+CjWdeguBqCcqigCM15TqUCh4C2JTmSkiQh/d NDGKkK4jCwoKA== X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 32515-done X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.7 (-) --=-HESCUA2I2uthSkmtDnd+ Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Leo Famulari (26 Feb 2019) wrote: > Since this bug was filed, Ghostscript has received more scrutiny and > serious bugs continue to be found. I assume you meant =E2=80=98fixed=E2=80=99. > [...] > Barring that, we should keep our package up to date ghostscript can be updated to 9.54 (https://ghostscript.com/download/gsdnld= .html). This will require grafts due to many depending packages. However, looking at https://bugs.ghostscript.com/buglist.cgi?order=3DBug%20Number&product=3DGho= stscript&query_format=3Dadvanced&resolution=3D---&version=3D9.52&version=3D= 9.53.0&version=3D9.53.1&version=3D9.53.2&version=3D9.53.3&version=3D9.54.0 it seems there are no known security vulnerabilities. evince can be updated from 3.36.5 to 40.0 according to "guix refresh", that would be done in https://issues.guix.gnu.org/47643 think. > and try to make sure > the GNOME thumbnailer and other "hidden" users of Ghostscript are run in > containers. The thumbnailer is run in a container, using bubblewrap and seccomp: $ guix graph --type=3Dreferences gnome-desktop > [snip] > "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" -> "/g= nu/store/jsw78nn91z34z2cm227zwjhpybx2p2lw-bubblewrap-0.4.1" [color =3D dark= seagreen]; > "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" -> "/g= nu/store/w668dl13dac6gpxvyhic21dnifrrijp6-libseccomp-2.5.1" [color =3D dark= seagreen]; > [snip] $ EDITOR=3Dless guix edit gnome-desktop > [snip] > ("bubblewrap" ,bubblewrap) > [snip] $ cat ./libgnome-desktop/gnome-desktop-thumbnail-script.c: > [snip] > [an add_bwrap function with bind mounts and --unshare-all] > [a setup_seccomp function] > [snip] Closing. Greetings, Maxime. --=-HESCUA2I2uthSkmtDnd+ Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNATURE----- iI0EABYKADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYHBb2RccbWF4aW1lZGV2 b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7p0FAQDt1/k2GEcZVc80i3MaOqVCq7xq Sd3Le1hiG8vFBvmEawD7BbBFGSmp32JIX3RJrPBG/6bjpAfkK7wfNFjZs+JOcg4= =2IaK -----END PGP SIGNATURE----- --=-HESCUA2I2uthSkmtDnd+-- ------------=_1617976321-27326-1 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at submit) by debbugs.gnu.org; 23 Aug 2018 21:02:13 +0000 Received: from localhost ([127.0.0.1]:59149 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1fswk9-0007Ay-AM for submit@debbugs.gnu.org; Thu, 23 Aug 2018 17:02:13 -0400 Received: from eggs.gnu.org ([208.118.235.92]:46037) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1fswk7-0007Ak-5M for submit@debbugs.gnu.org; Thu, 23 Aug 2018 17:02:11 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1fswk1-0007eL-1t for submit@debbugs.gnu.org; Thu, 23 Aug 2018 17:02:05 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,T_DKIM_INVALID autolearn=disabled version=3.3.2 Received: from lists.gnu.org ([2001:4830:134:3::11]:37684) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1fswk0-0007eG-Tl for submit@debbugs.gnu.org; Thu, 23 Aug 2018 17:02:04 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:38772) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fswjz-0004IN-Tt for bug-guix@gnu.org; Thu, 23 Aug 2018 17:02:04 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1fswju-0007dA-Qx for bug-guix@gnu.org; Thu, 23 Aug 2018 17:02:03 -0400 Received: from out1-smtp.messagingengine.com ([66.111.4.25]:43995) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1fswjt-0007cc-OX for bug-guix@gnu.org; Thu, 23 Aug 2018 17:01:58 -0400 Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id C69D221DF0; Thu, 23 Aug 2018 17:01:54 -0400 (EDT) Received: from mailfrontend2 ([10.202.2.163]) by compute4.internal (MEProxy); Thu, 23 Aug 2018 17:01:54 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name; h=content-type:date:from:message-id:mime-version:subject:to :x-me-sender:x-me-sender:x-sasl-enc; s=mesmtp; bh=r2P2qEa4SPTXOJ fOHXe/vmsnj04tpl4xgVk7f0qL9fI=; b=XgYR5pcUCMdtoI/wkMJWNBF5QZ4wW/ u9p1v/Nntaj46i4NVde7GHOQdt2e51MlnCC43NmN1z972JoEtVRG86b2DMqrNqqE MwgLKzPfCo1QedUH28BKRAqOvGOJrwmFhEM0plGDIGByxr+gtB3ImYzqX9Cx7rIa pEkDlv12uZo2w= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:message-id :mime-version:subject:to:x-me-sender:x-me-sender:x-sasl-enc; s= fm3; bh=r2P2qEa4SPTXOJfOHXe/vmsnj04tpl4xgVk7f0qL9fI=; b=dNKeZNix euwZtovUBymqJQRlnlnH7PDEZbyLByoDmVtjEF14ltziez17NAdrE+91Q8xoMRPu qNUxBaMzbtSR3cWOv+9+sGgGyJl1HWLq2kaG1mEVTWRIm0rdT/VcU2GpG7lC2jGl +8pffG2aSYtnV8419PxJLSUKTOlzDwDYQZjtVpLcBjBKd4O8C2tYcpHAEMdFENF6 glw0lNp9P5ctDgLR06DKvd7avJo1xDw7zOy+HwJ4KK7GweQ/lR0DJKv2JJ/lB52+ xcR/fzfHbMRev7vI10JvUYr0CXI4Fd6859D17Nx8VIIkQ7iw3ja+I3imXsFwPzGZ Kf2OrqsEZAemCg== X-ME-Proxy: X-ME-Sender: Received: from localhost (c-76-124-202-137.hsd1.pa.comcast.net [76.124.202.137]) by mail.messagingengine.com (Postfix) with ESMTPA id 1EF551028A for ; Thu, 23 Aug 2018 17:01:52 -0400 (EDT) Date: Thu, 23 Aug 2018 17:01:51 -0400 From: Leo Famulari To: bug-guix@gnu.org Subject: GNOME thumbnailing code execution vulnerabilities Message-ID: <20180823210151.GA18406@jasmine.lan> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="/04w6evG8XlLl3ft" Content-Disposition: inline User-Agent: Mutt/1.10.1 (2018-07-13) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x X-Received-From: 2001:4830:134:3::11 X-Spam-Score: -4.1 (----) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -5.1 (-----) --/04w6evG8XlLl3ft Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In some configurations of the GNOME and KDE desktops (and maybe others), there is a remote code execution vulnerability via the Nautilus thumbnailing system, via Evince and Ghostscript: "My colleague Jann Horn pointed out evince (which uses libgs, which is affected with some tweaks to the PoC) is used to generate previews in Nautilus, which means previews can trigger code execution (see /usr/share/thumbnailers/evince.thumbnailer). I think it's possible to trigger that via file automatic download in a browser just by visiting a URL, but I haven't tested it." [0] Our Evince package is configured with '--disable-nautilus' [1]. Does this avoid the problem for us? I'm not using a graphical GuixSD system so I can't test this easily. Can someone who is using GNOME on GuixSD poke around and let us know what they find? Desktop thumbnailing is a convenient feature, so it would be good if it worked safely. Apparently GNOME is able to run the thumbnailer in a container [2]; we should try to make sure that works. [0] http://seclists.org/oss-sec/2018/q3/143 [1] https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/gnome.scm?id=16b0e8da48ef9398797a22e274d5fcb37e24e448#n743 [2] https://bugs.launchpad.net/ubuntu/+source/bubblewrap/+bug/1709164 --/04w6evG8XlLl3ft Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlt/IL8ACgkQJkb6MLrK fwiTzw/9HVEKINE7zPl1QmZomYvT6Z/g6royQDgkcmRWAJS4riUwDH41BclSkE+u v+pOWkx+icXK8HLt+dkmBWVecieswRx/idnNGUZpvjprFoj30yxPhnpc9nbTeM1R xIr2d9vEyLJHd+FbDanmDFqxKdp7/U5Imn+XYhI73Y2Zoq8R40jr+7lVht4Qfgjd J7Fl9OG7Puy78vfQVc9XhxYNmOhzNt7bZncECVhLfwLTUVmZf86oD5KaMg11wpOP nLBMO863gVKJXPU/F7H1hfUq03AezaPZSAXCQr7d9lvteMbQwp1+PMoKhHIWF1ro fjXyth9+UNXbv1IDM+Oiv9VfVpjApitfypFAcLL5QfGuqsknZtHNtDoIDavuBekP eAhODq1eK4oiNyxL0to8lHMaUy+ZVNJ98c6ig89rRsthpMaQVbS27t5vsqm3bZuP PmnfrKEgfQP8z3kPVNjySExY1prIbH+r1O4FFXwMjpxfc+SJ564+sE0qPnDrYnNy LLX3cB6ExQ4VTUd9ChPe+0oCcyUCA1ng1SULMki4JjeMeZdmbK55En4lmiB3PoP7 aQXdjhgRSmVDAOCs+DrG45HJUHWiRENvK++CWpaSG6WW1VllvSoqD/GaPTc8PATT Rz84QjcG/Hag4AfEIDkMQMoN8IHbNYa/FGwRrT3SGH7hsH+TP7E= =FEkj -----END PGP SIGNATURE----- --/04w6evG8XlLl3ft-- ------------=_1617976321-27326-1-- From unknown Mon Aug 18 04:43:24 2025 X-Loop: help-debbugs@gnu.org Subject: bug#32515: GNOME thumbnailing code execution vulnerabilities. Resent-From: Leo Famulari Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Fri, 09 Apr 2021 18:49:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 32515 X-GNU-PR-Package: guix X-GNU-PR-Keywords: security To: 32515@debbugs.gnu.org, maximedevos@telenet.be Received: via spool by 32515-submit@debbugs.gnu.org id=B32515.161799410323848 (code B ref 32515); Fri, 09 Apr 2021 18:49:01 +0000 Received: (at 32515) by debbugs.gnu.org; 9 Apr 2021 18:48:23 +0000 Received: from localhost ([127.0.0.1]:50904 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lUwB5-0006Ca-JS for submit@debbugs.gnu.org; Fri, 09 Apr 2021 14:48:23 -0400 Received: from out2-smtp.messagingengine.com ([66.111.4.26]:35511) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lUwB4-0006CN-Io for 32515@debbugs.gnu.org; Fri, 09 Apr 2021 14:48:22 -0400 Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.nyi.internal (Postfix) with ESMTP id 6880B5C0106; Fri, 9 Apr 2021 14:48:17 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute3.internal (MEProxy); Fri, 09 Apr 2021 14:48:17 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name; h=date:from:to:subject:message-id:references:mime-version :content-type:in-reply-to; s=mesmtp; bh=JYClHokHTAPgI6ZhXE5nrMhC MRkgzHQpKy6vIabAf9I=; b=M2Du+BSTnqZCCDZmEJGs6ISQGkBUPcCveLZTGZ1u PkkeRaCCZFXVDGCFy/LgAAzBy2tiTk2E3ffN9fGoxEaoVfoI+uTnlxZ9lhkDfMyk Yjyzy5yKPltziGWK01rQUV+E9CdaZ0IWHt+RqRWgoJwtL9W9OkmHQeI635DWrSIj 42E= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=JYClHo kHTAPgI6ZhXE5nrMhCMRkgzHQpKy6vIabAf9I=; b=NG4X9AL6S4ZT6wKlJg4hb+ J2ZLCi61/85o1P5r5Hat1/6G05zmAGBOuf+ZktGA0sGPYbsnLF2ZZsFIgLeLTEHB e5M+gAt4ID3X547eeXNPaAh18z95qMM+20qo2AD7xOheePBlZ2VaGY8YZ/9wlNVD swJPtqG5eu4at00miX6T+XnS+sGrDN/+8SNXEAaKCMj3jQnVbhpTR2THkuJCJZM0 DrnjCTLz9ekryyz5QuLzZUXDKoBlISvdLdbC4OuD4dw7+zaez/wUyKWyWZZrXMgt HN1GNsfjaybrpYN2w6hZyF6p5rkiZxY5IVqsrZsk6ZGlOUqgb2GgDMgxgWaEsxcg == X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrudekuddgudeffecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecunecujfgurhepfffhvffukfhfgggtuggjsehgtd erredttdejnecuhfhrohhmpefnvghoucfhrghmuhhlrghrihcuoehlvghosehfrghmuhhl rghrihdrnhgrmhgvqeenucggtffrrghtthgvrhhnpeeigffhfeeftdffkeevkedttdeike efffeltdfgveekkeetueeftdefhfeghfekfeenucfkphepuddttddruddurdduieelrddu udeknecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomheplh gvohesfhgrmhhulhgrrhhirdhnrghmvg X-ME-Proxy: Received: from localhost (pool-100-11-169-118.phlapa.fios.verizon.net [100.11.169.118]) by mail.messagingengine.com (Postfix) with ESMTPA id F329C24005C; Fri, 9 Apr 2021 14:48:16 -0400 (EDT) Date: Fri, 9 Apr 2021 14:48:15 -0400 From: Leo Famulari Message-ID: References: <20180823210151.GA18406@jasmine.lan> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="7HoWTw7M1b5Wcc2d" Content-Disposition: inline In-Reply-To: X-Spam-Score: -0.7 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.7 (-) --7HoWTw7M1b5Wcc2d Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Apr 09, 2021 at 03:51:21PM +0200, Maxime Devos wrote: > Leo Famulari (26 Feb 2019) wrote: > > Since this bug was filed, Ghostscript has received more scrutiny and > > serious bugs continue to be found. >=20 > I assume you meant =E2=80=98fixed=E2=80=99. I did not mean 'fixed'. As far as I know, no work was done in Guix about this bug. 'filed' is definitely the correct interpretation; security researchers ignored postscript / Ghostcript for a very long time, but it became a popular area of research a few years ago. Basically, Ghostscript is a decades-old C codebase implementing an even older language specification. Caveat emptor. Unlike some other similar codebases, like OpenSSL, the situation regarding security researchers and vulnerability disclosure has not really improved, as far as I can tell :/ > The thumbnailer is run in a container, using bubblewrap and seccomp: >=20 > $ guix graph --type=3Dreferences gnome-desktop > > [snip] > > "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" -> "= /gnu/store/jsw78nn91z34z2cm227zwjhpybx2p2lw-bubblewrap-0.4.1" [color =3D da= rkseagreen]; > > "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" -> "= /gnu/store/w668dl13dac6gpxvyhic21dnifrrijp6-libseccomp-2.5.1" [color =3D da= rkseagreen]; > > [snip] >=20 > $ EDITOR=3Dless guix edit gnome-desktop > > [snip] > > ("bubblewrap" ,bubblewrap) > > [snip] >=20 > $ cat ./libgnome-desktop/gnome-desktop-thumbnail-script.c: > > [snip] > > [an add_bwrap function with bind mounts and --unshare-all] > > [a setup_seccomp function] > > [snip] >=20 > Closing. Great, looks like upstream took care of it for us. There will probably be more bugs in this area, but that's expected. --7HoWTw7M1b5Wcc2d Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAmBwoW8ACgkQJkb6MLrK fwgMtA//cxmmI7e3DXnzcioZkeySyQQDUUsYIPZeoW2wtLEe/IZeiW2GiIsRxLJc Fuixs62HDnnp6fKir2KVaUCPuE9d+m8xVhsU4/1CfzMUT0d9QXFjeQHYZK4GCTCf DNVMrS82UeK4ihExQjyqbrJAdASRq2j3eC6n2vf1i6V0xv41+i0hR7UhonOtBb3o +AKkZR0XFH63E4s6GPIOIaOTzgdxiyla2zKzJFBquad2FmvtvA/5GpOkKRzLRpBC dlA4Mm/i9mt4eq/HpI4welfiyNE/J+4O2P+z5/WXPkPXbUGr1lGZ3ZhKGx7Akf++ tKcb8ygu1lXYslm6njRSWQMifSJKoJ0EVTfBNKU7hY8IrgYpJEuskTH9gwucgVZC clDMrt5aYEKxQazeF/wWR+KcjnfsVQ1NhKXkRxQOAvLFLABefBdi8/+LUEyoZKOa X6tap6nVnvwUbWn4hZ4G5ypWX1RjXDUn2b8cwrV8lfVIxaRxoyOOVcPYRjGZORQZ f/DptDeS2sW/xrsbJDiUphSgSF+Xh88ccBeub1NFMP1aO2r1ZYXrwBVebdMPIF4i n8SlYGgIqRq2orVeXgqx6Xnsm8v5o8Oeq146TclPuR+6MkG/znfase74HlWOH1pA 7YjcKeFlC5ew99LVJR1Hfd5RIvA9dqF/9jnABW3qtILeNRGVuE8= =qp0B -----END PGP SIGNATURE----- --7HoWTw7M1b5Wcc2d--