GNU bug report logs - #32515
Ghostscript and GNOME thumbnailing code execution vulnerabilities


Package: guix;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Thu, 23 Aug 2018 21:03:02 UTC

Severity: normal

Tags: security

Done: Maxime Devos <maximedevos <at> telenet.be>

Bug is archived. No further changes may be made.

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Leo Famulari <leo <at> famulari.name>
Subject: bug#32515: closed (Re: GNOME thumbnailing code execution vulnerabilities.)
Date: Fri, 09 Apr 2021 13:52:01 +0000
Your bug report

#32515: Ghostscript and GNOME thumbnailing code execution vulnerabilities

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 32515 <at> debbugs.gnu.org.

-- 
32515: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=32515
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
From: Maxime Devos <maximedevos <at> telenet.be>
To: 32515-done <at> debbugs.gnu.org
Subject: Re: GNOME thumbnailing code execution vulnerabilities.
Date: Fri, 09 Apr 2021 15:51:21 +0200
Leo Famulari (26 Feb 2019) wrote:
> Since this bug was filed, Ghostscript has received more scrutiny and
> serious bugs continue to be found.

I assume you meant ‘fixed’.

> [...]
> Barring that, we should keep our package up to date

ghostscript can be updated to 9.54 (https://ghostscript.com/download/gsdnld.html).
This will require grafts due to many depending packages.
However, looking at
https://bugs.ghostscript.com/buglist.cgi?order=Bug%20Number&product=Ghostscript&query_format=advanced&resolution=---&version=9.52&version=9.53.0&version=9.53.1&version=9.53.2&version=9.53.3&version=9.54.0
it seems there are no known security vulnerabilities.

evince can be updated from 3.36.5 to 40.0 according to "guix refresh";
that would be done in https://issues.guix.gnu.org/47643, I think.

> and try to make sure
> the GNOME thumbnailer and other "hidden" users of Ghostscript are run in
> containers.

The thumbnailer is run in a container, using bubblewrap and seccomp:

$ guix graph --type=references gnome-desktop
> [snip]
> "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" -> "/gnu/store/jsw78nn91z34z2cm227zwjhpybx2p2lw-bubblewrap-0.4.1" [color = darkseagreen];
> "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" -> "/gnu/store/w668dl13dac6gpxvyhic21dnifrrijp6-libseccomp-2.5.1" [color = darkseagreen];
> [snip]

$ EDITOR=less guix edit gnome-desktop
> [snip]
> ("bubblewrap" ,bubblewrap)
> [snip]

$ cat ./libgnome-desktop/gnome-desktop-thumbnail-script.c:
> [snip]
> [an add_bwrap function with bind mounts and --unshare-all]
> [a setup_seccomp function]
> [snip]

Closing.

Greetings,
Maxime.
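To make concrete what the bubblewrap container described above buys for a thumbnailer (and what it does not), here is an added example written for this page; it is not code from gnome-desktop, Guix or the bug reporter. It parses a freedesktop `.thumbnailer` entry of the kind found under /usr/share/thumbnailers (the sample entry is constructed, shaped like evince.thumbnailer), expands the Exec field codes, and builds a `bwrap` command line that approximates gnome-desktop's add_bwrap(): `--unshare-all`, host directories bound read-only, the untrusted input bound read-only at an assumed path inside the sandbox, and a throwaway output directory as the only writable host location. The in-sandbox paths, the list of host directories and the `run_sandboxed` helper are assumptions for illustration; gnome-desktop's setup_seccomp() filter, which bwrap receives via `--seccomp` on a file descriptor, is not reproduced.

```python
"""Added example (not gnome-desktop's or Guix's own code): parse a
.thumbnailer entry and build the bubblewrap command line a sandboxed
thumbnailer run would use.  Paths inside the sandbox are assumptions."""
import configparser
import os
import shlex
import shutil
import subprocess
import tempfile
import urllib.parse

# Constructed sample, shaped like /usr/share/thumbnailers/evince.thumbnailer.
SAMPLE_THUMBNAILER = """\
[Thumbnailer Entry]
TryExec=evince-thumbnailer
Exec=evince-thumbnailer -s %s %u %o
MimeType=application/pdf;application/postscript;
"""

# Assumed locations inside the sandbox (gnome-desktop uses its own names).
SANDBOX_IN = "/tmp/thumbnailer-input"
SANDBOX_OUT_DIR = "/tmp/thumbnailer-output"
# Host directories mounted read-only when present (/gnu/store for Guix).
HOST_RO_DIRS = ("/usr", "/lib", "/lib64", "/bin", "/sbin",
                "/etc/ld.so.cache", "/gnu/store", "/run/current-system")


def parse_thumbnailer(text):
    """Return the Exec line and MIME types of a [Thumbnailer Entry]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    entry = cp["Thumbnailer Entry"]
    return {"exec": entry["Exec"],
            "mimetypes": [m for m in entry.get("MimeType", "").split(";") if m]}


def _subst(arg, codes):
    # Left-to-right single pass so "%%u" yields "%u" rather than a URI.
    out, i = [], 0
    while i < len(arg):
        pair = arg[i:i + 2]
        if arg[i] == "%" and pair in codes:
            out.append(codes[pair])
            i += 2
        else:
            out.append(arg[i])
            i += 1
    return "".join(out)


def expand_exec(exec_line, input_path, output_path, size):
    """Expand the field codes: %u input URI, %i input path, %o output
    path, %s thumbnail size, %% literal percent."""
    codes = {"%u": "file://" + urllib.parse.quote(input_path),
             "%i": input_path, "%o": output_path, "%s": str(size), "%%": "%"}
    return [_subst(arg, codes) for arg in shlex.split(exec_line)]


def build_bwrap_argv(host_input, host_output_dir, exec_line, size):
    """Build the bwrap argv: no namespaces shared with the host, host
    system directories read-only, the untrusted file read-only, and
    only host_output_dir writable."""
    inner = expand_exec(exec_line, SANDBOX_IN,
                        SANDBOX_OUT_DIR + "/thumb.png", size)
    argv = ["bwrap", "--unshare-all", "--die-with-parent", "--new-session",
            "--proc", "/proc", "--dev", "/dev", "--tmpfs", "/tmp",
            "--chdir", "/", "--setenv", "GIO_USE_VFS", "local"]
    for d in HOST_RO_DIRS:
        if os.path.exists(d):
            argv += ["--ro-bind", d, d]
    argv += ["--ro-bind", host_input, SANDBOX_IN,
             "--bind", host_output_dir, SANDBOX_OUT_DIR, "--"]
    return argv + inner


def run_sandboxed(host_input, host_output_dir, exec_line, size=128):
    """Run the thumbnailer under bwrap; None if bwrap is not installed."""
    if shutil.which("bwrap") is None:
        return None
    argv = build_bwrap_argv(host_input, host_output_dir, exec_line, size)
    return subprocess.run(argv, capture_output=True, timeout=30).returncode


if __name__ == "__main__":
    entry = parse_thumbnailer(SAMPLE_THUMBNAILER)
    with tempfile.TemporaryDirectory() as out_dir:
        sample = os.path.join(out_dir, "untrusted.pdf")
        open(sample, "wb").write(b"%PDF-1.4\n")  # constructed input
        print(shlex.join(build_bwrap_argv(sample, out_dir, entry["exec"], 128)))
        print("exit status:", run_sandboxed(sample, out_dir, entry["exec"]))
```

The property worth verifying on a real GNOME system is the one the argv makes visible: the crafted document is mounted read-only, the process has no network and no view of $HOME, and the only writable host path is the output directory, so a Ghostscript bug of the kind cited in [0] can at most corrupt the thumbnail. The seccomp filter gnome-desktop adds on top narrows the syscalls available to that process further.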
From: Leo Famulari <leo <at> famulari.name>
To: bug-guix <at> gnu.org
Subject: GNOME thumbnailing code execution vulnerabilities
Date: Thu, 23 Aug 2018 17:01:51 -0400
In some configurations of the GNOME and KDE desktops (and maybe others),
there is a remote code execution vulnerability via the Nautilus
thumbnailing system, via Evince and Ghostscript:

"My colleague Jann Horn pointed out evince (which uses libgs, which is
affected with some tweaks to the PoC) is used to generate previews in
Nautilus, which means previews can trigger code execution (see
/usr/share/thumbnailers/evince.thumbnailer). I think it's possible to
trigger that via file automatic download in a browser just by visiting a
URL, but I haven't tested it." [0]

Our Evince package is configured with '--disable-nautilus' [1]. Does
this avoid the problem for us?

I'm not using a graphical GuixSD system so I can't test this easily. Can
someone who is using GNOME on GuixSD poke around and let us know what
they find?

Desktop thumbnailing is a convenient feature, so it would be good if it
worked safely. Apparently GNOME is able to run the thumbnailer in a
container [2]; we should try to make sure that works.

[0]
http://seclists.org/oss-sec/2018/q3/143

[1]
https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/gnome.scm?id=16b0e8da48ef9398797a22e274d5fcb37e24e448#n743

[2]
https://bugs.launchpad.net/ubuntu/+source/bubblewrap/+bug/1709164

This bug report was last modified 4 years and 45 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.