GNU bug report logs - #32515
Ghostscript and GNOME thumbnailing code execution vulnerabilities

Previous Next

Package: guix;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Thu, 23 Aug 2018 21:03:02 UTC

Severity: normal

Tags: security

Done: Maxime Devos <maximedevos <at> telenet.be>

Bug is archived. No further changes may be made.

Full log

Message #19 received at 32515-done <at> debbugs.gnu.org (full text, mbox):

From: Maxime Devos <maximedevos <at> telenet.be>
To: 32515-done <at> debbugs.gnu.org
Subject: Re: GNOME thumbnailing code execution vulnerabilities.
Date: Fri, 09 Apr 2021 15:51:21 +0200

[Message part 1 (text/plain, inline)]
Leo Famulari (26 Feb 2019) wrote:
> Since this bug was filed, Ghostscript has received more scrutiny and
> serious bugs continue to be found.

I assume you meant ‘fixed’.

> [...]
> Barring that, we should keep our package up to date

ghostscript can be updated to 9.54 (https://ghostscript.com/download/gsdnld.html).
This will require grafts due to many depending packages.
However, looking at
https://bugs.ghostscript.com/buglist.cgi?order=Bug%20Number&product=Ghostscript&query_format=advanced&resolution=---&version=9.52&version=9.53.0&version=9.53.1&version=9.53.2&version=9.53.3&version=9.54.0
it seems there are no known security vulnerabilities.

evince can be updated from 3.36.5 to 40.0 according to "guix refresh",
that would be done in https://issues.guix.gnu.org/47643  think.

> and try to make sure
> the GNOME thumbnailer and other "hidden" users of Ghostscript are run in
> containers.

The thumbnailer is run in a container, using bubblewrap and seccomp:

$ guix graph --type=references gnome-desktop
> [snip]
> "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" -> "/gnu/store/jsw78nn91z34z2cm227zwjhpybx2p2lw-bubblewrap-0.4.1" [color = darkseagreen];
> "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" -> "/gnu/store/w668dl13dac6gpxvyhic21dnifrrijp6-libseccomp-2.5.1" [color = darkseagreen];
> [snip]

$ EDITOR=less guix edit gnome-desktop
> [snip]
> ("bubblewrap" ,bubblewrap)
> [snip]

$ cat ./libgnome-desktop/gnome-desktop-thumbnail-script.c:
> [snip]
> [an add_bwrap function with bind mounts and --unshare-all]
> [a setup_seccomp function]
> [snip]

Closing.

Greetings,
Maxime.

[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 4 years and 45 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.