GNU bug report logs - #32515: Ghostscript and GNOME thumbnailing code execution vulnerabilities
Reported by: Leo Famulari <leo <at> famulari.name>
Date: Thu, 23 Aug 2018 21:03:02 UTC
Severity: normal
Tags: security
Done: Maxime Devos <maximedevos <at> telenet.be>
Bug is archived. No further changes may be made.
Report forwarded to bug-guix <at> gnu.org: bug#32515; Package guix. (Thu, 23 Aug 2018 21:03:02 GMT)
Acknowledgement sent to Leo Famulari <leo <at> famulari.name>: New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Thu, 23 Aug 2018 21:03:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
In some configurations of the GNOME and KDE desktops (and maybe others),
there is a remote code execution vulnerability via the Nautilus
thumbnailing system, via Evince and Ghostscript:
"My colleague Jann Horn pointed out evince (which uses libgs, which is
affected with some tweaks to the PoC) is used to generate previews in
Nautilus, which means previews can trigger code execution (see
/usr/share/thumbnailers/evince.thumbnailer). I think it's possible to
trigger that via file automatic download in a browser just by visiting a
URL, but I haven't tested it." [0]
Our Evince package is configured with '--disable-nautilus' [1]. Does
this avoid the problem for us?
I'm not using a graphical GuixSD system so I can't test this easily. Can
someone who is using GNOME on GuixSD poke around and let us know what
they find?
Desktop thumbnailing is a convenient feature, so it would be good if it
worked safely. Apparently GNOME is able to run the thumbnailer in a
container [2]; we should try to make sure that works.
[0]
http://seclists.org/oss-sec/2018/q3/143
[1]
https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/gnome.scm?id=16b0e8da48ef9398797a22e274d5fcb37e24e448#n743
[2]
https://bugs.launchpad.net/ubuntu/+source/bubblewrap/+bug/1709164
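To make the question in this report concrete, here is an added example (not code from the report, from Guix or from GNOME): a POSIX shell audit that reads the .thumbnailer registration files a file manager consults, extracts their Exec= and MimeType= keys, and lists the ones that would be handed PostScript or PDF input, which is the path by which a downloaded file ends up being parsed by Ghostscript. The two sample .thumbnailer files it writes are constructed for the example; their layout follows the [Thumbnailer Entry] desktop-entry style of files such as /usr/share/thumbnailers/evince.thumbnailer, and the evince-thumbnailer command line inside them is an assumption.

```shell
#!/bin/sh
# Added example: list registered thumbnailers and flag the ones that would
# receive PostScript/PDF input (and so reach Ghostscript through evince/libgs).
# Not code from the bug report, Guix or GNOME; the sample files are constructed.

# parse_thumbnailer FILE -> "<name>\t<Exec>\t<MimeType>"
parse_thumbnailer() {
  file=$1
  name=$(basename "$file" .thumbnailer)
  exec_line=$(sed -n 's/^Exec=//p' "$file" | head -n 1)
  mimes=$(sed -n 's/^MimeType=//p' "$file" | head -n 1)
  printf '%s\t%s\t%s\n' "$name" "$exec_line" "$mimes"
}

# handles_mime FILE MIME -> 0 if MIME appears in the file's MimeType= list
handles_mime() {
  mimes=$(sed -n 's/^MimeType=//p' "$1" | head -n 1)
  case ";$mimes;" in
    *";$2;"*) return 0 ;;
    *) return 1 ;;
  esac
}

# ps_thumbnailers DIR -> names of thumbnailers in DIR accepting PostScript or PDF
ps_thumbnailers() {
  for f in "$1"/*.thumbnailer; do
    [ -f "$f" ] || continue
    if handles_mime "$f" application/postscript || handles_mime "$f" application/pdf; then
      basename "$f" .thumbnailer
    fi
  done
}

# make_sample_dir -> path of a temp dir holding two constructed .thumbnailer files
make_sample_dir() {
  dir=$(mktemp -d)
  cat > "$dir/evince.thumbnailer" <<'EOF'
[Thumbnailer Entry]
TryExec=evince-thumbnailer
Exec=evince-thumbnailer -s %s %u %o
MimeType=application/pdf;application/postscript;application/x-dvi;
EOF
  cat > "$dir/gdk-pixbuf.thumbnailer" <<'EOF'
[Thumbnailer Entry]
TryExec=gdk-pixbuf-thumbnailer
Exec=gdk-pixbuf-thumbnailer -s %s %u %o
MimeType=image/png;image/jpeg;
EOF
  printf '%s\n' "$dir"
}

# usage: audit-thumbnailers.sh --demo        (constructed sample files)
#        audit-thumbnailers.sh DIR           (e.g. /usr/share/thumbnailers)
if [ "${1:-}" = --demo ]; then
  sample=$(make_sample_dir)
  ps_thumbnailers "$sample"
  rm -rf "$sample"
elif [ -n "${1:-}" ]; then
  ps_thumbnailers "$1"
fi
```

Run it with --demo to see the constructed case (it reports only evince), or point it at /usr/share/thumbnailers or the share/thumbnailers directory of a Guix profile to see which installed thumbnailers would be exercised by a stray .ps or .pdf download. Anything it lists is a process that deserves the sandboxing discussed later in this thread, whether or not the desktop package was built with --disable-nautilus.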
Added tag(s) security. Request was from ludo <at> gnu.org (Ludovic Courtès) to control <at> debbugs.gnu.org. (Wed, 29 Aug 2018 20:34:02 GMT)
Changed bug title to '"Ghostscript and GNOME thumbnailing code execution vulnerabilities"' from 'GNOME thumbnailing code execution vulnerabilities'. Request was from Leo Famulari <leo <at> famulari.name> to control <at> debbugs.gnu.org. (Mon, 25 Feb 2019 23:38:01 GMT)
Information forwarded to bug-guix <at> gnu.org: bug#32515; Package guix. (Mon, 25 Feb 2019 23:40:02 GMT)
Message #12 received at 32515 <at> debbugs.gnu.org:
Since this bug was filed, Ghostscript has received more scrutiny and
serious bugs continue to be found.
The recommendation of the researchers seems to be to disable and remove
Ghostscript unless a PostScript interpreter is actually necessary.
Barring that, we should keep our package up to date and try to make sure
the GNOME thumbnailer and other "hidden" users of Ghostscript are run in
containers.
Is anyone willing to look into the GNOME thumbnailer?
Changed bug title to 'Ghostscript and GNOME thumbnailing code execution vulnerabilities' from '"Ghostscript and GNOME thumbnailing code execution vulnerabilities"'. Request was from Leo Famulari <leo <at> famulari.name> to control <at> debbugs.gnu.org. (Mon, 25 Feb 2019 23:40:02 GMT)
Reply sent to Maxime Devos <maximedevos <at> telenet.be>: You have taken responsibility. (Fri, 09 Apr 2021 13:52:01 GMT)
Notification sent to Leo Famulari <leo <at> famulari.name>: bug acknowledged by developer. (Fri, 09 Apr 2021 13:52:01 GMT)
Message #19 received at 32515-done <at> debbugs.gnu.org:
Leo Famulari (26 Feb 2019) wrote:
> Since this bug was filed, Ghostscript has received more scrutiny and
> serious bugs continue to be found.
I assume you meant ‘fixed’.
> [...]
> Barring that, we should keep our package up to date
ghostscript can be updated to 9.54 (https://ghostscript.com/download/gsdnld.html).
This will require grafts due to many depending packages.
However, looking at
https://bugs.ghostscript.com/buglist.cgi?order=Bug%20Number&product=Ghostscript&query_format=advanced&resolution=---&version=9.52&version=9.53.0&version=9.53.1&version=9.53.2&version=9.53.3&version=9.54.0
it seems there are no known security vulnerabilities.
evince can be updated from 3.36.5 to 40.0 according to "guix refresh",
that would be done in https://issues.guix.gnu.org/47643 I think.
> and try to make sure
> the GNOME thumbnailer and other "hidden" users of Ghostscript are run in
> containers.
The thumbnailer is run in a container, using bubblewrap and seccomp:
$ guix graph --type=references gnome-desktop
> [snip]
> "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" -> "/gnu/store/jsw78nn91z34z2cm227zwjhpybx2p2lw-bubblewrap-0.4.1" [color = darkseagreen];
> "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" -> "/gnu/store/w668dl13dac6gpxvyhic21dnifrrijp6-libseccomp-2.5.1" [color = darkseagreen];
> [snip]
$ EDITOR=less guix edit gnome-desktop
> [snip]
> ("bubblewrap" ,bubblewrap)
> [snip]
$ cat ./libgnome-desktop/gnome-desktop-thumbnail-script.c:
> [snip]
> [an add_bwrap function with bind mounts and --unshare-all]
> [a setup_seccomp function]
> [snip]
Closing.
Greetings,
Maxime.
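Maxime's check above establishes what gnome-desktop does. As an added example, which is neither gnome-desktop's add_bwrap() nor any Guix code, the POSIX shell wrapper below shows the shape of such a sandbox for any thumbnailer that hands untrusted input to Ghostscript: a read-only view of the system, only the input file and one output directory mapped in, and bubblewrap's --unshare-all, --new-session and --die-with-parent so the process gets no network, no controlling terminal and no life beyond its parent. The /tmp/input and /tmp/out paths, the list of read-only system paths and the evince-thumbnailer command line are assumptions for illustration; the seccomp filter that gnome-desktop installs in setup_seccomp is not reproduced here.

```shell
#!/bin/sh
# Added example, not gnome-desktop's add_bwrap() and not Guix code: run a
# thumbnailer on an untrusted file inside a bubblewrap sandbox. bwrap_args()
# only builds the argument list so it can be inspected; run_sandboxed()
# executes it when bwrap is installed. The /tmp/input and /tmp/out paths, the
# read-only system paths and the thumbnailer command line are assumptions.

# bwrap_args INPUT OUTDIR -> one bwrap argument per line
bwrap_args() {
  input=$1
  outdir=$2
  # Read-only view of the system; nothing from $HOME is mapped at all.
  printf '%s\n' --ro-bind /usr /usr
  for p in /lib /lib64 /bin /sbin /etc/alternatives /etc/ld.so.cache /etc/fonts; do
    if [ -e "$p" ]; then printf '%s\n' --ro-bind "$p" "$p"; fi
  done
  printf '%s\n' \
    --proc /proc \
    --dev /dev \
    --tmpfs /tmp \
    --ro-bind "$input" /tmp/input \
    --bind "$outdir" /tmp/out \
    --chdir /tmp \
    --setenv HOME /tmp \
    --unsetenv DISPLAY \
    --unsetenv WAYLAND_DISPLAY \
    --unshare-all \
    --new-session \
    --die-with-parent
}

# audit_args (list on stdin) -> 0 if the isolation flags are present and the
# output directory is the only writable bind
audit_args() {
  list=$(cat)
  for flag in --unshare-all --new-session --die-with-parent; do
    printf '%s\n' "$list" | grep -qx -- "$flag" || return 1
  done
  [ "$(printf '%s\n' "$list" | grep -cx -- '--bind')" -eq 1 ]
}

# run_sandboxed INPUT OUTDIR COMMAND -> runs COMMAND in the sandbox, where the
# input is /tmp/input and the only writable directory is /tmp/out
run_sandboxed() {
  input=$1
  outdir=$2
  cmd=$3
  command -v bwrap >/dev/null 2>&1 || { echo "bwrap not installed" >&2; return 127; }
  bwrap_args "$input" "$outdir" | audit_args || { echo "refusing to run: sandbox too weak" >&2; return 1; }
  # Load the newline-separated list into the positional parameters.
  set --
  while IFS= read -r arg; do set -- "$@" "$arg"; done <<EOF
$(bwrap_args "$input" "$outdir")
EOF
  bwrap "$@" -- /bin/sh -c "$cmd"
}

# usage: sandbox-thumbnailer.sh INPUT OUTDIR
if [ $# -eq 2 ]; then
  run_sandboxed "$1" "$2" 'evince-thumbnailer -s 128 /tmp/input /tmp/out/thumb.png'
fi
```

audit_args is the part worth keeping in a real wrapper: it refuses to launch if one of the isolation flags is missing or if anything other than the output directory is writable, which is exactly the regression a later convenience edit tends to introduce. A seccomp policy like the one gnome-desktop sets up would be layered on top through bwrap's --seccomp option, which takes a compiled BPF filter on a file descriptor.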
Information forwarded to bug-guix <at> gnu.org: bug#32515; Package guix. (Fri, 09 Apr 2021 18:49:01 GMT)
Message #22 received at 32515 <at> debbugs.gnu.org:
On Fri, Apr 09, 2021 at 03:51:21PM +0200, Maxime Devos wrote:
> Leo Famulari (26 Feb 2019) wrote:
> > Since this bug was filed, Ghostscript has received more scrutiny and
> > serious bugs continue to be found.
>
> I assume you meant ‘fixed’.
I did not mean 'fixed'. As far as I know, no work was done in Guix about
this bug.
'filed' is definitely the correct interpretation; security researchers
ignored PostScript / Ghostscript for a very long time, but it became a
popular area of research a few years ago.
Basically, Ghostscript is a decades-old C codebase implementing an even
older language specification. Caveat emptor.
Unlike some other similar codebases, like OpenSSL, the situation
regarding security researchers and vulnerability disclosure has not
really improved, as far as I can tell :/
> The thumbnailer is run in a container, using bubblewrap and seccomp:
>
> $ guix graph --type=references gnome-desktop
> > [snip]
> > "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" -> "/gnu/store/jsw78nn91z34z2cm227zwjhpybx2p2lw-bubblewrap-0.4.1" [color = darkseagreen];
> > "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" -> "/gnu/store/w668dl13dac6gpxvyhic21dnifrrijp6-libseccomp-2.5.1" [color = darkseagreen];
> > [snip]
>
> $ EDITOR=less guix edit gnome-desktop
> > [snip]
> > ("bubblewrap" ,bubblewrap)
> > [snip]
>
> $ cat ./libgnome-desktop/gnome-desktop-thumbnail-script.c:
> > [snip]
> > [an add_bwrap function with bind mounts and --unshare-all]
> > [a setup_seccomp function]
> > [snip]
>
> Closing.
Great, looks like upstream took care of it for us. There will probably
be more bugs in this area, but that's expected.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 08 May 2021 11:24:04 GMT)
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.