GNU bug report logs - #32515
Ghostscript and GNOME thumbnailing code execution vulnerabilities


Package: guix; Reported by: Leo Famulari <leo@HIDDEN>; Keywords: security; dated Thu, 23 Aug 2018 21:03:02 UTC; Maintainer for guix is bug-guix@HIDDEN.
Changed bug title to 'Ghostscript and GNOME thumbnailing code execution vulnerabilities' from '"Ghostscript and GNOME thumbnailing code execution vulnerabilities"' Request was from Leo Famulari <leo@HIDDEN> to control <at> debbugs.gnu.org.

Message received at 32515 <at> debbugs.gnu.org:


Date: Mon, 25 Feb 2019 18:39:06 -0500
From: Leo Famulari <leo@HIDDEN>
To: 32515 <at> debbugs.gnu.org
Subject: Re: GNOME thumbnailing code execution vulnerabilities
Message-ID: <20190225233906.GA16808@HIDDEN>

Since this bug was filed, Ghostscript has received more scrutiny and
serious bugs continue to be found.

The recommendation of the researchers seems to be to disable and remove
Ghostscript unless a PostScript interpreter is actually necessary.

Barring that, we should keep our package up to date and try to make sure
the GNOME thumbnailer and other "hidden" users of Ghostscript are run in
containers.

Is anyone willing to look into the GNOME thumbnailer?





Information forwarded to bug-guix@HIDDEN:
bug#32515; Package guix.
Changed bug title to '"Ghostscript and GNOME thumbnailing code execution vulnerabilities"' from 'GNOME thumbnailing code execution vulnerabilities' Request was from Leo Famulari <leo@HIDDEN> to control <at> debbugs.gnu.org.
Added tag(s) security. Request was from ludo@HIDDEN (Ludovic Courtès) to control <at> debbugs.gnu.org.

Message received at submit <at> debbugs.gnu.org:


Date: Thu, 23 Aug 2018 17:01:51 -0400
From: Leo Famulari <leo@HIDDEN>
To: bug-guix@HIDDEN
Subject: GNOME thumbnailing code execution vulnerabilities
Message-ID: <20180823210151.GA18406@HIDDEN>

In some configurations of the GNOME and KDE desktops (and maybe others),
there is a remote code execution vulnerability via the Nautilus
thumbnailing system, via Evince and Ghostscript:

"My colleague Jann Horn pointed out evince (which uses libgs, which is
affected with some tweaks to the PoC) is used to generate previews in
Nautilus, which means previews can trigger code execution (see
/usr/share/thumbnailers/evince.thumbnailer). I think it's possible to
trigger that via file automatic download in a browser just by visiting a
URL, but I haven't tested it." [0]

Our Evince package is configured with '--disable-nautilus' [1]. Does
this avoid the problem for us?

I'm not using a graphical GuixSD system so I can't test this easily. Can
someone who is using GNOME on GuixSD poke around and let us know what
they find?

Desktop thumbnailing is a convenient feature, so it would be good if it
worked safely. Apparently GNOME is able to run the thumbnailer in a
container [2]; we should try to make sure that works.

[0]
http://seclists.org/oss-sec/2018/q3/143

[1]
https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/gnome.scm?id=16b0e8da48ef9398797a22e274d5fcb37e24e448#n743

[2]
https://bugs.launchpad.net/ubuntu/+source/bubblewrap/+bug/1709164

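One way to do the "poke around" requested in the report above, as an added example that is not part of the original messages or of Guix: it walks the thumbnailer directories derived from XDG_DATA_DIRS, parses each `*.thumbnailer` entry, and lists those registered for PostScript-family MIME types. The MIME set and the sample entry are assumptions constructed for illustration.

```python
import configparser
import os
import tempfile
from pathlib import Path

# Assumption: MIME types whose rendering ends up in Ghostscript (libgs).
# Adjust to the backends actually built into your Evince.
GS_MIME_TYPES = {"application/postscript", "application/x-bzpostscript",
                 "application/x-gzpostscript", "image/x-eps"}

# Constructed sample entry in the thumbnailer desktop-entry format.
SAMPLE = """[Thumbnailer Entry]
TryExec=evince-thumbnailer
Exec=evince-thumbnailer -s %s %u %o
MimeType=application/pdf;application/postscript;image/x-eps;
"""

def thumbnailer_dirs(env=os.environ):
    """Directories searched for *.thumbnailer files (XDG data dirs)."""
    home = env.get("XDG_DATA_HOME") or os.path.expanduser("~/.local/share")
    dirs = env.get("XDG_DATA_DIRS") or "/usr/local/share:/usr/share"
    return [Path(d) / "thumbnailers" for d in [home, *dirs.split(":")] if d]

def audit(dirs):
    """Return (file name, Exec line, Ghostscript-backed MIME types) per hit."""
    findings = []
    for d in dirs:
        if not d.is_dir():
            continue
        for f in sorted(d.glob("*.thumbnailer")):
            # interpolation=None: Exec lines contain literal %u / %o.
            cp = configparser.ConfigParser(interpolation=None, strict=False)
            try:
                cp.read(f, encoding="utf-8")
                entry = cp["Thumbnailer Entry"]
            except (configparser.Error, KeyError, UnicodeDecodeError):
                continue  # malformed or unrelated file
            mimes = {m.strip() for m in entry.get("MimeType", "").split(";")}
            risky = sorted(mimes & GS_MIME_TYPES)
            if risky:
                findings.append((f.name, entry.get("Exec", ""), risky))
    return findings

def demo():
    """Run the audit over the constructed sample entry."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp) / "thumbnailers"
        d.mkdir()
        (d / "evince.thumbnailer").write_text(SAMPLE, encoding="utf-8")
        return audit([d])
```

On a real system, call `audit(thumbnailer_dirs())`. A listed entry only shows that a PostScript thumbnailer is registered; whether the desktop runs it inside a container has to be checked separately.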




Acknowledgement sent to Leo Famulari <leo@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN.
Report forwarded to bug-guix@HIDDEN:
bug#32515; Package guix.
Last modified: Mon, 25 Nov 2019 12:00:02 UTC
