GNU bug report logs - #32515
GNOME thumbnailing code execution vulnerabilities

Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.

Package: guix; Reported by: Leo Famulari <leo@HIDDEN>; Keywords: security; dated Thu, 23 Aug 2018 21:03:02 UTC; Maintainer for guix is bug-guix@HIDDEN.
Added tag(s) security. Request was from ludo@HIDDEN (Ludovic Courtès) to control <at> debbugs.gnu.org. Full text available.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 23 Aug 2018 21:02:13 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Aug 23 17:02:13 2018
Received: from localhost ([127.0.0.1]:59149 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1fswk9-0007Ay-AM
	for submit <at> debbugs.gnu.org; Thu, 23 Aug 2018 17:02:13 -0400
Received: from eggs.gnu.org ([208.118.235.92]:46037)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@HIDDEN>) id 1fswk7-0007Ak-5M
 for submit <at> debbugs.gnu.org; Thu, 23 Aug 2018 17:02:11 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <leo@HIDDEN>) id 1fswk1-0007eL-1t
 for submit <at> debbugs.gnu.org; Thu, 23 Aug 2018 17:02:05 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,T_DKIM_INVALID
 autolearn=disabled version=3.3.2
Received: from lists.gnu.org ([2001:4830:134:3::11]:37684)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <leo@HIDDEN>) id 1fswk0-0007eG-Tl
 for submit <at> debbugs.gnu.org; Thu, 23 Aug 2018 17:02:04 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:38772)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <leo@HIDDEN>) id 1fswjz-0004IN-Tt
 for bug-guix@HIDDEN; Thu, 23 Aug 2018 17:02:04 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <leo@HIDDEN>) id 1fswju-0007dA-Qx
 for bug-guix@HIDDEN; Thu, 23 Aug 2018 17:02:03 -0400
Received: from out1-smtp.messagingengine.com ([66.111.4.25]:43995)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <leo@HIDDEN>) id 1fswjt-0007cc-OX
 for bug-guix@HIDDEN; Thu, 23 Aug 2018 17:01:58 -0400
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
 by mailout.nyi.internal (Postfix) with ESMTP id C69D221DF0;
 Thu, 23 Aug 2018 17:01:54 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163])
 by compute4.internal (MEProxy); Thu, 23 Aug 2018 17:01:54 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=content-type:date:from:message-id:mime-version:subject:to
 :x-me-sender:x-me-sender:x-sasl-enc; s=mesmtp; bh=r2P2qEa4SPTXOJ
 fOHXe/vmsnj04tpl4xgVk7f0qL9fI=; b=XgYR5pcUCMdtoI/wkMJWNBF5QZ4wW/
 u9p1v/Nntaj46i4NVde7GHOQdt2e51MlnCC43NmN1z972JoEtVRG86b2DMqrNqqE
 MwgLKzPfCo1QedUH28BKRAqOvGOJrwmFhEM0plGDIGByxr+gtB3ImYzqX9Cx7rIa
 pEkDlv12uZo2w=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=content-type:date:from:message-id
 :mime-version:subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=
 fm3; bh=r2P2qEa4SPTXOJfOHXe/vmsnj04tpl4xgVk7f0qL9fI=; b=dNKeZNix
 euwZtovUBymqJQRlnlnH7PDEZbyLByoDmVtjEF14ltziez17NAdrE+91Q8xoMRPu
 qNUxBaMzbtSR3cWOv+9+sGgGyJl1HWLq2kaG1mEVTWRIm0rdT/VcU2GpG7lC2jGl
 +8pffG2aSYtnV8419PxJLSUKTOlzDwDYQZjtVpLcBjBKd4O8C2tYcpHAEMdFENF6
 glw0lNp9P5ctDgLR06DKvd7avJo1xDw7zOy+HwJ4KK7GweQ/lR0DJKv2JJ/lB52+
 xcR/fzfHbMRev7vI10JvUYr0CXI4Fd6859D17Nx8VIIkQ7iw3ja+I3imXsFwPzGZ
 Kf2OrqsEZAemCg==
X-ME-Proxy: <xmx:wCB_Wwqb7SDr-yH4hc_ANDzhvWwd7gwBRjUqULPr4dPbu0PVzVoUMw>
 <xmx:wCB_W1Vl72mkjGnPu0UdJxoCiEUxjNG1tS2wkfQxngJRMC2nYzmk-Q>
 <xmx:wCB_W3ekQejB-nOonDXBWFPJ_yCoBvbxzRwiQ1uBH0VRBHmvGKAgEQ>
 <xmx:wCB_WxC_B2cJRBAYDhBXB5ptWcj_G6dCkNlX8ZdDG3s4RIr64UmIRg>
 <xmx:wCB_W1FTczadKzjiFKsSer6l-KOlT1cT3IwN67BQtK722XQDCkkLKg>
 <xmx:wiB_W5PGKFI2lDZIMsK5jOgULItf13edJ6cuhywWDz7bMqUjEy_L6A>
X-ME-Sender: <xms:wCB_WwXl4I8NLx8H9yaaJ2eDV_fYqDFaOv71Tj-LwYJh_TCp6LJORQ>
Received: from localhost (c-76-124-202-137.hsd1.pa.comcast.net
 [76.124.202.137])
 by mail.messagingengine.com (Postfix) with ESMTPA id 1EF551028A
 for <bug-guix@HIDDEN>; Thu, 23 Aug 2018 17:01:52 -0400 (EDT)
Date: Thu, 23 Aug 2018 17:01:51 -0400
From: Leo Famulari <leo@HIDDEN>
To: bug-guix@HIDDEN
Subject: GNOME thumbnailing code execution vulnerabilities
Message-ID: <20180823210151.GA18406@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="/04w6evG8XlLl3ft"
Content-Disposition: inline
User-Agent: Mutt/1.10.1 (2018-07-13)
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
X-Received-From: 2001:4830:134:3::11
X-Spam-Score: -4.1 (----)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -5.1 (-----)


--/04w6evG8XlLl3ft
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

In some configurations of the GNOME and KDE desktops (and maybe others),
there is a remote code execution vulnerability via the Nautilus
thumbnailing system, via Evince and Ghostscript:

"My colleague Jann Horn pointed out evince (which uses libgs, which is
affected with some tweaks to the PoC) is used to generate previews in
Nautilus, which means previews can trigger code execution (see
/usr/share/thumbnailers/evince.thumbnailer). I think it's possible to
trigger that via file automatic download in a browser just by visiting a
URL, but I haven't tested it." [0]

Our Evince package is configured with '--disable-nautilus' [1]. Does
this avoid the problem for us?

I'm not using a graphical GuixSD system so I can't test this easily. Can
someone who is using GNOME on GuixSD poke around and let us know what
they find?

Desktop thumbnailing is a convenient feature, so it would be good if it
worked safely. Apparently GNOME is able to run the thumbnailer in a
container [2]; we should try to make sure that works.

[0]
http://seclists.org/oss-sec/2018/q3/143

[1]
https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/gnome.scm?id=16b0e8da48ef9398797a22e274d5fcb37e24e448#n743

[2]
https://bugs.launchpad.net/ubuntu/+source/bubblewrap/+bug/1709164

--/04w6evG8XlLl3ft
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlt/IL8ACgkQJkb6MLrK
fwiTzw/9HVEKINE7zPl1QmZomYvT6Z/g6royQDgkcmRWAJS4riUwDH41BclSkE+u
v+pOWkx+icXK8HLt+dkmBWVecieswRx/idnNGUZpvjprFoj30yxPhnpc9nbTeM1R
xIr2d9vEyLJHd+FbDanmDFqxKdp7/U5Imn+XYhI73Y2Zoq8R40jr+7lVht4Qfgjd
J7Fl9OG7Puy78vfQVc9XhxYNmOhzNt7bZncECVhLfwLTUVmZf86oD5KaMg11wpOP
nLBMO863gVKJXPU/F7H1hfUq03AezaPZSAXCQr7d9lvteMbQwp1+PMoKhHIWF1ro
fjXyth9+UNXbv1IDM+Oiv9VfVpjApitfypFAcLL5QfGuqsknZtHNtDoIDavuBekP
eAhODq1eK4oiNyxL0to8lHMaUy+ZVNJ98c6ig89rRsthpMaQVbS27t5vsqm3bZuP
PmnfrKEgfQP8z3kPVNjySExY1prIbH+r1O4FFXwMjpxfc+SJ564+sE0qPnDrYnNy
LLX3cB6ExQ4VTUd9ChPe+0oCcyUCA1ng1SULMki4JjeMeZdmbK55En4lmiB3PoP7
aQXdjhgRSmVDAOCs+DrG45HJUHWiRENvK++CWpaSG6WW1VllvSoqD/GaPTc8PATT
Rz84QjcG/Hag4AfEIDkMQMoN8IHbNYa/FGwRrT3SGH7hsH+TP7E=
=FEkj
-----END PGP SIGNATURE-----

--/04w6evG8XlLl3ft--




Acknowledgement sent to Leo Famulari <leo@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN. Full text available.
Report forwarded to bug-guix@HIDDEN:
bug#32515; Package guix. Full text available.
Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.
Last modified: Wed, 29 Aug 2018 20:45:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.