GNU bug report logs - #32515
Ghostscript and GNOME thumbnailing code execution vulnerabilities


Package: guix;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Thu, 23 Aug 2018 21:03:02 UTC

Severity: normal

Tags: security

Done: Maxime Devos <maximedevos <at> telenet.be>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#32515; Package guix. (Thu, 23 Aug 2018 21:03:02 GMT)

Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Thu, 23 Aug 2018 21:03:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: bug-guix <at> gnu.org
Subject: GNOME thumbnailing code execution vulnerabilities
Date: Thu, 23 Aug 2018 17:01:51 -0400
[Message part 1 (text/plain, inline)]
In some configurations of the GNOME and KDE desktops (and maybe others),
there is a remote code execution vulnerability via the Nautilus
thumbnailing system, via Evince and Ghostscript:

"My colleague Jann Horn pointed out evince (which uses libgs, which is
affected with some tweaks to the PoC) is used to generate previews in
Nautilus, which means previews can trigger code execution (see
/usr/share/thumbnailers/evince.thumbnailer). I think it's possible to
trigger that via file automatic download in a browser just by visiting a
URL, but I haven't tested it." [0]

Our Evince package is configured with '--disable-nautilus' [1]. Does
this avoid the problem for us?

I'm not using a graphical GuixSD system so I can't test this easily. Can
someone who is using GNOME on GuixSD poke around and let us know what
they find?

Desktop thumbnailing is a convenient feature, so it would be good if it
worked safely. Apparently GNOME is able to run the thumbnailer in a
container [2]; we should try to make sure that works.

[0]
http://seclists.org/oss-sec/2018/q3/143

[1]
https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/gnome.scm?id=16b0e8da48ef9398797a22e274d5fcb37e24e448#n743

[2]
https://bugs.launchpad.net/ubuntu/+source/bubblewrap/+bug/1709164
[signature.asc (application/pgp-signature, inline)]

Added tag(s) security. Request was from ludo <at> gnu.org (Ludovic Courtès) to control <at> debbugs.gnu.org. (Wed, 29 Aug 2018 20:34:02 GMT)

Changed bug title to '"Ghostscript and GNOME thumbnailing code execution vulnerabilities"' from 'GNOME thumbnailing code execution vulnerabilities' Request was from Leo Famulari <leo <at> famulari.name> to control <at> debbugs.gnu.org. (Mon, 25 Feb 2019 23:38:01 GMT)

Information forwarded to bug-guix <at> gnu.org:
bug#32515; Package guix. (Mon, 25 Feb 2019 23:40:02 GMT)

Message #12 received at 32515 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: 32515 <at> debbugs.gnu.org
Subject: Re: GNOME thumbnailing code execution vulnerabilities
Date: Mon, 25 Feb 2019 18:39:06 -0500
[Message part 1 (text/plain, inline)]
Since this bug was filed, Ghostscript has received more scrutiny and
serious bugs continue to be found.

The recommendation of the researchers seems to be to disable and remove
Ghostscript unless a Postscript interpreter is actually necessary.

Barring that, we should keep our package up to date and try to make sure
the GNOME thumbnailer and other "hidden" users of Ghostscript are run in
containers.

Is anyone willing to look into the GNOME thumbnailer?
[signature.asc (application/pgp-signature, inline)]

Changed bug title to 'Ghostscript and GNOME thumbnailing code execution vulnerabilities' from '"Ghostscript and GNOME thumbnailing code execution vulnerabilities"' Request was from Leo Famulari <leo <at> famulari.name> to control <at> debbugs.gnu.org. (Mon, 25 Feb 2019 23:40:02 GMT)

Reply sent to Maxime Devos <maximedevos <at> telenet.be>:
You have taken responsibility. (Fri, 09 Apr 2021 13:52:01 GMT)

Notification sent to Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer. (Fri, 09 Apr 2021 13:52:01 GMT)

Message #19 received at 32515-done <at> debbugs.gnu.org:

From: Maxime Devos <maximedevos <at> telenet.be>
To: 32515-done <at> debbugs.gnu.org
Subject: Re: GNOME thumbnailing code execution vulnerabilities.
Date: Fri, 09 Apr 2021 15:51:21 +0200
[Message part 1 (text/plain, inline)]
Leo Famulari (26 Feb 2019) wrote:
> Since this bug was filed, Ghostscript has received more scrutiny and
> serious bugs continue to be found.

I assume you meant ‘fixed’.

> [...]
> Barring that, we should keep our package up to date

ghostscript can be updated to 9.54 (https://ghostscript.com/download/gsdnld.html).
This will require grafts due to many depending packages.
However, looking at
https://bugs.ghostscript.com/buglist.cgi?order=Bug%20Number&product=Ghostscript&query_format=advanced&resolution=---&version=9.52&version=9.53.0&version=9.53.1&version=9.53.2&version=9.53.3&version=9.54.0
it seems there are no known security vulnerabilities.

evince can be updated from 3.36.5 to 40.0 according to "guix refresh",
that would be done in https://issues.guix.gnu.org/47643 I think.

> and try to make sure
> the GNOME thumbnailer and other "hidden" users of Ghostscript are run in
> containers.

The thumbnailer is run in a container, using bubblewrap and seccomp:

$ guix graph --type=references gnome-desktop
> [snip]
> "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" -> "/gnu/store/jsw78nn91z34z2cm227zwjhpybx2p2lw-bubblewrap-0.4.1" [color = darkseagreen];
> "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" -> "/gnu/store/w668dl13dac6gpxvyhic21dnifrrijp6-libseccomp-2.5.1" [color = darkseagreen];
> [snip]

$ EDITOR=less guix edit gnome-desktop
> [snip]
> ("bubblewrap" ,bubblewrap)
> [snip]

$ cat ./libgnome-desktop/gnome-desktop-thumbnail-script.c:
> [snip]
> [an add_bwrap function with bind mounts and --unshare-all]
> [a setup_seccomp function]
> [snip]

Closing.

Greetings,
Maxime.
[signature.asc (application/pgp-signature, inline)]
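The two practical steps this thread circles around, as one added example: the audit Leo asks for in Message #5 (which helper a desktop would run for a given MIME type, read from the .thumbnailer files under /usr/share/thumbnailers) and the bubblewrap confinement Maxime describes in Message #19 (read-only bind mounts, --unshare-all, only the output writable). This is example code written for this page; it is not code from Guix, GNOME, Evince or gnome-desktop's add_bwrap(). Assumptions: the two sample .thumbnailer entries are constructed, not copied from a system; the sandbox paths SANDBOX_IN and SANDBOX_OUT, the RO_ROOTS list and the mount layout are this example's own choices; the bwrap options are real bubblewrap flags (--ro-bind-try needs bubblewrap 0.4 or later); the seccomp filter that gnome-desktop additionally installs is not reproduced.

```python
import configparser
import shlex
from typing import Dict, List

# Constructed sample entries, modelled on the desktop-entry style files GNOME
# installs under /usr/share/thumbnailers (e.g. evince.thumbnailer).
SAMPLE_THUMBNAILERS: Dict[str, str] = {
    "evince.thumbnailer": (
        "[Thumbnailer Entry]\n"
        "TryExec=evince-thumbnailer\n"
        "Exec=evince-thumbnailer -s %s %u %o\n"
        "MimeType=application/pdf;application/postscript;application/x-dvi;\n"),
    "gdk-pixbuf.thumbnailer": (
        "[Thumbnailer Entry]\n"
        "TryExec=gdk-pixbuf-thumbnailer\n"
        "Exec=gdk-pixbuf-thumbnailer -s %s %u %o\n"
        "MimeType=image/png;image/jpeg;\n"),
}

# Where the document and the thumbnail live inside the sandbox (assumed names).
SANDBOX_IN = "/tmp/thumbnailer-input"
SANDBOX_OUT = "/tmp/thumbnailer-output.png"
# System roots mounted read-only.  --ro-bind-try (bubblewrap >= 0.4) skips any
# that do not exist, so FHS layouts and Guix's /gnu/store both work.  Assumed.
RO_ROOTS = ("/usr", "/lib", "/lib64", "/bin", "/etc/ld.so.cache",
            "/gnu/store", "/run/current-system")


def parse_thumbnailer(text: str) -> Dict[str, object]:
    """Parse one .thumbnailer file into its TryExec, Exec and MIME types."""
    cp = configparser.ConfigParser(interpolation=None)  # keep %s/%u literal
    cp.read_string(text)
    entry = cp["Thumbnailer Entry"]
    return {"try_exec": entry.get("TryExec"), "exec": entry["Exec"],
            "mime_types": [m for m in entry.get("MimeType", "").split(";") if m]}


def thumbnailers_for(mime_type: str, files: Dict[str, str]) -> List[str]:
    """Audit step: which entries would the desktop run for this MIME type?"""
    return sorted(name for name, text in files.items()
                  if mime_type in parse_thumbnailer(text)["mime_types"])


def expand_exec(exec_line: str, infile: str, outfile: str, size: int) -> List[str]:
    """Expand the %i/%u/%o/%s placeholders of an Exec= line into an argv."""
    subst = {"%i": infile, "%u": "file://" + infile, "%o": outfile,
             "%s": str(size), "%%": "%"}
    return [subst.get(tok, tok) for tok in shlex.split(exec_line)]


def build_sandbox_argv(exec_line: str, host_in: str, host_out: str,
                       size: int = 128) -> List[str]:
    """Wrap a thumbnailer Exec= line in bwrap: read-only system, --unshare-all
    (no network, private PID/IPC/UTS namespaces), only the output writable.
    host_out must already exist as an empty file: bwrap binds onto a target."""
    argv = ["bwrap"]
    for root in RO_ROOTS:
        argv += ["--ro-bind-try", root, root]
    argv += ["--proc", "/proc", "--dev", "/dev", "--tmpfs", "/tmp",
             "--ro-bind", host_in, SANDBOX_IN,   # the untrusted document
             "--bind", host_out, SANDBOX_OUT,    # the only writable path
             "--unshare-all", "--die-with-parent",
             "--new-session",                    # no tty ioctls at the caller
             "--chdir", "/tmp", "--"]
    return argv + expand_exec(exec_line, SANDBOX_IN, SANDBOX_OUT, size)


def sandbox_violations(argv: List[str], writable_ok=(SANDBOX_OUT,)) -> List[str]:
    """Check a bwrap command line (e.g. one captured from ps) against the
    policy above.  An empty list means it complies."""
    if argv[:1] != ["bwrap"] or "--" not in argv:
        return ["not a bwrap invocation with a '--' separator"]
    opts = argv[1:argv.index("--")]
    problems = []
    if "--unshare-all" not in opts and "--unshare-net" not in opts:
        problems.append("network namespace is shared: --unshare-all missing")
    if "--share-net" in opts:
        problems.append("--share-net re-enables network access")
    if "--die-with-parent" not in opts:
        problems.append("--die-with-parent missing: sandbox can outlive caller")
    writable = ("--bind", "--bind-try", "--dev-bind", "--dev-bind-try")
    for i, tok in enumerate(opts):
        if tok in writable and i + 2 < len(opts) and opts[i + 2] not in writable_ok:
            problems.append(f"writable mount {opts[i + 1]} -> {opts[i + 2]}")
    return problems


if __name__ == "__main__":
    print("handlers for application/postscript:",
          thumbnailers_for("application/postscript", SAMPLE_THUMBNAILERS))
    entry = parse_thumbnailer(SAMPLE_THUMBNAILERS["evince.thumbnailer"])
    cmd = build_sandbox_argv(entry["exec"], "/home/user/Downloads/evil.ps",
                             "/tmp/thumb.png")
    print(shlex.join(cmd))
    print("policy problems:", sandbox_violations(cmd))
```

Run as a script it prints which sample entries claim application/postscript and the bwrap command line it would use; to actually spawn the helper, create the empty output file and hand the list to subprocess.run with a timeout (a looping PostScript job should not hang the desktop). sandbox_violations() can equally be pointed at a live command line copied from ps, which is the quickest way to confirm that a thumbnailer on a running system really was started with --unshare-all and no writable mounts beyond its output.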

Information forwarded to bug-guix <at> gnu.org:
bug#32515; Package guix. (Fri, 09 Apr 2021 18:49:01 GMT)

Message #22 received at 32515 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: 32515 <at> debbugs.gnu.org, maximedevos <at> telenet.be
Subject: Re: bug#32515: GNOME thumbnailing code execution vulnerabilities.
Date: Fri, 9 Apr 2021 14:48:15 -0400
[Message part 1 (text/plain, inline)]
On Fri, Apr 09, 2021 at 03:51:21PM +0200, Maxime Devos wrote:
> Leo Famulari (26 Feb 2019) wrote:
> > Since this bug was filed, Ghostscript has received more scrutiny and
> > serious bugs continue to be found.
> 
> I assume you meant ‘fixed’.

I did not mean 'fixed'. As far as I know, no work was done in Guix about
this bug.

'filed' is definitely the correct interpretation; security researchers
ignored Postscript / Ghostscript for a very long time, but it became a
popular area of research a few years ago.

Basically, Ghostscript is a decades-old C codebase implementing an even
older language specification. Caveat emptor.

Unlike some other similar codebases, like OpenSSL, the situation
regarding security researchers and vulnerability disclosure has not
really improved, as far as I can tell :/


> The thumbnailer is run in a container, using bubblewrap and seccomp:
> 
> $ guix graph --type=references gnome-desktop
> > [snip]
> > "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" -> "/gnu/store/jsw78nn91z34z2cm227zwjhpybx2p2lw-bubblewrap-0.4.1" [color = darkseagreen];
> > "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" -> "/gnu/store/w668dl13dac6gpxvyhic21dnifrrijp6-libseccomp-2.5.1" [color = darkseagreen];
> > [snip]
> 
> $ EDITOR=less guix edit gnome-desktop
> > [snip]
> > ("bubblewrap" ,bubblewrap)
> > [snip]
> 
> $ cat ./libgnome-desktop/gnome-desktop-thumbnail-script.c:
> > [snip]
> > [an add_bwrap function with bind mounts and --unshare-all]
> > [a setup_seccomp function]
> > [snip]
> 
> Closing.

Great, looks like upstream took care of it for us. There will probably
be more bugs in this area, but that's expected.
[signature.asc (application/pgp-signature, inline)]

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 08 May 2021 11:24:04 GMT)



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.