bug#32515: GNOME thumbnailing code execution vulnerabilities.
From: Maxime Devos
Subject: bug#32515: GNOME thumbnailing code execution vulnerabilities.
Date: Fri, 09 Apr 2021 15:51:21 +0200
User-agent: Evolution 3.34.2
Leo Famulari (26 Feb 2019) wrote:
> Since this bug was filed, Ghostscript has received more scrutiny and
> serious bugs continue to be found.
I assume you meant ‘fixed’.
> [...]
> Barring that, we should keep our package up to date
ghostscript can be updated to 9.54
(https://ghostscript.com/download/gsdnld.html).
This will require grafts due to many depending packages.
However, looking at
https://bugs.ghostscript.com/buglist.cgi?order=Bug%20Number&product=Ghostscript&query_format=advanced&resolution=---&version=9.52&version=9.53.0&version=9.53.1&version=9.53.2&version=9.53.3&version=9.54.0
it seems there are no known security vulnerabilities.
evince can be updated from 3.36.5 to 40.0 according to "guix refresh",
that would be done in https://issues.guix.gnu.org/47643 I think.
> and try to make sure
> the GNOME thumbnailer and other "hidden" users of Ghostscript are run in
> containers.
The thumbnailer is run in a container, using bubblewrap and seccomp:
$ guix graph --type=references gnome-desktop
> [snip]
> "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" ->
> "/gnu/store/jsw78nn91z34z2cm227zwjhpybx2p2lw-bubblewrap-0.4.1" [color =
> darkseagreen];
> "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" ->
> "/gnu/store/w668dl13dac6gpxvyhic21dnifrrijp6-libseccomp-2.5.1" [color =
> darkseagreen];
> [snip]
$ EDITOR=less guix edit gnome-desktop
> [snip]
> ("bubblewrap" ,bubblewrap)
> [snip]
$ cat ./libgnome-desktop/gnome-desktop-thumbnail-script.c:
> [snip]
> [an add_bwrap function with bind mounts and --unshare-all]
> [a setup_seccomp function]
> [snip]
Closing.
Greetings,
Maxime.
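The message points at gnome-desktop's add_bwrap() (bind mounts plus --unshare-all) as the reason the thumbnailer is considered contained. The following is an added example written for this page, not code from the thread, from gnome-desktop or from Guix: a small POSIX sh wrapper that builds a bubblewrap argument vector in the same spirit and runs a thumbnailer on an untrusted file under it. The read-only directory list, the environment variable and the output-directory layout are assumptions for illustration, and the seccomp filter that gnome-desktop's setup_seccomp() adds via libseccomp is left out (bwrap would take it as a compiled BPF program on --seccomp FD).

```shell
#!/bin/sh
# Added example, not code from the bug thread or from gnome-desktop itself.
# Runs a thumbnailer on untrusted input under bubblewrap with:
#   --unshare-all      new user/PID/IPC/UTS/net namespaces (so no network)
#   --die-with-parent  the sandbox dies if the caller does
#   --new-session      no access to the caller's controlling terminal
# plus a read-only view of the host, a private /tmp and exactly one
# writable directory for the output thumbnail.

# Host directories made available read-only. Assumed layout; adjust to the
# distribution (a Guix system would bind /gnu/store instead).
SANDBOX_RO_DIRS="/usr /lib /lib64 /bin"

# Print the bwrap argument vector, one token per line. No side effects, so
# it can be inspected and checked without bwrap installed.
# Usage: bwrap_args INPUT_FILE OUTPUT_DIR
bwrap_args() {
  input="$1"
  output_dir="$2"

  printf '%s\n' --unshare-all --die-with-parent --new-session
  for d in $SANDBOX_RO_DIRS; do
    printf '%s\n' --ro-bind "$d" "$d"
  done
  # Fresh /proc and /dev, private tmpfs on /tmp (nothing from the host).
  printf '%s\n' --proc /proc --dev /dev --tmpfs /tmp
  # The untrusted input is visible read-only; only OUTPUT_DIR is writable.
  printf '%s\n' --ro-bind "$input" "$input"
  printf '%s\n' --bind "$output_dir" "$output_dir"
  printf '%s\n' --chdir /
  # Assumed environment for the sandboxed process: keep GIO local-only.
  printf '%s\n' --setenv GIO_USE_VFS local
}

# Number of tokens bwrap_args emits; useful as a sanity check in tests.
bwrap_arg_count() {
  bwrap_args "$1" "$2" | wc -l | tr -d ' '
}

# Run COMMAND... inside the sandbox. Paths are assumed whitespace-free,
# because the argument vector is rebuilt by word splitting below.
# Usage: run_thumbnailer_sandboxed INPUT_FILE OUTPUT_DIR COMMAND [ARGS...]
run_thumbnailer_sandboxed() {
  input="$1"
  output_dir="$2"
  shift 2
  command -v bwrap >/dev/null 2>&1 || {
    echo "bwrap not installed; refusing to run the thumbnailer unsandboxed" >&2
    return 127
  }
  # shellcheck disable=SC2046
  bwrap $(bwrap_args "$input" "$output_dir") "$@"
}

# Stand-alone use: ./sandbox.sh INPUT OUTPUT_DIR THUMBNAILER [ARGS...]
if [ "$#" -ge 3 ]; then
  run_thumbnailer_sandboxed "$@"
fi
```

The wrapper deliberately fails closed: if bwrap is missing it returns 127 rather than running the thumbnailer directly, which is the failure mode to watch for when a "hidden" Ghostscript user is assumed to be contained.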