In some configurations of the GNOME and KDE desktops (and maybe others), there is a remote code execution vulnerability via the Nautilus thumbnailing system, via Evince and Ghostscript:

"My colleague Jann Horn pointed out evince (which uses libgs, which is affected with some tweaks to the PoC) is used to generate previews in Nautilus, which means previews can trigger code execution (see /usr/share/thumbnailers/evince.thumbnailer). I think it's possible to trigger that via file automatic download in a browser just by visiting a URL, but I haven't tested it."

Our Evince package is configured with '--disable-nautilus'. Does this avoid the problem for us?

I'm not using a graphical GuixSD system so I can't test this easily. Can someone who is using GNOME on GuixSD poke around and let us know what they find?

Desktop thumbnailing is a convenient feature, so it would be good if it worked safely. Apparently GNOME is able to run the thumbnailer in a container; we should try to make sure that works.

http://seclists.org/oss-sec/2018/q3/143
https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/gnome.scm?id=16b0e8da48ef9398797a22e274d5fcb37e24e448#n743
https://bugs.launchpad.net/ubuntu/+source/bubblewrap/+bug/1709164
Since this bug was filed, Ghostscript has received more scrutiny and serious bugs continue to be found.

The recommendation of the researchers seems to be to disable and remove Ghostscript unless a Postscript interpreter is actually necessary.

Barring that, we should keep our package up to date and try to make sure the GNOME thumbnailer and other "hidden" users of Ghostscript are run in containers.

Is anyone willing to look into the GNOME thumbnailer?
On Fri, Apr 09, 2021 at 03:51:21PM +0200, Maxime Devos wrote:
> Leo Famulari (26 Feb 2019) wrote:
> > Since this bug was filed, Ghostscript has received more scrutiny and
> > serious bugs continue to be found.
>
> I assume you meant 'fixed'.
I did not mean 'fixed'. As far as I know, no work was done in Guix about this bug.

'filed' is definitely the correct interpretation; security researchers ignored PostScript / Ghostscript for a very long time, but it became a popular area of research a few years ago.

Basically, Ghostscript is a decades-old C codebase implementing an even older language specification. Caveat emptor.

Unlike some other similar codebases, like OpenSSL, the situation regarding security researchers and vulnerability disclosure has not really improved, as far as I can tell :/
> The thumbnailer is run in a container, using bubblewrap and seccomp:
>
> > $ guix graph --type=references gnome-desktop
> > [snip]
> > "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" -> "/gnu/store/jsw78nn91z34z2cm227zwjhpybx2p2lw-bubblewrap-0.4.1" [color = darkseagreen];
> > "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" -> "/gnu/store/w668dl13dac6gpxvyhic21dnifrrijp6-libseccomp-2.5.1" [color = darkseagreen];
> > [snip]
> > $ EDITOR=less guix edit gnome-desktop
> > [snip]
> > ("bubblewrap" ,bubblewrap)
> > [snip]
> > $ cat ./libgnome-desktop/gnome-desktop-thumbnail-script.c:
> > [snip]
> > [an add_bwrap function with bind mounts and --unshare-all]
> > [a setup_seccomp function]
> > [snip]
>
> Closing.
Great, looks like upstream took care of it for us. There will probably be more bugs in this area, but that's expected.
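The kind of confinement the thread lands on (bubblewrap with --unshare-all, a handful of bind mounts, and one writable scratch directory) can be applied to any thumbnailer or other "hidden" Ghostscript user, not only the one gnome-desktop wraps. The script below is an added example written for this page; it is not code from the Guix thread, from gnome-desktop's add_bwrap, or from Evince. It assumes a thumbnailer invoked as `<command> [options] <input> <output> <size>`, a read-only system prefix given by STORE_PREFIX (/gnu/store on Guix; /usr is the equivalent elsewhere), and it leaves out the seccomp filter that gnome-desktop layers on top, since bwrap's --seccomp option takes a compiled BPF program on a file descriptor, which is not something to build in a shell script.

```shell
#!/bin/sh
# Added example (not from the Guix thread or gnome-desktop): run a
# thumbnailer inside bubblewrap so that a crafted input file that gains
# code execution in the interpreter cannot reach the network, the home
# directory, other processes, or any host path except one scratch dir.
#
# Assumed (not stated on the page): the thumbnailer is invoked as
#   <command> [options] <input> <output> <size>
# STORE_PREFIX is the read-only prefix holding the program and its
# libraries.  On Guix some tools also need fonts or /etc/fonts; expose
# those with additional --ro-bind entries rather than widening anything.

STORE_PREFIX="${STORE_PREFIX:-/gnu/store}"

# Print one argument per line; used to inspect a policy without bwrap.
print_args() { printf '%s\n' "$@"; }

# Hand the complete bwrap argument list to the program named in $1
# ("bwrap" to actually run, "print_args" to review the policy).
#   $2 = host input file      $3 = host scratch dir mounted at /tmp/out
#   $4 = thumbnail size       $5.. = thumbnailer command and its options
sandbox_argv() {
    runner=$1 input=$2 outdir=$3 size=$4
    shift 4
    "$runner" \
        --unshare-all \
        --die-with-parent \
        --new-session \
        --ro-bind "$STORE_PREFIX" "$STORE_PREFIX" \
        --dev /dev \
        --proc /proc \
        --tmpfs /tmp \
        --ro-bind "$input" /tmp/in \
        --bind "$outdir" /tmp/out \
        --chdir /tmp/out \
        --setenv HOME /tmp/out \
        --setenv TMPDIR /tmp \
        --unsetenv DISPLAY \
        --unsetenv WAYLAND_DISPLAY \
        -- "$@" /tmp/in /tmp/out/thumb.png "$size"
}
# Notes on the policy:
#   --unshare-all     new user, pid, net, ipc, uts and cgroup namespaces;
#                     no network even if the interpreter is fully owned.
#   --die-with-parent no orphaned interpreter lingering after the caller.
#   --new-session     no controlling terminal, so no TIOCSTI injection.
#   --ro-bind input   the interpreter can read the file but never alter it.
#   --bind outdir     the only writable host location; the caller created
#                     it fresh and copies exactly one file back out.

# Produce PNG $2 from $1 at size $3 using the thumbnailer in $4..
# Returns non-zero if the sandboxed run failed or produced no output.
run_sandboxed_thumbnail() {
    input=$1 output=$2 size=$3
    shift 3
    outdir=$(mktemp -d) || return 1
    sandbox_argv bwrap "$input" "$outdir" "$size" "$@"
    status=$?
    if [ "$status" -eq 0 ] && [ -f "$outdir/thumb.png" ]; then
        mv "$outdir/thumb.png" "$output" || status=1
    elif [ "$status" -eq 0 ]; then
        status=1   # exited cleanly but wrote nothing: treat as failure
    fi
    rm -rf "$outdir"
    return "$status"
}

# Usage: sh sandbox-thumbnail.sh crafted.ps out.png 128 evince-thumbnailer -s 128
# With fewer than four arguments the script only defines the functions.
if [ "$#" -ge 4 ]; then
    run_sandboxed_thumbnail "$@"
fi
```

Reviewing the policy is as simple as `sandbox_argv print_args crafted.ps /tmp/scratch 128 evince-thumbnailer -s 128`, which is also the check to keep in CI so that nobody later adds `--share-net` or a writable bind of $HOME. Whether the real run works depends on which paths the particular thumbnailer needs; start from this list and add read-only binds until it produces a thumbnail, never writable ones.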