On Fri, Apr 09, 2021 at 03:51:21PM +0200, Maxime Devos wrote:
> Leo Famulari (26 Feb 2019) wrote:
> > Since this bug was filed, Ghostscript has received more scrutiny and
> > serious bugs continue to be found.
>
> I assume you meant ‘fixed’.

I did not mean 'fixed'. As far as I know, no work was done in Guix about
this bug. 'filed' is definitely the correct interpretation; security
researchers ignored postscript / Ghostscript for a very long time, but it
became a popular area of research a few years ago.

Basically, Ghostscript is a decades-old C codebase implementing an even
older language specification. Caveat emptor. Unlike some other similar
codebases, like OpenSSL, the situation regarding security researchers and
vulnerability disclosure has not really improved, as far as I can tell :/

> The thumbnailer is run in a container, using bubblewrap and seccomp:
>
> > $ guix graph --type=references gnome-desktop
> > [snip]
> > "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" -> "/gnu/store/jsw78nn91z34z2cm227zwjhpybx2p2lw-bubblewrap-0.4.1" [color = darkseagreen];
> > "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" -> "/gnu/store/w668dl13dac6gpxvyhic21dnifrrijp6-libseccomp-2.5.1" [color = darkseagreen];
> > [snip]
> > $ EDITOR=less guix edit gnome-desktop
> > [snip]
> > ("bubblewrap" ,bubblewrap)
> > [snip]
> > $ cat ./libgnome-desktop/gnome-desktop-thumbnail-script.c:
> > [snip]
> > [an add_bwrap function with bind mounts and --unshare-all]
> > [a setup_seccomp function]
> > [snip]
>
> Closing.

Great, looks like upstream took care of it for us. There will probably be
more bugs in this area, but that's expected.
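The thread points at gnome-desktop's add_bwrap function (bind mounts plus --unshare-all) as the mitigation for Ghostscript thumbnailer bugs. As an added illustration, not gnome-desktop's code and not part of this thread, the script below builds a bubblewrap command line following that pattern and audits it for the two ways such a sandbox is commonly weakened (network re-enabled, or a writable bind onto the host). The bwrap flags are real; the thumbnailer name, the input/output paths and the list of read-only system paths are constructed placeholders.

```python
#!/usr/bin/env python3
"""Added example (not gnome-desktop's add_bwrap): confine an untrusted
thumbnailer under bubblewrap with --unshare-all, read-only binds for the
system, the document exposed read-only, and a single writable output dir."""
import os
import shutil
import subprocess
from typing import List, Optional, Sequence

# Hypothetical read-only system paths a thumbnailer needs (libs, fonts).
DEFAULT_RO_PATHS = ("/usr", "/lib", "/lib64", "/etc/fonts", "/etc/ld.so.cache")

SANDBOX_INPUT = "/input"          # where the document appears inside the sandbox
SANDBOX_OUTPUT_DIR = "/output"    # the only host-backed writable path inside
SANDBOX_OUTPUT = SANDBOX_OUTPUT_DIR + "/thumbnail"


def build_sandbox_argv(thumbnailer_argv: Sequence[str], input_path: str,
                       output_dir: str,
                       ro_paths: Sequence[str] = DEFAULT_RO_PATHS) -> List[str]:
    """Return a bwrap argv. '%i' and '%o' in thumbnailer_argv are replaced by
    the sandbox-internal paths (the .thumbnailer Exec= placeholder convention),
    so the thumbnailer never sees, or needs, the real host paths."""
    if not (os.path.isabs(input_path) and os.path.isabs(output_dir)):
        raise ValueError("input_path and output_dir must be absolute")
    argv = [
        "bwrap",
        "--unshare-all",       # fresh user/pid/net/ipc/uts/cgroup namespaces
        "--die-with-parent",   # no orphaned sandbox if the caller dies
        "--new-session",       # detach from the caller's controlling terminal
        "--clearenv",          # do not leak the caller's environment
        "--setenv", "PATH", "/usr/bin:/bin",
        "--proc", "/proc",
        "--dev", "/dev",
        "--tmpfs", "/tmp",
        "--chdir", "/",
    ]
    for path in ro_paths:
        if os.path.exists(path):           # skip paths absent on this host
            argv += ["--ro-bind", path, path]
    argv += ["--ro-bind", input_path, SANDBOX_INPUT]     # document: read-only
    argv += ["--bind", output_dir, SANDBOX_OUTPUT_DIR]   # only writable host path
    argv += [a.replace("%i", SANDBOX_INPUT).replace("%o", SANDBOX_OUTPUT)
             for a in thumbnailer_argv]
    return argv


def sandbox_is_hardened(argv: Sequence[str], output_dir: str) -> bool:
    """Defensive check on a generated command line: the sandbox must unshare
    every namespace, must not re-enable the network, and must not grant
    write access to any host path other than output_dir."""
    if argv[:1] != ["bwrap"] or "--unshare-all" not in argv:
        return False
    if "--share-net" in argv:
        return False
    writable_opts = ("--bind", "--bind-try", "--dev-bind", "--dev-bind-try")
    for i, arg in enumerate(argv):
        if arg in writable_opts and argv[i + 1] != output_dir:
            return False
    return True


def run_sandboxed(argv: Sequence[str],
                  timeout: float = 30) -> Optional[subprocess.CompletedProcess]:
    """Execute the sandbox if bwrap is installed; return None otherwise.
    The timeout bounds a thumbnailer that loops or hangs on hostile input."""
    if shutil.which("bwrap") is None:
        return None
    return subprocess.run(list(argv), capture_output=True,
                          timeout=timeout, check=False)


if __name__ == "__main__":
    # Constructed inputs: a hypothetical PostScript thumbnailer and paths.
    cmd = build_sandbox_argv(["ps-thumbnailer", "-s", "128", "%i", "%o"],
                             "/home/alice/doc.ps", "/home/alice/.cache/out")
    print(" ".join(cmd))
    print("hardened:", sandbox_is_hardened(cmd, "/home/alice/.cache/out"))
    result = run_sandboxed(cmd)
    print("bwrap not installed" if result is None else f"exit {result.returncode}")
```

The audit function is the part worth keeping around: a sandbox wrapper tends to be correct on the day it is written and then quietly relaxed when someone adds `--share-net` for a "network thumbnailer" or a writable bind of `$HOME` to fix a bug report, which is exactly the kind of change that turns a Ghostscript parser bug back into a host compromise.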