Ghostscript and GNOME thumbnailing code execution vulnerabilities

Done. Submitted by Leo Famulari.
Details
3 participants
  • Leo Famulari
  • Ludovic Courtès
  • Maxime Devos
Owner
unassigned
Severity
normal
Leo Famulari wrote on 23 Aug 2018 23:01
GNOME thumbnailing code execution vulnerabilities
(address . bug-guix@gnu.org)
20180823210151.GA18406@jasmine.lan
In some configurations of the GNOME and KDE desktops (and maybe others), there is a remote code execution vulnerability via the Nautilus thumbnailing system, via Evince and Ghostscript:
"My colleague Jann Horn pointed out evince (which uses libgs, which is affected with some tweaks to the PoC) is used to generate previews in Nautilus, which means previews can trigger code execution (see /usr/share/thumbnailers/evince.thumbnailer). I think it's possible to trigger that via file automatic download in a browser just by visiting a URL, but I haven't tested it." [0]
Our Evince package is configured with '--disable-nautilus' [1]. Does this avoid the problem for us?
I'm not using a graphical GuixSD system so I can't test this easily. Can someone who is using GNOME on GuixSD poke around and let us know what they find?
Desktop thumbnailing is a convenient feature, so it would be good if it worked safely. Apparently GNOME is able to run the thumbnailer in a container [2]; we should try to make sure that works.
[0] http://seclists.org/oss-sec/2018/q3/143
[1] https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/gnome.scm?id=16b0e8da48ef9398797a22e274d5fcb37e24e448#n743
[2] https://bugs.launchpad.net/ubuntu/+source/bubblewrap/+bug/1709164

Ludovic Courtès wrote on 29 Aug 2018 22:33
control message for bug #32515
(address . control@debbugs.gnu.org)
871sagap5m.fsf@gnu.org
tags 32515 security
Leo Famulari wrote on 26 Feb 2019 00:37
(no subject)
(address . control@debbugs.gnu.org)
20190225233730.GA16892@jasmine.lan
retitle 32515 "Ghostscript and GNOME thumbnailing code execution vulnerabilities"
Leo Famulari wrote on 26 Feb 2019 00:39
Re: GNOME thumbnailing code execution vulnerabilities
(address . 32515@debbugs.gnu.org)
20190225233906.GA16808@jasmine.lan
Since this bug was filed, Ghostscript has received more scrutiny and serious bugs continue to be found.
The recommendation of the researchers seems to be to disable and remove Ghostscript unless a PostScript interpreter is actually necessary.
Barring that, we should keep our package up to date and try to make sure the GNOME thumbnailer and other "hidden" users of Ghostscript are run in containers.
Is anyone willing to look into the GNOME thumbnailer?

Leo Famulari wrote on 26 Feb 2019 00:39
(no subject)
(address . control@debbugs.gnu.org)
20190225233938.GA17000@jasmine.lan
retitle 32515 Ghostscript and GNOME thumbnailing code execution vulnerabilities
Maxime Devos wrote on 9 Apr 15:51 +0200
Re: GNOME thumbnailing code execution vulnerabilities.
(address . 32515-done@debbugs.gnu.org)
eab5115f9c793066da9f2146b265216a02580707.camel@telenet.be
Leo Famulari (26 Feb 2019) wrote:
> Since this bug was filed, Ghostscript has received more scrutiny and
> serious bugs continue to be found.
I assume you meant ‘fixed’.
> [...]
> Barring that, we should keep our package up to date
ghostscript can be updated to 9.54 (https://ghostscript.com/download/gsdnld.html). This will require grafts due to many depending packages. However, looking at https://bugs.ghostscript.com/buglist.cgi?order=Bug%20Number&product=Ghostscript&query_format=advanced&resolution=---&version=9.52&version=9.53.0&version=9.53.1&version=9.53.2&version=9.53.3&version=9.54.0 it seems there are no known security vulnerabilities.
evince can be updated from 3.36.5 to 40.0 according to "guix refresh", that would be done in https://issues.guix.gnu.org/47643 I think.
> and try to make sure
> the GNOME thumbnailer and other "hidden" users of Ghostscript are run in
> containers.
The thumbnailer is run in a container, using bubblewrap and seccomp:
$ guix graph --type=references gnome-desktop
> [snip]
> "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" -> "/gnu/store/jsw78nn91z34z2cm227zwjhpybx2p2lw-bubblewrap-0.4.1" [color = darkseagreen];
> "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" -> "/gnu/store/w668dl13dac6gpxvyhic21dnifrrijp6-libseccomp-2.5.1" [color = darkseagreen];
> [snip]
$ EDITOR=less guix edit gnome-desktop
> [snip]
> ("bubblewrap" ,bubblewrap)
> [snip]
$ cat ./libgnome-desktop/gnome-desktop-thumbnail-script.c:
> [snip]
> [an add_bwrap function with bind mounts and --unshare-all]
> [a setup_seccomp function]
> [snip]
Closing.
Greetings,
Maxime.

Closed
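One way to automate the first of the checks Maxime ran above (does gnome-desktop transitively reference bubblewrap and libseccomp?), as an added example that is not part of this thread or of Guix itself: a Python script that parses the DOT output of `guix graph --type=references` and walks the reference graph. The sample graph is constructed; it reuses the two edges quoted above and adds filler nodes with obviously fake store hashes.

```python
import re
from collections import deque

# Constructed sample of `guix graph --type=references gnome-desktop` output.
# The two bubblewrap/libseccomp edges are the ones quoted in the thread; the
# glib and libcap nodes are filler with fake (all 'x' / all 'y') store hashes.
SAMPLE_DOT = """\
digraph "Guix references" {
  "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" -> "/gnu/store/jsw78nn91z34z2cm227zwjhpybx2p2lw-bubblewrap-0.4.1" [color = darkseagreen];
  "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" -> "/gnu/store/w668dl13dac6gpxvyhic21dnifrrijp6-libseccomp-2.5.1" [color = darkseagreen];
  "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" -> "/gnu/store/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-glib-2.62.6" [color = darkseagreen];
  "/gnu/store/jsw78nn91z34z2cm227zwjhpybx2p2lw-bubblewrap-0.4.1" -> "/gnu/store/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy-libcap-2.31" [color = darkseagreen];
}
"""

EDGE_RE = re.compile(r'"([^"]+)"\s*->\s*"([^"]+)"')
# Store items look like /gnu/store/<hash>-<name>-<version>; the hash has no '-'.
STORE_RE = re.compile(r'^/gnu/store/[^-/]+-(.+?)-\d[^/]*$')

def package_name(store_path):
    """Map a store path to its package name, or return it unchanged."""
    m = STORE_RE.match(store_path)
    return m.group(1) if m else store_path

def parse_references(dot_text):
    """Adjacency map (store path -> set of referenced store paths)."""
    graph = {}
    for src, dst in EDGE_RE.findall(dot_text):
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())
    return graph

def reachable_names(dot_text, root_name):
    """Package names reachable (transitively) from every node named root_name."""
    graph = parse_references(dot_text)
    roots = [p for p in graph if package_name(p) == root_name]
    seen, queue = set(roots), deque(roots)
    while queue:
        for nxt in graph[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return {package_name(p) for p in seen} - {root_name}

def missing_sandbox_deps(dot_text, root_name, required=("bubblewrap", "libseccomp")):
    """Sandboxing dependencies that root_name does NOT reference (empty is good)."""
    found = reachable_names(dot_text, root_name)
    return [dep for dep in required if dep not in found]

if __name__ == "__main__":
    print("missing sandbox deps:", missing_sandbox_deps(SAMPLE_DOT, "gnome-desktop"))
```

On a real system, feed it `guix graph --type=references gnome-desktop` output instead of the constructed sample; an empty result only shows the dependencies are present, not that the thumbnailer code path actually uses them, which is what the source inspection above covers.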
Leo Famulari wrote on 9 Apr 20:48 +0200
Re: bug#32515: GNOME thumbnailing code execution vulnerabilities.
YHChb8uiuwtTQq/s@jasmine.lan
On Fri, Apr 09, 2021 at 03:51:21PM +0200, Maxime Devos wrote:
> Leo Famulari (26 Feb 2019) wrote:
> > Since this bug was filed, Ghostscript has received more scrutiny and
> > serious bugs continue to be found.
>
> I assume you meant ‘fixed’.
I did not mean 'fixed'. As far as I know, no work was done in Guix about this bug.
'filed' is definitely the correct interpretation; security researchers ignored PostScript / Ghostscript for a very long time, but it became a popular area of research a few years ago.
Basically, Ghostscript is a decades-old C codebase implementing an even older language specification. Caveat emptor.
Unlike some other similar codebases, like OpenSSL, the situation regarding security researchers and vulnerability disclosure has not really improved, as far as I can tell :/

> The thumbnailer is run in a container, using bubblewrap and seccomp:
>
> $ guix graph --type=references gnome-desktop
>
> [snip]
> "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" -> "/gnu/store/jsw78nn91z34z2cm227zwjhpybx2p2lw-bubblewrap-0.4.1" [color = darkseagreen];
> "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" -> "/gnu/store/w668dl13dac6gpxvyhic21dnifrrijp6-libseccomp-2.5.1" [color = darkseagreen];
> [snip]
>
> $ EDITOR=less guix edit gnome-desktop
>
> [snip]
> ("bubblewrap" ,bubblewrap)
> [snip]
>
> $ cat ./libgnome-desktop/gnome-desktop-thumbnail-script.c:
>
> [snip]
> [an add_bwrap function with bind mounts and --unshare-all]
> [a setup_seccomp function]
> [snip]
>
> Closing.
Great, looks like upstream took care of it for us. There will probably be more bugs in this area, but that's expected.
