Ghostscript and GNOME thumbnailing code execution vulnerabilities

Details
3 participants
  • Leo Famulari
  • Ludovic Courtès
  • Maxime Devos
Owner
unassigned
Submitted by
Leo Famulari
Severity
normal
Leo Famulari wrote on 23 Aug 2018 23:01
GNOME thumbnailing code execution vulnerabilities
(address . bug-guix@gnu.org)
20180823210151.GA18406@jasmine.lan
In some configurations of the GNOME and KDE desktops (and maybe others),
there is a remote code execution vulnerability via the Nautilus
thumbnailing system, via Evince and Ghostscript:

"My colleague Jann Horn pointed out evince (which uses libgs, which is
affected with some tweaks to the PoC) is used to generate previews in
Nautilus, which means previews can trigger code execution (see
/usr/share/thumbnailers/evince.thumbnailer). I think it's possible to
trigger that via file automatic download in a browser just by visiting a
URL, but I haven't tested it." [0]

Our Evince package is configured with '--disable-nautilus' [1]. Does
this avoid the problem for us?

I'm not using a graphical GuixSD system so I can't test this easily. Can
someone who is using GNOME on GuixSD poke around and let us know what
they find?

Desktop thumbnailing is a convenient feature, so it would be good if it
worked safely. Apparently GNOME is able to run the thumbnailer in a
container [2]; we should try to make sure that works.

[0]

[1]

[2]

Ludovic Courtès wrote on 29 Aug 2018 22:33
control message for bug #32515
(address . control@debbugs.gnu.org)
871sagap5m.fsf@gnu.org
tags 32515 security
Leo Famulari wrote on 26 Feb 2019 00:37
(no subject)
(address . control@debbugs.gnu.org)
20190225233730.GA16892@jasmine.lan
retitle 32515 "Ghostscript and GNOME thumbnailing code execution vulnerabilities"
Leo Famulari wrote on 26 Feb 2019 00:39
Re: GNOME thumbnailing code execution vulnerabilities
(address . 32515@debbugs.gnu.org)
20190225233906.GA16808@jasmine.lan
Since this bug was filed, Ghostscript has received more scrutiny and
serious bugs continue to be found.

The recommendation of the researchers seems to be to disable and remove
Ghostscript unless a PostScript interpreter is actually necessary.

Barring that, we should keep our package up to date and try to make sure
the GNOME thumbnailer and other "hidden" users of Ghostscript are run in
containers.

Is anyone willing to look into the GNOME thumbnailer?
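As an added example (not code from this thread, from Guix or from gnome-desktop), a small Python inventory that parses the `.thumbnailer` entries in a directory such as /usr/share/thumbnailers and reports which ones would hand PostScript or PDF input to a helper like evince-thumbnailer, i.e. the "hidden" Ghostscript users that the message above wants kept in containers. The sample entry contents and the MIME-type list are constructed assumptions, not copied from any host.

```python
import configparser
import tempfile
from pathlib import Path

# MIME types whose thumbnailing normally ends in a PostScript/PDF interpreter
# (libgs via evince-thumbnailer, or gs itself). Constructed, not exhaustive.
GS_MIME_TYPES = {"application/postscript", "application/pdf",
                 "application/x-gzpdf", "application/x-bzpdf", "image/x-eps"}


def parse_thumbnailer(text):
    """Parse one .thumbnailer file (freedesktop key-file syntax)."""
    cp = configparser.ConfigParser(interpolation=None)  # Exec uses %s/%u/%o
    cp.read_string(text)
    if not cp.has_section("Thumbnailer Entry"):
        return None
    entry = cp["Thumbnailer Entry"]
    mimes = [m for m in entry.get("MimeType", "").split(";") if m]
    return {"exec": entry.get("Exec", ""), "mime_types": mimes}


def ghostscript_reachable(thumbnailer_dir):
    """Map each .thumbnailer file to the PS/PDF MIME types it claims."""
    findings = {}
    for path in sorted(Path(thumbnailer_dir).glob("*.thumbnailer")):
        entry = parse_thumbnailer(path.read_text())
        if entry is None:
            continue
        risky = sorted(set(entry["mime_types"]) & GS_MIME_TYPES)
        if risky:
            findings[path.name] = risky
    return findings


# Constructed sample entries (hypothetical contents, not copied from a host).
SAMPLE_FILES = {
    "evince.thumbnailer": "[Thumbnailer Entry]\nTryExec=evince-thumbnailer\n"
    "Exec=evince-thumbnailer -s %s %u %o\n"
    "MimeType=application/pdf;application/postscript;image/x-eps;\n",
    "png.thumbnailer": "[Thumbnailer Entry]\nExec=convert %i %o\n"
    "MimeType=image/png;\n",
}


def demo():
    """Write the samples to a temp dir and run the inventory over them."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in SAMPLE_FILES.items():
            Path(d, name).write_text(body)
        return ghostscript_reachable(d)


if __name__ == "__main__":
    print(demo())
```

Running `ghostscript_reachable("/usr/share/thumbnailers")` on a real system lists the entries whose Exec helper should be confirmed to run under bubblewrap.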

Leo Famulari wrote on 26 Feb 2019 00:39
(no subject)
(address . control@debbugs.gnu.org)
20190225233938.GA17000@jasmine.lan
retitle 32515 Ghostscript and GNOME thumbnailing code execution vulnerabilities
Maxime Devos wrote on 9 Apr 2021 15:51
Re: GNOME thumbnailing code execution vulnerabilities.
(address . 32515-done@debbugs.gnu.org)
eab5115f9c793066da9f2146b265216a02580707.camel@telenet.be
Leo Famulari (26 Feb 2019) wrote:
> Since this bug was filed, Ghostscript has received more scrutiny and
> serious bugs continue to be found.

I assume you meant ‘fixed’.

> [...]
> Barring that, we should keep our package up to date

ghostscript can be updated to 9.54 (https://ghostscript.com/download/gsdnld.html).
This will require grafts due to many depending packages.
However, looking at
it seems there are no known security vulnerabilities.

evince can be updated from 3.36.5 to 40.0 according to "guix refresh";
that would be done in https://issues.guix.gnu.org/47643, I think.

> and try to make sure
> the GNOME thumbnailer and other "hidden" users of Ghostscript are run in
> containers.

The thumbnailer is run in a container, using bubblewrap and seccomp:

$ guix graph --type=references gnome-desktop
> [snip]
> "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" -> "/gnu/store/jsw78nn91z34z2cm227zwjhpybx2p2lw-bubblewrap-0.4.1" [color = darkseagreen];
> "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" -> "/gnu/store/w668dl13dac6gpxvyhic21dnifrrijp6-libseccomp-2.5.1" [color = darkseagreen];
> [snip]

$ EDITOR=less guix edit gnome-desktop
> [snip]
> ("bubblewrap" ,bubblewrap)
> [snip]

$ cat ./libgnome-desktop/gnome-desktop-thumbnail-script.c:
> [snip]
> [an add_bwrap function with bind mounts and --unshare-all]
> [a setup_seccomp function]
> [snip]

Closing.

Greetings,
Maxime.
Closed
Leo Famulari wrote on 9 Apr 2021 20:48
Re: bug#32515: GNOME thumbnailing code execution vulnerabilities.
YHChb8uiuwtTQq/s@jasmine.lan
On Fri, Apr 09, 2021 at 03:51:21PM +0200, Maxime Devos wrote:
> Leo Famulari (26 Feb 2019) wrote:
> > Since this bug was filed, Ghostscript has received more scrutiny and
> > serious bugs continue to be found.
>
> I assume you meant ‘fixed’.

I did not mean 'fixed'. As far as I know, no work was done in Guix about
this bug.

'filed' is definitely the correct interpretation; security researchers
ignored PostScript / Ghostscript for a very long time, but it became a
popular area of research a few years ago.

Basically, Ghostscript is a decades-old C codebase implementing an even
older language specification. Caveat emptor.

Unlike some other similar codebases, like OpenSSL, the situation
regarding security researchers and vulnerability disclosure has not
really improved, as far as I can tell :/


> The thumbnailer is run in a container, using bubblewrap and seccomp:
>
> $ guix graph --type=references gnome-desktop
> > [snip]
> > "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" -> "/gnu/store/jsw78nn91z34z2cm227zwjhpybx2p2lw-bubblewrap-0.4.1" [color = darkseagreen];
> > "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" -> "/gnu/store/w668dl13dac6gpxvyhic21dnifrrijp6-libseccomp-2.5.1" [color = darkseagreen];
> > [snip]
>
> $ EDITOR=less guix edit gnome-desktop
> > [snip]
> > ("bubblewrap" ,bubblewrap)
> > [snip]
>
> $ cat ./libgnome-desktop/gnome-desktop-thumbnail-script.c:
> > [snip]
> > [an add_bwrap function with bind mounts and --unshare-all]
> > [a setup_seccomp function]
> > [snip]
>
> Closing.

Great, looks like upstream took care of it for us. There will probably
be more bugs in this area, but that's expected.