From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: bug#32515: GNOME thumbnailing code execution vulnerabilities.
From: Leo Famulari
To: 32515@debbugs.gnu.org, maximedevos@telenet.be
Resent-CC: bug-guix@gnu.org
Date: Fri, 9 Apr 2021 14:48:15 -0400
References: <20180823210151.GA18406@jasmine.lan>
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: security

On Fri, Apr 09, 2021 at 03:51:21PM +0200, Maxime Devos wrote:
> Leo Famulari (26 Feb 2019) wrote:
> > Since this bug was filed, Ghostscript has received more scrutiny and
> > serious bugs continue to be found.
>
> I assume you meant ‘fixed’.

I did not mean 'fixed'. As far as I know, no work was done in Guix about
this bug.

'filed' is definitely the correct interpretation; security researchers
ignored PostScript / Ghostscript for a very long time, but it became a
popular area of research a few years ago.

Basically, Ghostscript is a decades-old C codebase implementing an even
older language specification. Caveat emptor.

Unlike some other similar codebases, like OpenSSL, the situation
regarding security researchers and vulnerability disclosure has not
really improved, as far as I can tell :/

> The thumbnailer is run in a container, using bubblewrap and seccomp:
>
> $ guix graph --type=references gnome-desktop
> > [snip]
> > "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" -> "/gnu/store/jsw78nn91z34z2cm227zwjhpybx2p2lw-bubblewrap-0.4.1" [color = darkseagreen];
> > "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" -> "/gnu/store/w668dl13dac6gpxvyhic21dnifrrijp6-libseccomp-2.5.1" [color = darkseagreen];
> > [snip]
>
> $ EDITOR=less guix edit gnome-desktop
> > [snip]
> > ("bubblewrap" ,bubblewrap)
> > [snip]
>
> $ cat ./libgnome-desktop/gnome-desktop-thumbnail-script.c:
> > [snip]
> > [an add_bwrap function with bind mounts and --unshare-all]
> > [a setup_seccomp function]
> > [snip]
>
> Closing.

Great, looks like upstream took care of it for us. There will probably
be more bugs in this area, but that's expected.