In some configurations of the GNOME and KDE desktops (and maybe others), there is a remote code execution vulnerability via the Nautilus thumbnailing system, via Evince and Ghostscript:
"My colleague Jann Horn pointed out evince (which uses libgs, which is affected with some tweaks to the PoC) is used to generate previews in Nautilus, which means previews can trigger code execution (see /usr/share/thumbnailers/evince.thumbnailer). I think it's possible to trigger that via file automatic download in a browser just by visiting a URL, but I haven't tested it." [0] Our Evince package is configured with '--disable-nautilus' [1]. Does this avoid the problem for us? I'm not using a graphical GuixSD system so I can't test this easily. Can someone who is using GNOME on GuixSD poke around and let us know what they find? Desktop thumbnailing is a convenient feature, so it would be good if it worked safely. Apparently GNOME is able to run the thumbnailer in a container [2]; we should try to make sure that works. [0] http://seclists.org/oss-sec/2018/q3/143 [1] https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/gnome.scm?id=16b0e8da48ef9398797a22e274d5fcb37e24e448#n743 [2] https://bugs.launchpad.net/ubuntu/+source/bubblewrap/+bug/1709164
signature.asc
Description: PGP signature
