Source: papers
Severity: normal
X-Debbugs-Cc: [email protected], [email protected], Jamie Strandboge <[email protected]>
Control: affects -1 + src:apparmor

Similar to the corresponding bug in src:evince, the papers package (which replaces evince as upstream GNOME's document viewer) has a downstream-added AppArmor profile, heavily based on the one for evince, which originated in Ubuntu.

In theory the benefit of this profile (if I'm guessing the history correctly) is that it mitigates security vulnerabilities that might exist in poppler and similar libraries, making it harder for an attacker to exploit those vulnerabilities by supplying a crafted PDF/Postscript/etc. document. However, as with src:evince, in practice there are sandbox escapes that would allow an attacker to bypass it, so at best it makes attacks more difficult.

Meanwhile, the cost of this profile is that any time papers or one of its dependencies needs to do something for its normal operation that the author of the profile didn't foresee, that feature will not work, in particular the recent addition of sandboxed image loaders (using glycin via gdk-pixbuf).

In papers' short history, we already have a couple of bugs that appear to be caused by the AppArmor profile: <https://bugs.debian.org/1120163>, <https://bugs.debian.org/1099688>. I'm sure there are more, they just haven't been reported yet.

Just like evince, I'm now questioning whether the benefit of the AppArmor profile is worth its cost. Would we be better off without it?

smcv

