oss-sec mailing list archives
Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961)
From: Ian Zimmerman <itz () very loosely org>
Date: Wed, 10 Oct 2018 08:49:35 -0700
On 2018-10-10 14:53, Hanno Böck wrote:
> evince installs a thumbnail entry to /usr/share/thumbnailers.
>
> This is a generic location where applications can install files (I believe they follow the .desktop specification, which is an ini-based format). This is thus not nautilus-specific, but every filemanager that uses this format will be affected. A quick googling tells me e.g. pcmanfm is also affected. I'm not sure if dolphin uses them as well.
It seems to be a bug that this directory is under /usr/share, and not under /etc where admins could modify it to selectively disable things.

I checked and there is no parallel /etc/thumbnailers directory to drop overriding entries into - though maybe ~/.local/share/thumbnailers would work? But already the fact that I have to guess is a bug :-(

By the way, on fedora the /usr/share/thumbnailers entry indeed does belong to the evince package, but there is a separate evince-nautilus package and its description says:

: This package contains the evince extension for the nautilus file manager.
: It adds an additional tab called "Document" to the file properties dialog.

Do you think that removing evince-nautilus would eliminate the nautilus attack vector at least?

--
Please don't Cc: me privately on mailing lists and Usenet, if you also post the followup to the list or newsgroup. To reply privately _only_ on Usenet and on broken lists which rewrite From, fetch the TXT record for no-use.mooo.com.
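An added example, not part of the original message or of any project named in it: a small audit that lists which installed thumbnailer entries register PostScript MIME types, so an admin can see what a file manager would hand to a Ghostscript-backed helper. It scans the two directories mentioned above; the set of MIME types flagged and the sample entry are assumptions constructed for illustration.

```python
import configparser
from pathlib import Path

# Assumption: MIME types treated as PostScript-like for this audit.
POSTSCRIPT_TYPES = frozenset({"application/postscript", "image/x-eps"})

# Constructed sample in the ini-style "[Thumbnailer Entry]" layout.
SAMPLE_ENTRY = """\
[Thumbnailer Entry]
TryExec=example-thumbnailer
Exec=example-thumbnailer -s %s %u %o
MimeType=application/pdf;application/postscript;image/x-eps;
"""


def parse_entry(text):
    """Return (exec_line, mime_types) or None if text is not a thumbnailer entry."""
    # interpolation=None: Exec lines contain %s/%u/%o, which must stay literal.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case (MimeType, Exec) as written
    try:
        cp.read_string(text)
        section = cp["Thumbnailer Entry"]
    except (configparser.Error, KeyError):
        return None
    raw = section.get("MimeType", "")
    mimes = {m.strip() for m in raw.split(";") if m.strip()}
    return section.get("Exec", ""), mimes


def audit(directories, risky=POSTSCRIPT_TYPES):
    """Return [(path, exec_line, matched_types)] for entries handling risky types."""
    findings = []
    for directory in map(Path, directories):
        if not directory.is_dir():
            continue  # e.g. no per-user thumbnailers directory
        for entry in sorted(directory.glob("*.thumbnailer")):
            parsed = parse_entry(entry.read_text(errors="replace"))
            if parsed is None:
                continue
            exec_line, mimes = parsed
            matched = sorted(mimes & risky)
            if matched:
                findings.append((str(entry), exec_line, matched))
    return findings


if __name__ == "__main__":
    dirs = ["/usr/share/thumbnailers", Path.home() / ".local/share/thumbnailers"]
    for path, exec_line, matched in audit(dirs):
        print(f"{path}: {', '.join(matched)} -> {exec_line}")
```

Whether an entry under ~/.local/share/thumbnailers takes precedence over the system one is not established in this message, so the script only reports what each directory contains.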