oss-sec mailing list archives

Re: note on gnome shell extensions


From: Kurt Seifried <kseifried () redhat com>
Date: Sat, 08 Sep 2012 18:14:10 -0600

On 09/08/2012 04:36 PM, Tavis Ormandy wrote:
> List, I just installed Fedora 17 on a workstation. While
> researching how to upgrade gnome 3 to version 2, I noticed it
> installed a browser extension called "Gnome Shell Integration".
>
> $ rpm -qf /usr/lib64/mozilla/plugins/libgnome-shell-browser-plugin.so
> gnome-shell-3.4.1-5.fc17.x86_64
>
> The NPPVpluginDescriptionString states "It can be used only by
> extensions.gnome.org", but I happen to know that is a tricky thing
> to get right.

Erk yeah not good.

> The plugin incorrectly trusted hostname, and initialized. As far as
> I can tell, the plugin will let you install new shell extensions, I
> don't know what the impact of that is, can they contain native
> code?
>
> Tavis.

Good news: In theory at least Gnome shell extensions are only
JavaScript and (optional) CSS using the Gjs bindings, the JavaScript
itself is run using SpiderMonkey. So no native code execution as far
as I know.

Bad news: It looks like it has bindings to run command lines from
within a Gnome Shell Extension:

http://developer.gnome.org/glibmm/unstable/group__Spawn.html
http://stackoverflow.com/questions/9606404/gnome-shell-extensions-stdout-from-glib-iochannel

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
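
Added example, not part of the original message or of GNOME's code: a small Python audit that reports which installed shell extensions call process-spawning bindings, the capability noted in the reply above. The API name pattern and the sample extension source are assumptions constructed for this example; the scanned path is the per-user extensions directory.

```python
import json
import re
from pathlib import Path

# Process-spawning entry points reachable from GJS: GLib/Gio bindings and
# gnome-shell's imports.misc.util helpers. Assumed list, not exhaustive.
SPAWN_RE = re.compile(
    r"\b(?:GLib\.spawn_\w+|Gio\.Subprocess\w*|Util\.(?:trySpawn|spawn)\w*)"
)

def scan_source(text):
    """Return (line_number, matched_call) for each spawn-style call in JS text."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("//"):
            continue  # skip whole-line comments
        hits += [(no, m.group(0)) for m in SPAWN_RE.finditer(line)]
    return hits

def scan_extensions(root):
    """Map extension uuid -> [(relative file, line, call)] for one extensions dir."""
    report = {}
    for meta in sorted(Path(root).glob("*/metadata.json")):
        ext_dir = meta.parent
        try:
            uuid = json.loads(meta.read_text(encoding="utf-8")).get("uuid", ext_dir.name)
        except (OSError, ValueError, AttributeError):
            uuid = ext_dir.name  # unreadable metadata: fall back to directory name
        found = []
        for js in sorted(ext_dir.rglob("*.js")):
            src = js.read_text(encoding="utf-8", errors="replace")
            found += [(str(js.relative_to(ext_dir)), no, call)
                      for no, call in scan_source(src)]
        if found:
            report[uuid] = found
    return report

# Constructed sample, not taken from any real extension.
SAMPLE_JS = """\
const GLib = imports.gi.GLib;
// GLib.spawn_command_line_sync('ignored: this is a comment')
function enable() {
    let [ok, out] = GLib.spawn_command_line_sync('uname -r');
    Util.spawn(['gnome-terminal']);
}
"""

if __name__ == "__main__":
    print(scan_source(SAMPLE_JS))
    print(scan_extensions(Path.home() / ".local/share/gnome-shell/extensions"))
```

A hit only means the extension can start a process; the matched line still has to be read to see what it runs.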
