oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: note on gnome shell extensions

From: Tavis Ormandy <taviso () cmpxchg8b com>
Date: Thu, 13 Sep 2012 17:39:57 +0200
On Mon, Sep 10, 2012 at 02:48:38PM -0600, Vincent Danen wrote:

* [2012-09-08 18:14:10 -0600] Kurt Seifried wrote:
SUSE has some interesting info in their bug:

https://bugzilla.novell.com/show_bug.cgi?id=779473#c4

By the sounds of it, this should be harmless.  Vincent Untz says that
the browser plugin doesn't actually install the extensions, it's passed
to another process via a dbus call to gnome-shell, which sends the uuid
of the extension to the extensions.gnome.org web site in order to
download the extension.

See:

http://git.gnome.org/browse/gnome-shell/tree/js/ui/shellDBus.js#n305
http://git.gnome.org/browse/gnome-shell/tree/js/ui/extensionDownloader.js#n27

which is:

let message = Soup.form_request_new_from_hash('GET', REPOSITORY_URL_INFO, params);

And REPOSITORY_URL_INFO is hardcoded earlier:

const REPOSITORY_URL_BASE = 'https://extensions.gnome.org&apos;;
const REPOSITORY_URL_DOWNLOAD = REPOSITORY_URL_BASE + '/download-extension/%s.shell-extension.zip';
const REPOSITORY_URL_INFO     = REPOSITORY_URL_BASE + '/extension-info/';
const REPOSITORY_URL_UPDATE   = REPOSITORY_URL_BASE + '/update-info/';

I don't think this is something that can be exploited, based on the
above.


Not sure I follow the logic, can't I just upload something malicious to
extensions.gnome.org and then force you to download it? I mean, I can
try it if you're not convinced it's possible.

They surely do not have a magical technique for determining if my code
is or can become malicious.

Tavis.

-- 
-------------------------------------
taviso () cmpxchg8b com | pgp encrypted mail preferred
-------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: