Recently a GNOMEr pointed me to a blog post from someone that found a security issue with a thumbnailer called gnome-exe-thumbnailer which tries to thumbnail MSI files and parses VBScripts using Wine, and unfortunately it allowed execution of random code.
How thumbnailers works is that we allow libraries to register as thumbnailers to be used by our generic thumbnailing framework, and although they are out of process, they are not sandboxed. You can understand this issue as if it would be a plugin that has a security flaw.
This would have been a regular CVE in gnome-exe-thumbnailer and world would have move on, however the problem came when the author pointed out the fix was “Don’t use GNOME Files” and the framing of the blog post was, from my point of vision, misleading.
In reality this affect anyone using this thumbnailer, including MATE, XFCE, etc., the project has nothing to do with GNOME, we have never heard of it, and some distributions don’t even have it in their repositories (in this case I checked RHEL and Fedora and they don’t have it). I also find quite disrespectful towards whoever wrote that library to not raise a bug privately, and instead made a public blog post.
The CVE in question, named “Bad Taste” (with even a logo(!) of a wine glass) can be found here.
Does this affects me?
Probably not, since you would have need to install this library on purpose and also use a distribution like Debian/Ubuntu (so far what I checked) that includes it.
However be careful if you do since quite a few programs would use that thumbnailer, including Totem, Eye of GNOME, etc. and there is no way to disable thumbnailing on those (ironically Nautilus does allow to disable thumbnailing).
Uninstall gnome-exe-thumbnailer :). You can still use Nautilus.
Can GNOME do something?
Yes. We can sandbox thumbnailers (with the same technology as Flatpak, called bwrap). Work is actually almost done over the last 6 months, and hopefully will be merged and relesed soon.
This is also a reminder to all of us that we should move to a world of more sandboxed applications and plugins. This is actually one of the top priority items for us. In that front we have been working hard and pushing as much as we can with Flatpak to create a world of sandboxed apps. If you are interested on the security side of applications, you are welcome to help us shaping the future of it.
In conclusion, it takes 2 minutes to contact any of us and verify your statements/blog post/tech news. Please do, before posting.
As a take away, grab this mojito🍹 and fix the “Bad Taste” 😉