Clarification on a recent security flaw on a thumbnailer

Recently a GNOMEr pointed me to a blog post by someone who found a security issue in a thumbnailer called gnome-exe-thumbnailer, which tries to thumbnail MSI files and parses VBScripts using Wine. Unfortunately, it allowed execution of arbitrary code.

The way thumbnailers work is that we allow libraries to register as thumbnailers to be used by our generic thumbnailing framework, and although they run out of process, they are not sandboxed. You can think of this issue as a plugin that has a security flaw.

This would have been a regular CVE in gnome-exe-thumbnailer and the world would have moved on. However, the problem came when the author pointed out that the fix was “Don’t use GNOME Files”, and the framing of the blog post was, from my point of view, misleading.

In reality this affects anyone using this thumbnailer, including MATE, XFCE, etc. The project has nothing to do with GNOME, we have never heard of it, and some distributions don’t even have it in their repositories (in this case I checked RHEL and Fedora and they don’t have it). I also find it quite disrespectful towards whoever wrote that library not to raise a bug privately and instead make a public blog post.

The CVE in question, named “Bad Taste” (with even a logo(!) of a wine glass) can be found here.

Does this affect me?

Probably not, since you would have needed to install this library on purpose and also use a distribution like Debian/Ubuntu (as far as I have checked) that includes it.

However, be careful if you do, since quite a few programs use that thumbnailer, including Totem, Eye of GNOME, etc., and there is no way to disable thumbnailing in those (ironically, Nautilus does allow you to disable thumbnailing).
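To see which thumbnailers are registered on a machine and which file types trigger them, the following added example (not code from GNOME or from gnome-exe-thumbnailer) reads the `.thumbnailer` key files that thumbnailers install. The directory list is an assumption about a typical layout, the function names are hypothetical, and the sample entry is constructed.

```python
import configparser
from pathlib import Path

# Assumed locations: the system data directories plus the per-user one.
THUMBNAILER_DIRS = [
    Path("/usr/share/thumbnailers"),
    Path("/usr/local/share/thumbnailers"),
    Path.home() / ".local/share/thumbnailers",
]

# Constructed sample entry, not copied from any real package.
SAMPLE = """[Thumbnailer Entry]
TryExec=example-thumbnailer
Exec=example-thumbnailer -s %s %u %o
MimeType=application/x-msi;application/x-ms-dos-executable;
"""

def parse_thumbnailer(text):
    """Return (exec_line, [mime types]) for one key file, or None if malformed."""
    # Interpolation must be off: Exec lines carry %s, %u and %o placeholders.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written (Exec, MimeType)
    try:
        cp.read_string(text)
        entry = cp["Thumbnailer Entry"]
    except (configparser.Error, KeyError):
        return None
    mimes = [m.strip() for m in entry.get("MimeType", "").split(";") if m.strip()]
    return entry.get("Exec", ""), mimes

def handlers_by_mime(dirs=THUMBNAILER_DIRS):
    """Map each MIME type to the commands run when such a file is thumbnailed."""
    index = {}
    for d in dirs:
        if not d.is_dir():
            continue
        for f in sorted(d.glob("*.thumbnailer")):
            parsed = parse_thumbnailer(f.read_text(errors="replace"))
            if parsed is None:
                continue
            exec_line, mimes = parsed
            for mime in mimes:
                index.setdefault(mime, []).append((f.name, exec_line))
    return index

if __name__ == "__main__":
    for mime, handlers in sorted(handlers_by_mime().items()):
        for name, exec_line in handlers:
            print(f"{mime}\t{name}\t{exec_line}")
```

Any MIME type in the output whose handler you do not recognise or need is a candidate for removing the package that installed it.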

The fix

Uninstall gnome-exe-thumbnailer :). You can still use Nautilus.

Can GNOME do something?

Yes. We can sandbox thumbnailers (with the same technology Flatpak uses, called bwrap). Work on this has been going on for the last 6 months and is almost done, and hopefully it will be merged and released soon.

This is also a reminder to all of us that we should move to a world of more sandboxed applications and plugins. This is actually one of the top priority items for us. On that front we have been working hard and pushing as much as we can with Flatpak to create a world of sandboxed apps. If you are interested in the security side of applications, you are welcome to help us shape the future of it.

In conclusion, it takes 2 minutes to contact any of us and verify your statements/blog post/tech news. Please do, before posting.

As a take away, grab this mojito🍹 and fix the “Bad Taste” 😉

8 thoughts on “Clarification on a recent security flaw on a thumbnailer”

  1. Hope a more structured extension API is drafted for gnome-shell so that many of the extensions can be sandboxed in the future. Look at what people created over the years, sort by popularity and design the api with that in mind. Migrate once enough extensions have been ported over similar to how control center has been handled.

      1. “This is also a reminder to all of us that we should move to a world of more sandboxed applications and plugins. This is actually one of the top priority items for us. In that front we have been working hard and pushing as much as we can with Flatpak to create a world of sandboxed apps. If you are interested on the security side of applications, you are welcome to help us shaping the future of it.”
