Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 08 Sep 2012 18:14:10 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Tavis Ormandy <taviso@...xchg8b.com>
Subject: Re: note on gnome shell extensions

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/08/2012 04:36 PM, Tavis Ormandy wrote:
> List, I just installed Fedora 17 on a workstation. While
> researching how to upgrade gnome 3 to version 2, I noticed it
> installed a browser extension called "Gnome Shell Integration".
> 
> $ rpm -qf
> /usr/lib64/mozilla/plugins/libgnome-shell-browser-plugin.so 
> gnome-shell-3.4.1-5.fc17.x86_64
> 
> The NPPVpluginDescriptionString states "It can be used only by 
> extensions.gnome.org", but I happen to know that is a tricky thing
> to get right.

Erk yeah not good.

> The plugin incorrectly trusted hostname, and initialized. As far as
> I can tell, the plugin will let you install new shell extensions, I
> don't know what the impact of that is, can they contain native
> code?
> 
> Tavis.

Good news: In theory at least Gnome shell extensions are only
JavaScript and (optional) CSS using the Gjs bindings, the JavaScript
itself is run using SpiderMonkey. So no native code execution as far
as I know.

Bad news: It looks like it has bindings to run command lines from
within a Gnome Shell Extensions:

http://developer.gnome.org/glibmm/unstable/group__Spawn.html
http://stackoverflow.com/questions/9606404/gnome-shell-extensions-stdout-from-glib-iochannel

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQS99SAAoJEBYNRVNeJnmTvRYP/1QQ/qjU6nxj+zMqQrYungID
B0bhjhEz1HLWqgawKHEd2DlAMwBWXD0WmCiJEI6PONRQscp7N3+t5W9aoDwuKXwt
fHu9MX74WdBnMMKYTb/irvzIgeTmmfIgcLTXqlruZU9UkpH2xUBAmFv0K/y1Dlvm
sdVJAPWl/OtgPMh97mb/sRAm0ZBh/98MGGE5wjV/4Vy7/J8sxLKlwjEqYZZeDz9y
af7idH8+fCSeN3s8o1AVsFn9TBMyXXKuMv0RNJnKp4B7oF3EGQt+clHQM95b567Y
pF/vZSf+O0a23uqqXNllPlr5HQLqOfMFhNsiT70QjWDknfxAw6Z3DxtsTQ8I1Xb0
v+z73jjGAaJTISSkn6f1BZ9SA0V5o92AqzvlXQy1CZfDjJPrCPIM29vOsnGJcVkx
XJ6Cyl1HI0N+70qTRmBoSdYcamIz7oK+4x9mLA4ThDCyHCrhhr80iAab2MwHFkGi
F3UXTOg+kn9nW1b2qBjd+TV5KVMy/Im+HqZBfhtg6uSRcO1mrvzk8fRQENdGqaN/
4wc03phWzHJR15K2RSLVRAca442SZx7wbEDrb+9bAtHXzvbg/3VH+VhtWchKlcYj
lF2PgaeR/pz7W59k2HpjXXqmRorXToMXPguDyyBzve7s2+mlsos8corD6vnBEwCX
HHFgSi+B1flhyLj1ZRqq
=YjRJ
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.