Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 10 Oct 2018 08:46:05 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com,
        Hanno Böck
 <hanno@...eck.de>
Subject: Re: ghostscript: bypassing executeonly to escape
 -dSAFER sandbox (CVE-2018-17961)

On 10/10/18 05:53 AM, Hanno Böck wrote:
> Nautilus is trying to solve this by sandboxing the thumbnailers.
> However this depends on bubblewrap and is currently fail-open, i.e. if
> bubblewrap is not available it will not disable the thumbnailing, it
> will just not sandbox it. In practice this means it's often not
> sandboxed. I doubt this will change any time soon.

And bubblewrap is very specific to running on a Linux kernel, so users
of GNOME on top of other kernels are also left unprotected by it.

-- 
	-Alan Coopersmith-               alan.coopersmith@...cle.com
	 Oracle Solaris Engineering - https://blogs.oracle.com/alanc

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.