** Tags added: bionic disco

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-desktop3 in Ubuntu.
https://bugs.launchpad.net/bugs/715874

Title:
  gnome thumbnailers should have an apparmor profile

Status in gnome-desktop3 package in Ubuntu:
  Triaged
Status in gnome-utils package in Ubuntu:
  Triaged
Status in totem package in Ubuntu:
  Triaged

Bug description:
  Binary package hint: gnome-control-center

  Nautilus normally uses gnome-thumbnail-font to provide font previews. Eg:

  $ gconftool-2 -g /desktop/gnome/thumbnailers/application@x-font-ttf/enable
  true
  $ gconftool-2 -g /desktop/gnome/thumbnailers/application@x-font-ttf/command
  gnome-thumbnail-font %u %o

  If a flaw is discovered in a font library or Gnome and a user navigates to a directory that has a malicious font file, gnome-thumbnail-font could be used to execute arbitrary code, write out to files or leak information. Providing an apparmor profile for gnome-thumbnail-font would be a good step towards proactively protecting the user from this sort of attack.

  The same can be said for other thumbnailers. Nautilus also uses totem-video-thumbnail and evince-thumbnailer (evince-thumbnailer has an apparmor profile already). For images, nautilus uses gdk-pixbuf routines via gnome-desktop, but these can be altered to use evince-thumbnailer by installing schema files for the various image mime-types and updating gnome-desktop to not fall back to gdk-pixbuf on thumbnail script error.
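
An added example (not part of the bug report or of any Ubuntu package): a small Python check for the gap the description points at, listing registered thumbnailer commands that have no AppArmor profile attached. The command table and the policy text are constructed samples, and matching a bare command name against the basename of a profile's attachment path is a simplifying assumption.

```python
import os
import shlex

# Constructed sample: thumbnailer commands keyed the way the gconf paths above
# name them (MIME type with "@" in place of "/"). Only the font entry is from the report.
THUMBNAILER_COMMANDS = {
    "application@x-font-ttf": "gnome-thumbnail-font %u %o",
    "video@mpeg": "totem-video-thumbnail %u %o",
    "application@pdf": "evince-thumbnailer %u %o",
}

# Constructed sample of AppArmor policy text (on a real system this would be
# the concatenated contents of the profile files under /etc/apparmor.d).
SAMPLE_POLICY = """
#include <tunables/global>
/usr/bin/evince-thumbnailer {
  #include <abstractions/base>
}
profile example-named /usr/bin/some-helper flags=(complain) {
}
"""

def confined_paths(policy_text):
    """Return the executable paths that profile headers attach to."""
    paths = set()
    for line in policy_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and #include lines
        if not line.endswith("{"):
            continue  # not a profile header (rule lines end with ",")
        tokens = line[:-1].split()
        if tokens and tokens[0] == "profile":
            tokens = tokens[1:]  # skip the keyword; a name may still precede the path
        for tok in tokens:
            if tok.startswith("/"):  # first path-like token is the attachment
                paths.add(tok)
                break
    return paths

def unconfined_thumbnailers(commands, policy_text):
    """Map each thumbnailer key to its binary when no profile attaches to it."""
    attached = confined_paths(policy_text)
    names = {os.path.basename(p) for p in attached}
    missing = {}
    for key, command in sorted(commands.items()):
        argv0 = shlex.split(command)[0]
        # Absolute commands must match exactly; bare names match by basename (assumption).
        confined = argv0 in attached if argv0.startswith("/") else argv0 in names
        if not confined:
            missing[key] = argv0
    return missing

if __name__ == "__main__":
    for key, binary in unconfined_thumbnailers(THUMBNAILER_COMMANDS, SAMPLE_POLICY).items():
        print(f"{key}: {binary} has no AppArmor profile")
```

Profile attachments that use AppArmor globs are not expanded here; the check only recognises literal paths.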