Re: [DNG] VBScript Injection via GNOME Thumbnailer
On Tue, Jul 18, 2017 at 08:06:12AM +0200, Joachim Fahrner wrote:
> Another nice bug in Gnome:
> http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html

Actually, it turns out it's not a Gnome component:

Maintainer: Debian Wine Party
Current upstream: https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer
Original upstream: https://wiki.ubuntu.com/karmic-wine-integration

So the blame is misplaced.

-- 
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ A dumb species has no way to open a tuna can.
⢿⡄⠘⠷⠚⠋⠀ A smart species invents a can opener.
⠈⠳⣄⠀⠀⠀⠀ A master species delegates.

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] VBScript Injection via GNOME Thumbnailer
Hi,

Adam Borowski writes:

> On Wed, Jul 19, 2017 at 08:28:25PM +0900, Olaf Meeuwissen wrote:
>> Adam Borowski writes:
>>> On Tue, Jul 18, 2017 at 10:07:35PM +0200, Adam Borowski wrote:
>>>> Actually, imagemagick is one of the worst offenders here. The version in
>>>> Jessie is at deb8u9, and every security update tends to mention ~20 CVEs.
>>>
>>> ... and, just hours later, here comes deb8u10:
>>>
>>> # Package: imagemagick
>>> # CVE ID : CVE-2017-9439 CVE-2017-9440 CVE-2017-9500 CVE-2017-9501
>>> # CVE-2017-10928 CVE-2017-11141 CVE-2017-11170
>>> # CVE-2017-11360 CVE-2017-11188
>>> # Debian Bug : 863126 867367 867778 867721 864273 864274 867806 868264
>>> # 868184 867810 867808 867811 867812 867896 867798 867821
>>> # 867824 867825 867826 867893 867823 867894 867897
>>
>> Totally untested, but you might try to replace imagemagick with
>> graphicsmagick. It's at deb8u ;-)

My bad, graphicsmagick is at deb8u2. Are the security conscious just
picking on imagemagick, or is graphicsmagick less susceptible? Dunno.

> It's a fork, so it suffers from the same vulnerabilities as imagemagick. It
> might get better only after someone rewrites everything from scratch (in
> which case there'll be a whole new set of bugs).

Devuan is a fork of Debian. I think we both agree that the former suffers
at least one problem less than the latter ;-)

By the same or at least a very similar token, I would hope that perhaps
graphicsmagick suffers from a few less vulnerabilities than imagemagick.
True, I have no hard data to back that up. It was just a suggestion.

I've used the CLI and library C/C++ APIs of both in the past, and through
that have developed a better opinion of graphicsmagick. It was forked
15(!) years ago. ImageMagick has had a reputation of willy-nilly changing
CLI and library APIs as well as image processing results between versions.
GraphicsMagick has on the whole been a lot more stable in that respect, so
I would *guess* that its developers have been able to shake out most
vulnerabilities over the years without introducing many new ones.

Just a thought,
-- 
Olaf Meeuwissen, LPIC-2            FSF Associate Member since 2004-01-27
 GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13 F43E B8A4 A88A F84A 2DD9
 Support Free Software                        https://my.fsf.org/donate
 Join the Free Software Foundation              https://my.fsf.org/join
Re: [DNG] VBScript Injection via GNOME Thumbnailer
On Wed, Jul 19, 2017 at 08:28:25PM +0900, Olaf Meeuwissen wrote:
> Adam Borowski writes:
>> On Tue, Jul 18, 2017 at 10:07:35PM +0200, Adam Borowski wrote:
>>> Actually, imagemagick is one of the worst offenders here. The version in
>>> Jessie is at deb8u9, and every security update tends to mention ~20 CVEs.
>>
>> ... and, just hours later, here comes deb8u10:
>>
>> # Package: imagemagick
>> # CVE ID : CVE-2017-9439 CVE-2017-9440 CVE-2017-9500 CVE-2017-9501
>> # CVE-2017-10928 CVE-2017-11141 CVE-2017-11170
>> # CVE-2017-11360 CVE-2017-11188
>> # Debian Bug : 863126 867367 867778 867721 864273 864274 867806 868264
>> # 868184 867810 867808 867811 867812 867896 867798 867821
>> # 867824 867825 867826 867893 867823 867894 867897
>
> Totally untested, but you might try to replace imagemagick with
> graphicsmagick. It's at deb8u ;-)

It's a fork, so it suffers from the same vulnerabilities as imagemagick. It
might get better only after someone rewrites everything from scratch (in
which case there'll be a whole new set of bugs).
Re: [DNG] VBScript Injection via GNOME Thumbnailer
Hi,

Adam Borowski writes:

> On Tue, Jul 18, 2017 at 10:07:35PM +0200, Adam Borowski wrote:
>> Actually, imagemagick is one of the worst offenders here. The version in Jessie
>> is at deb8u9, and every security update tends to mention ~20 CVEs.
>
> ... and, just hours later, here comes deb8u10:
>
> # Package: imagemagick
> # CVE ID : CVE-2017-9439 CVE-2017-9440 CVE-2017-9500 CVE-2017-9501
> # CVE-2017-10928 CVE-2017-11141 CVE-2017-11170
> # CVE-2017-11360 CVE-2017-11188
> # Debian Bug : 863126 867367 867778 867721 864273 864274 867806 868264
> # 868184 867810 867808 867811 867812 867896 867798 867821
> # 867824 867825 867826 867893 867823 867894 867897

Totally untested, but you might try to replace imagemagick with
graphicsmagick. It's at deb8u ;-)

Hope this helps,
Re: [DNG] VBScript Injection via GNOME Thumbnailer
On Tue, Jul 18, 2017 at 10:07:35PM +0200, Adam Borowski wrote:
> Actually, imagemagick is one of the worst offenders here. The version in Jessie
> is at deb8u9, and every security update tends to mention ~20 CVEs.

... and, just hours later, here comes deb8u10:

# Package: imagemagick
# CVE ID : CVE-2017-9439 CVE-2017-9440 CVE-2017-9500 CVE-2017-9501
# CVE-2017-10928 CVE-2017-11141 CVE-2017-11170
# CVE-2017-11360 CVE-2017-11188
# Debian Bug : 863126 867367 867778 867721 864273 864274 867806 868264
# 868184 867810 867808 867811 867812 867896 867798 867821
# 867824 867825 867826 867893 867823 867894 867897
#
# This update fixes several vulnerabilities in imagemagick: Various
# memory handling problems and cases of missing or incomplete input
# sanitising may result in denial of service, memory disclosure or the
# execution of arbitrary code if malformed RLE, SVG, PSD, PDB, DPX, MAT,
# TGA, VST, CIN, DIB, MPC, EPT, JNG, DJVU, JPEG, ICO, PALM or MNG
# files are processed.
Re: [DNG] VBScript Injection via GNOME Thumbnailer
On 2017-07-18 20:07, Adam Borowski wrote:
> On Tue, Jul 18, 2017 at 06:15:20PM +, Daniel Abrecht wrote:
>> Since thumbnails have to be generated somehow, they need some kind of
>> generator. To use plugins, which are represented by executables in this
>> case, is a perfectly fine approach for this.
>
> Uhm, but why? I can understand a thumbnail for an image file: it may be
> useful to see what's inside without having to open it. But there's a limit
> to thumbnailing. If it's an .exe, give it an icon that says "EXE" (or a
> broken four-panelled window image), and that's it.

It isn't possible to predict every image/file type a user may have to deal
with, therefore others need a way to add support for file formats that are
not supported by default. Additionally, if a developer writes a program, a
3D game for example, and it uses a custom file format, for a game level for
example, said developer may want to add thumbnails to those files. A plugin
system allows for this, and it enables the developer to choose to include a
thumbnailer, it leaves the choice to include the thumbnailer in a package to
its package maintainer, and it allows the user to install or remove the
thumbnailer. If there is no thumbnailer, a default icon for the file is
used. At any point, anyone can decide if they want generated thumbnails for
certain file types or not.

That said, I don't see a reason to not provide a way to display thumbnails
for exotic file types. I don't even see a problem in generating thumbnails
for exe files. Most exe files are just like some archive file containing
some icon files, so what's wrong with someone providing a thumbnailer
extracting those icons? Why should that be any more dangerous than
generating thumbnails for any kind of image? There is no reason any
thumbnail generator couldn't have bugs, therefore it would make the most
sense to prevent bugs in thumbnailers from having any security impact.

>> The real problem is that despite it being well known that thumbnail
>> generators have a really big attack surface, nothing has been done to
>> limit the impact of vulnerabilities in thumbnail generators.
> [...]
>> My guess on why no one actually does this is because it would break any
>> existing thumbnailer and programs like imagemagick couldn't be used for
>> thumbnail generation anymore.
>
> Actually, imagemagick is one of the worst offenders here. The version in Jessie
> is at deb8u9, and every security update tends to mention ~20 CVEs.

Yes, I know. I didn't mean to imply that keeping existing thumbnail
generators or using imagemagick for thumbnail generation is a good thing. I
just tried to reason why thumbnails may still be generated in an insecure
manner. If I had the choice between keeping every desktop system insecure
forever or breaking every thumbnailer ever created, I would always choose
the latter. However, I don't think that's an option for gnome or KDE.

Daniel Abrecht
Re: [DNG] VBScript Injection via GNOME Thumbnailer
On Tue, Jul 18, 2017 at 06:15:20PM +, Daniel Abrecht wrote:
> Since thumbnails have to be generated somehow, they need some kind of
> generator. To use plugins, which are represented by executables in this
> case, is a perfectly fine approach for this.

Uhm, but why? I can understand a thumbnail for an image file: it may be
useful to see what's inside without having to open it. But there's a limit
to thumbnailing. If it's an .exe, give it an icon that says "EXE" (or a
broken four-panelled window image), and that's it.

> The real problem is that despite it being well known that thumbnail
> generators have a really big attack surface, nothing has been done to
> limit the impact of vulnerabilities in thumbnail generators.
[...]
> My guess on why no one actually does this is because it would break any
> existing thumbnailer and programs like imagemagick couldn't be used for
> thumbnail generation anymore.

Actually, imagemagick is one of the worst offenders here. The version in Jessie
is at deb8u9, and every security update tends to mention ~20 CVEs.
Re: [DNG] VBScript Injection via GNOME Thumbnailer
On Tue, Jul 18, 2017 at 10:47:07AM -0700, Rick Moen wrote:
> WINE is a fine and useful package (and this bug isn't its fault). My
> point is merely that in the _general_ case, it would not be expected to
> accompany GNOME. (I'm very much not a GNOME fan.)

It's not software that would in any way conflict with GNOME (like, while
you can install GNOME and WindowMaker together, very few people would do
that). It's kind of like installing gcc and libreoffice on the same machine.

> (I wasn't really making an _excuse_ for GNOME, but even saying anything
> in favour of it makes me feel vaguely unclean. ;-> My wording was
> somewhere on the spectrum between poor word choice and a mild gag that
> didn't work well.)

Hell no! This was not what I was chastising you for. Your gag was not
unfunny -- in fact, these days I find not a single good word to say about
GNOME, and that excusing it for anything makes one dirty. :)

Meow!
Re: [DNG] VBScript Injection via GNOME Thumbnailer
Since thumbnails have to be generated somehow, they need some kind of
generator. To use plugins, which are represented by executables in this
case, is a perfectly fine approach for this.

The real problem is that despite it being well known that thumbnail
generators have a really big attack surface, nothing has been done to
limit the impact of vulnerabilities in thumbnail generators.

An easy approach for safe thumbnail generators would be to enforce seccomp
before the plugin for thumbnail generation is loaded/executed. This would
allow to prevent a thumbnail generator from doing anything but reading from
the file which needs a thumbnail, writing to the thumbnail file/memory, and
maybe some memory allocations, which could be further restricted using
rlimits.

My guess on why no one actually does this is because it would break any
existing thumbnailer and programs like imagemagick couldn't be used for
thumbnail generation anymore.

Daniel Abrecht
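The confinement sketched in the post above, as an added Python example; it is not GNOME, Devuan or gnome-exe-thumbnailer code. It assumes Linux on x86_64 (the syscall numbers and the AUDIT_ARCH value are that architecture's), uses a plain Python callable as a stand-in for the plugin, and the allow list is my choice of what a read-input/write-output worker needs. The filter is installed in a forked child immediately before the plugin runs, so the child can still use descriptors it already holds and manage memory, but cannot open files, reach the network or exec an interpreter.

```python
"""Seccomp-BPF confinement for a thumbnail plugin (added example, not
project code).  Assumptions: Linux x86_64; the plugin is a Python callable
given a write-end fd for its output; the allow list below is illustrative."""
import ctypes
import os
import platform
import signal
import struct

# From <linux/bpf_common.h>, <linux/seccomp.h>, <linux/audit.h>, <sys/prctl.h>.
BPF_LD_W_ABS = 0x00 | 0x00 | 0x20
BPF_JMP_JEQ_K = 0x05 | 0x10 | 0x00
BPF_RET_K = 0x06 | 0x00
SECCOMP_RET_KILL_PROCESS = 0x80000000
SECCOMP_RET_ALLOW = 0x7FFF0000
AUDIT_ARCH_X86_64 = 0xC000003E
PR_SET_SECCOMP, PR_SET_NO_NEW_PRIVS, SECCOMP_MODE_FILTER = 22, 38, 2
SECCOMP_DATA_NR, SECCOMP_DATA_ARCH = 0, 4  # offsets in struct seccomp_data

# x86_64 syscall numbers a file-in/file-out worker needs.  Deliberately
# absent: open/openat, socket, connect, execve, fork/clone, ptrace, ...
ALLOWED_X86_64 = {
    "read": 0, "write": 1, "close": 3, "fstat": 5, "lseek": 8,
    "mmap": 9, "mprotect": 10, "munmap": 11, "brk": 12,
    "rt_sigaction": 13, "rt_sigprocmask": 14, "rt_sigreturn": 15,
    "getpid": 39, "exit": 60, "futex": 202, "exit_group": 231,
}


def _insn(code, k, jt=0, jf=0):
    """One struct sock_filter { u16 code; u8 jt; u8 jf; u32 k; }."""
    return struct.pack("HBBI", code, jt, jf, k)


def build_filter(allowed):
    """Classic BPF: KILL on wrong arch, ALLOW listed numbers, KILL the rest."""
    nrs = sorted(allowed.values())
    prog = [_insn(BPF_LD_W_ABS, SECCOMP_DATA_ARCH),
            _insn(BPF_JMP_JEQ_K, AUDIT_ARCH_X86_64, jt=1),
            _insn(BPF_RET_K, SECCOMP_RET_KILL_PROCESS),
            _insn(BPF_LD_W_ABS, SECCOMP_DATA_NR)]
    # A match jumps over the remaining compares and the KILL, onto the ALLOW.
    prog += [_insn(BPF_JMP_JEQ_K, nr, jt=len(nrs) - i) for i, nr in enumerate(nrs)]
    prog += [_insn(BPF_RET_K, SECCOMP_RET_KILL_PROCESS), _insn(BPF_RET_K, SECCOMP_RET_ALLOW)]
    return b"".join(prog)


class _SockFprog(ctypes.Structure):
    _fields_ = [("len", ctypes.c_ushort), ("filter", ctypes.c_void_p)]


def install_filter(prog):
    """prctl(PR_SET_NO_NEW_PRIVS, 1), then prctl(PR_SET_SECCOMP, FILTER, &fprog)."""
    libc = ctypes.CDLL(None, use_errno=True)
    libc.prctl.argtypes = [ctypes.c_int] + [ctypes.c_ulong] * 4
    libc.prctl.restype = ctypes.c_int
    if libc.prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0:
        raise OSError(ctypes.get_errno(), "PR_SET_NO_NEW_PRIVS failed")
    buf = ctypes.create_string_buffer(prog, len(prog))
    fprog = _SockFprog(len(prog) // 8, ctypes.addressof(buf))
    if libc.prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ctypes.addressof(fprog), 0, 0) != 0:
        raise OSError(ctypes.get_errno(), "PR_SET_SECCOMP failed")


def run_confined(plugin):
    """Fork, confine the child, run plugin(out_fd) there, and report how it
    ended: 'exit:<code>' or 'signal:<NAME>'.  'unsupported' on other
    platforms or where the kernel/container refuses the filter."""
    if platform.system() != "Linux" or platform.machine() != "x86_64":
        return "unsupported"
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:                      # child: the untrusted side
        os.close(r)
        try:
            install_filter(build_filter(ALLOWED_X86_64))
        except OSError:
            os._exit(111)             # filter refused; parent maps this to 'unsupported'
        plugin(w)                     # from here on, only ALLOWED_X86_64 works
        os._exit(0)
    os.close(w)
    os.read(r, 4096)                  # drain so the child never blocks or gets EPIPE
    os.close(r)
    _, status = os.waitpid(pid, 0)
    if os.WIFEXITED(status):
        code = os.WEXITSTATUS(status)
        return "unsupported" if code == 111 else f"exit:{code}"
    return "signal:" + signal.Signals(os.WTERMSIG(status)).name


def well_behaved_plugin(out_fd):
    """Stand-in thumbnailer: writes constructed thumbnail bytes and returns."""
    os.write(out_fd, b"\x89PNG constructed-thumbnail-bytes")


def escaping_plugin(out_fd):
    """Stand-in for a compromised plugin reaching for an interpreter (the
    cscript.exe situation).  execve is not allowed: SIGSYS before /bin/sh runs."""
    os.execv("/bin/sh", ["sh", "-c", "true"])


if __name__ == "__main__":
    print("well-behaved plugin:", run_confined(well_behaved_plugin))
    print("escaping plugin:    ", run_confined(escaping_plugin))
```

In a real thumbnailer host the filter would go on right before execve() of the plugin binary, with the input already opened read-only and the output fd passed in, so the plugin never needs open() at all; the rlimits mentioned above (resource.setrlimit on RLIMIT_AS, for instance) belong in the same spot, before the filter. SECCOMP_RET_KILL_PROCESS needs a 4.14 or newer kernel; on older ones the prctl fails and the example reports "unsupported" rather than guessing.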
Re: [DNG] VBScript Injection via GNOME Thumbnailer
Quoting Adam Borowski (kilob...@angband.pl):

> But _why_ would you say this is an excuse? Wine is an unrelated piece of
> software, and it's not a bug in Wine.

I agree with your well-stated take on this. I'm merely pointing out that
the original statement that GNOME's thumbnailer displays the indicated bug
behaviour should be amended: It displays that bug behaviour if the system
also has WINE installed.

WINE is a fine and useful package (and this bug isn't its fault). My point
is merely that in the _general_ case, it would not be expected to accompany
GNOME. (I'm very much not a GNOME fan.)

(I wasn't really making an _excuse_ for GNOME, but even saying anything in
favour of it makes me feel vaguely unclean. ;-> My wording was somewhere on
the spectrum between poor word choice and a mild gag that didn't work well.)
Re: [DNG] VBScript Injection via GNOME Thumbnailer
Quoting Enrico Weigelt, metux IT consult (enrico.weig...@gr13.net):

> On 18.07.2017 08:45, Rick Moen wrote:
>
>> Strictly speaking, I am reasonably sure it doesn't _depend_ on WINE, but
>> merely use it if it's present.
>
> The fact that it silently starts proprietary executables (eg. the
> windows scripting host), just because they're there, indeed is a
> huge bug, more precisely: a fundamental conceptional error.

Clarification: To the best of my understanding, the cscript.exe in
question is WINE LGPLed code, not Microsoft code.
Re: [DNG] VBScript Injection via GNOME Thumbnailer
On 18.07.2017 08:45, Rick Moen wrote:

> Strictly speaking, I am reasonably sure it doesn't _depend_ on WINE, but
> merely use it if it's present.

The fact that it silently starts proprietary executables (eg. the windows
scripting host), just because they're there, indeed is a huge bug, more
precisely: a fundamental conceptual error. This is something you really
wouldn't expect in the GNU/Linux world.

OTOH, Gnome3 (or Lennartware in general) has the same attitude as Windoze
stuff - treat the user/operator as the dumbest being in the world and try
to do lots of magical things, but even w/o some careful thoughts. Such
things are even worse than the good old autorun.inf misfeature.

IMHO, these Lennartists have totally lost control of their actions. They've
become even worse than M$.

--mtx
Re: [DNG] VBScript Injection via GNOME Thumbnailer
On Tue, Jul 18, 2017 at 12:39:45AM -0700, Rick Moen wrote:
> Quoting Joachim Fahrner (j...@fahrner.name):
>
>> Another nice bug in Gnome:
>> http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html
>
> I feel almost dirty making excuses for GNOME ;-> , but this bug in
> /usr/bin/gnome-exe-thumbnailer appears to be exploitable only if WINE
> is installed and findable by that GNOME utility. The thumbnailer
> invokes WINE's cscript.exe, which appears to be a Windows Scripting Host
> command interpreter -- and thus run VBScript.

But _why_ would you say this is an excuse? Wine is an unrelated piece of
software, and it's not a bug in Wine.

It's nice to have Wine installed, it reduces your need to have a Windows
partition/VM[1] to basically zero. It's like saying that Perl is
responsible if you feed it a program from an untrusted source. Wine does
one task: run programs in PE format for win32/win64 ABI, and does it quite
well.

[1]. For your own use, that is -- if you want to test programs for others
you'll obviously want VMs for multiple versions of Windows, just like you
have a Fedora VM and an OpenBSD VM.
Re: [DNG] VBScript Injection via GNOME Thumbnailer
schrieblings From: j...@fahrner.name

> That's the point. All these things made by Poettering, Gnome Team, Red
> Hat ... are rubbish monsters, too complex to make them safe. They put
> all things in they can think of. A thumbnailer that depends on wine!
> Unbelievable! That's no good and clean software.

Believable, understandable and purely logical. You do as your masters pay
you to do. There is no room for ethics, morality, ideals, in a neo-liberal
world. Those fools that thought linux alone would bring a revolution in
society are the real morons. Unless you are further disillusioned to
believe that you can have bubbles of sterile communities within the system
of inequality, oppression, and exploitation. You want free and open? Eat
shit or do something about it.

> Jochen

Two thumbs up for agent Poettering and the rest of the "company". There is
no room for moralists in the front line.
Re: [DNG] VBScript Injection via GNOME Thumbnailer
Quoting Joachim Fahrner (j...@fahrner.name):

> That's the point. All these things made by Poettering, Gnome Team,
> Red Hat ... are rubbish monsters, too complex to make them safe.
> They put all things in they can think of. A thumbnailer that depends
> on wine! Unbelievable! That's no good and clean software.

Strictly speaking, I am reasonably sure it doesn't _depend_ on WINE, but
merely use it if it's present.

(I reiterate that the parser bug in /usr/bin/gnome-exe-thumbnailer is
damning, but note that it seems to be harmless in the general case, and
exploitable only on systems that also have WINE installed.)

-- 
Cheers,
Rick (not a GNOME fan) Moen
r...@linuxmafia.com
McQ! (4x80)
Re: [DNG] VBScript Injection via GNOME Thumbnailer
On 2017-07-18 09:39, Rick Moen wrote:

> OTOH, clearly the parser code in /usr/bin/gnome-exe-thumbnailer is
> rubbish, as it shouldn't be possible to fool it into processing embedded
> VBScript in a filename.

That's the point. All these things made by Poettering, Gnome Team, Red
Hat ... are rubbish monsters, too complex to make them safe. They put all
things in they can think of. A thumbnailer that depends on wine!
Unbelievable! That's no good and clean software.

Jochen
Re: [DNG] VBScript Injection via GNOME Thumbnailer
Quoting Joachim Fahrner (j...@fahrner.name):

> Another nice bug in Gnome:
> http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html

I feel almost dirty making excuses for GNOME ;-> , but this bug in
/usr/bin/gnome-exe-thumbnailer appears to be exploitable only if WINE is
installed and findable by that GNOME utility. The thumbnailer invokes
WINE's cscript.exe, which appears to be a Windows Scripting Host command
interpreter -- and thus runs VBScript.

OTOH, clearly the parser code in /usr/bin/gnome-exe-thumbnailer is
rubbish, as it shouldn't be possible to fool it into processing embedded
VBScript in a filename.

-- 
Cheers,                          299792458 meters per second. Not
Rick Moen                        just a good idea. It's the law.
r...@linuxmafia.com              McQ! (4x80)
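The bug class Rick describes above, a file name that ends up inside script source which is then handed to an interpreter, as an added Python example; it is not gnome-exe-thumbnailer's code and not part of the original post. The VBScript template, the `wine cscript.exe` argv and the constructed file names are hypothetical stand-ins chosen to illustrate the pattern: a value interpolated into code becomes code, while a value passed as its own argv entry stays data no matter what characters it contains.

```python
"""Filename-to-script injection and its fix (added example, not project code).

The template below is a stand-in for a thumbnailer that writes a small
VBScript and asks the Windows Scripting Host interpreter (cscript.exe, under
wine) to run it.  Interpreter path and script text are assumptions."""
import shlex

INTERPRETER = ["wine", "cscript.exe", "//Nologo"]   # hypothetical; never executed here


def build_command_unsafe(path):
    """Vulnerable variant: the untrusted path is spliced into the script
    source.  A double quote in the file name ends the string literal and
    everything after it is parsed as VBScript statements."""
    script = (
        'Set fso = CreateObject("Scripting.FileSystemObject")\n'
        f'Set f = fso.GetFile("{path}")\n'
        "WScript.Echo f.Size\n"
    )
    return script, INTERPRETER + ["thumb.vbs"]


def build_command_safe(path):
    """Hardened variant: the script is a constant that reads its input from
    the argument list.  argv entries reach the interpreter as separate
    strings, so no quoting, escaping or re-parsing can turn data into code."""
    script = (
        'Set fso = CreateObject("Scripting.FileSystemObject")\n'
        "Set f = fso.GetFile(WScript.Arguments(0))\n"
        "WScript.Echo f.Size\n"
    )
    return script, INTERPRETER + ["thumb.vbs", path]


def vbs_statements(script):
    """Rough statement splitter: newlines, and ':' outside string literals,
    separate statements in VBScript.  Enough to count what an interpreter
    would see; it is not a full parser."""
    statements, cur, in_str = [], "", False
    for ch in script:
        if ch == '"':
            in_str = not in_str
        if ch == "\n" or (ch == ":" and not in_str):
            if cur.strip():
                statements.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        statements.append(cur.strip())
    return statements


# Constructed inputs: an ordinary name, and one that closes the string
# literal and the call, then appends a statement of the attacker's choosing.
BENIGN = "setup.exe"
HOSTILE = 'setup") : MsgBox ("injected'


if __name__ == "__main__":
    for name in (BENIGN, HOSTILE):
        unsafe_script, _ = build_command_unsafe(name)
        safe_script, safe_argv = build_command_safe(name)
        print(repr(name))
        print("  unsafe template parses as", len(vbs_statements(unsafe_script)), "statements")
        print("  safe template parses as  ", len(vbs_statements(safe_script)), "statements;",
              "argv:", shlex.join(safe_argv))
```

Escaping the quote character in the unsafe variant is the tempting fix and the wrong one: it has to be right for every character the interpreter treats specially, and it breaks again the next time the template changes. Keeping the file name out of the parsed text altogether, as the safe variant does, removes the question. The same reasoning applies to building shell command lines with the name embedded.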
[DNG] VBScript Injection via GNOME Thumbnailer
Another nice bug in Gnome:
http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html

Jochen