Tracker as a security risks



Hi,

I wanted to point out a recent blogpost by IT security export Chris
Evans:
https://scarybeastsecurity.blogspot.dk/2016/11/0day-poc-risky-design-decisions-in.html

The short version: Chrome automatically downloads files without a file
dialog, tracker (part of the GNOME desktop) subsequently automatically
indexes these files with a wide variety of parsers (including
gstreamer, but also others like imagemagick).

While the bugs that evans points out have been fixed (and the gstreamer
team has fixed a whole bunch of other potential security issues I
reported in the past days, thanks!), the whole design of Tracker seems
incredibly risky. It is certainly worthwhile trying to make the
underlying software more secure, but having tried to do that before
I find it unlikely that projects like gstreamer or imagemagick will
ever be in a state where we can feel comfortable feeding them with
untrusted files.

The core problem here is that tracker automatically parses files of
potentially unknown origin with parsers that haven't been built with
security in mind. This happens without any sandboxing.

I think there needs to be a wider discussion about this and the
fundamental design choices done here need to be questioned.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno hboeck de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]