Crazy bug of the week: Gnome Files' .MSI parser runs evil VBScripts

Gnome developers, take a bow: a bug in your image thumbnailer has opened up a (not too scary, thankfully) hole for script injection. The security vulnerability was revealed this week by Nils Dagsson Moskopp here, and his advice for users is: “Delete all files in /usr/share/thumbnailers. Do not use GNOME Files. Uninstall any …

Silver badge

Over complicating things

“Whenever an icon for a Microsoft Windows executable (EXE), installer (MSI), library (DLL), or shortcut (LNK) should be shown, Gnome Files calls /usr/bin/gnome-exe-thumbnailer to either extract an embedded icon from the file in question or deliver a fallback image for the appropriate filetype.”

Just deliver the fallback image. Nobody needs to start up WINE once per file in a file browser, nor are they really interested in the icon; they just need to see if it's a Windows executable or whatever. Exploits like this happen when people over-engineer stuff.

27
0
Silver badge

Re: Over complicating things

This is, unfortunately, a typical symptom of the current breed of Desktop developers. The important problems were all solved decades ago; now they are just trying to solve them in more and more complex ways. The result is features nobody asked for, which not only harm productivity, but also security.

Unfortunately this is happening on virtually all desktop platforms.

38
0
Bronze badge

Re: Over complicating things

It seems that Red Hat is nowadays run by a club of "developers" who think security issues cannot happen to them because

1. they're so very clever

2. magic open source pixie dust

3. calling something "Linux" makes it automatically secure.

It seems they still need to learn the lessons that Microsoft learned the hard way during the Windows XP SP2 timeframe. Seems they are also opting for the hard way.

25
2
Anonymous Coward

Re: Over complicating things

@Christian Berger: I think probably all desktop platforms, rather than virtually all. Even the so-called lightweight desktops are dozens of times bloatier than, say, OpenLook was 25 years ago, despite doing basically the same thing.

8
0
Silver badge

Re: Over complicating things

Ah, the fond memories of OpenLook. About the only thing I didn't like was the way it maximised windows.

1
0
Anonymous Coward

Re: Over complicating things

> Exploits like this happen when people over-engineer stuff.

Exploits happen when you think that shelling out to an executable and passing it a bunch of arguments on the command line is an acceptable API.

It isn't.

0
0
Orv
Silver badge

Re: Over complicating things

Isn't that the whole UNIX philosophy? Take a bunch of small programs that all do one thing, string them together in a pipeline, and hope you got all the arguments quoted properly.

0
0
Silver badge

@Orv Re: Over complicating things

If it was following the Unix philosophy they would have just updated /etc/magic with those file types and used 'file' to determine what icon to display. There is no need to re-invent the wheel, especially with this massive pile of shit.

0
0
Silver badge
Facepalm

****CLANG**** /shouty

Oh Dear - this one seems unworthy of even the systemd dafties

Time someone renamed Gnome to Troll and kicked it back under its bridge.

20
1
Mushroom

Fixed it!

sudo apt-get purge gnome-exe-thumbnailer

11
0
Bronze badge

Re: Fixed it!

Why stop there?

sudo apt-get purge gnome-desktop-environment

19
0

Re: Fixed it!

That's essentially what I did when the GNOME developers showed their contempt for their users for the first time, several years ago.

I actually thought they couldn't possibly sink any lower at that time. Weird how things can always get worse.

6
0
Silver badge

Re: Fixed it!

> sudo apt-get --annual purge --follow-rabbit-hole --redpill gnome-exe-thumbnailer

FTFY

0
0
Bronze badge

Re: sudo apt-get purge gnome-exe-thumbnailer

If the package is a constant source of CVEs, the problem should be fixed at distro level, like this one for example:

- https://security.gentoo.org/glsa/201402-17:

"Resolution: Gentoo has discontinued support for Xpdf. We recommend that users unmerge Xpdf"

3
0
Anonymous Coward

Unexpected item in bagging area

Always sanity check your inputs.

12
0
Silver badge

Why am I not surprised? The Gnome developers seem to be hell-bent on breaking stuff and generally re-implementing things badly that were already solved problems. Instead of them wasting time removing features/functionality to dumb things down, perhaps they should spend more time on bug-fixing, reviewing security, and not doing dumb stuff like this example.

21
0
Bronze badge

Please tell me it doesn't have a dependency on WINE

It's bad enough that it does this, but I dearly hope it doesn't pull in WINE as a dependency.

Wonder what it does on OpenBSD, which does support GNOME, but won't run WINE. Surely there must be some fallback path.

6
0
Silver badge
Linux

Re: Please tell me it doesn't have a dependency on WINE

It's not an integral part of Gnome. It's part of the WINE package that WINE installs into Gnome to give you Windows compatible icons. From what I can see, if you don't ever install WINE, you shouldn't have it.

Also, a quick Google of the name also mentions it with respect to XFCE and Mint. It's quite possible that it is not limited to Gnome. There may also be other equivalent versions for other desktops which you may have if you ever installed WINE.

Kudos to the WINE people for their successful emulation of yet another Windows "feature".

17
0
Anonymous Coward

Re: Please tell me it doesn't have a dependency on WINE

I have a dependency on beer

10
0
Silver badge
Pint

Re: Please tell me it doesn't have a dependency on WINE

Here's a NMI (non-maskable interrupt) - see icon

5
0
Bronze badge

Re: Please tell me it doesn't have a dependency on WINE

On Devuan Linux there are basically 3 sorts of dependencies: Depends, Recommends and Suggests. Most probably the gnome thumbnailer "Suggests" wine, so wine won't even be installed by default.

1
0

Re: Please tell me it doesn't have a dependency on WINE

Wonder how many Gnome developers know what that is...

0
0
Silver badge
Childcatcher

Just the tip

...if you can create arbitrary files, you can have all sorts of fun with a Linux environment (even if only in the current user's context).

The first and most obvious thing to do with this is try to gain root and have some real fun.

Arbitrary files equals arbitrary commands leads to eventual pwnage.

5
0
Bronze badge

Re: try to gain root

On a properly configured grsec system gaining root won't give you much.

0
0
Silver badge

Re: try to gain root

Is that the same grsec described as "pure garbage" by one L. Torvalds?

0
0
Silver badge

fully recognise inputs before processing them

Programming concepts and best practices don't get any more basic than that. Seriously, first a hard dependency on a questionable init system and now this? WTF Gnome team?

13
1
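The approach argued for in this post and in the earlier "Unix philosophy" reply (recognise the type from the file's own magic bytes and hand back a fallback icon, without interpreting the filename or executing anything), as an added Python example; this is not code from the thread or from gnome-exe-thumbnailer, and the icon names are placeholder assumptions:

```python
import struct

# Public magic numbers for the four Windows types the thumbnailer handles.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # MSI is an OLE compound document
LNK_MAGIC = bytes.fromhex("4C000000"            # ShellLinkHeader.HeaderSize == 0x4C
                          "0114020000000000C000000000000046")  # LinkCLSID
IMAGE_FILE_DLL = 0x2000                          # COFF Characteristics flag

# Placeholder icon names (assumption, not real icon-theme names).
FALLBACK_ICONS = {
    "exe": "windows-executable", "dll": "windows-library",
    "msi": "windows-installer", "lnk": "windows-shortcut",
    "unknown": "generic-file",
}

def classify_windows_file(data: bytes) -> str:
    """Classify by header bytes only. The filename is never consulted and
    nothing is read beyond fixed-offset fields, so a hostile name or body
    can influence nothing but the label that comes back."""
    if data.startswith(OLE_MAGIC):
        return "msi"
    if data.startswith(LNK_MAGIC):
        return "lnk"
    if data.startswith(b"MZ"):
        # The DOS stub stores e_lfanew at 0x3C; bounds-check it before use.
        if len(data) >= 0x40:
            e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
            if e_lfanew + 24 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
                return "dll" if characteristics & IMAGE_FILE_DLL else "exe"
        return "exe"   # plain DOS stub or truncated PE: still an executable
    return "unknown"

def fallback_icon(data: bytes) -> str:
    """The whole 'thumbnailer': a table lookup, no subprocess, no WINE."""
    return FALLBACK_ICONS[classify_windows_file(data)]

def fake_pe(is_dll: bool) -> bytes:
    """Constructed minimal PE header for testing (not a real program)."""
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0,
                       0x0002 | (IMAGE_FILE_DLL if is_dll else 0))
    return b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + coff

if __name__ == "__main__":
    # A hostile-looking name changes nothing, because the name is never read.
    samples = {"report.msi": OLE_MAGIC + b"\0" * 64, "x'; calc.exe": fake_pe(False),
               "lib.dll": fake_pe(True), "link.lnk": LNK_MAGIC + b"\0" * 64}
    for name, blob in samples.items():
        print(f"{name!r}: {fallback_icon(blob)}")
```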
Orv
Silver badge

I'm not clear if the fault here lies with the GNOME team, or if this is something the WINE team came up with as an integration plug-in.

1
0
Gold badge
FAIL

"fully recognise inputs before processing them"

Yes you'd think that's in the "do not stick your fingers in an electric socket as it may harm you" grade of stupid warnings that don't need to be issued.

Except apparently it's not.

Or for the slightly more professional.

If you don't understand a language spec fully you should not try constructing a parser for that language, because you will probably f**k it up.

5
0
Silver badge
Pint

Executing filenames?

A year or two ago, I wrote a comedy comment about gadgets Seeing Code, Running Code.

E.g. Malicious software being spray painted onto the sidewalk, and passing smartphones immediately seeing it in their field of view, capturing it, OCR'ing it, compiling it, and of course executing it.

"CODE! MUST. RUN. CODE. Look Code !! GRAB CODE, RUN CODE."

I was just kidding. Please stop.

2
0


Biting the hand that feeds IT © 1998–2017