sandbox thumbnailers
Submitted by Yves-Alexis Perez
Assigned to Ali Abdallah @ali
Description
I wrongly thought I had already opened a bug against tumbler about this, but I can't find it so I guess I'm wrong.
It would be nice to execute the thumbnailers through a sandbox, because thumbnailers by nature parse complex formats from files with sometimes spurious origin. There have been multiple vulnerabilities in video, image or PDF parsers which could lead to code execution. The latest one is a series in ghostscript (see thread at http://openwall.com/lists/oss-security/2018/08/21/2 for example).
While tumbler or its dependencies might not be vulnerable to specific vulnerabilities, it's quite possible that it will be to some other in the future. Thumbnailing is enabled even for files on removable storage or downloaded from the internet. Hardening the thumbnailers and tumblerd itself so it runs sandboxed would be nice. On Linux seccomp can help, shipping some AppArmor/SELinux rules might help too, and maybe projects like bubblewrap would be interesting as well.
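As an added illustration of the bubblewrap suggestion (example code, not part of the report or of tumbler), here is a POSIX sh wrapper that runs a single thumbnailer invocation in a bubblewrap sandbox where the untrusted input is read-only, only the thumbnail directory is writable, and there is no network. The thumbnailer path and the input/output paths are placeholders; `SANDBOX_DRY_RUN` is a hypothetical knob so the policy can be inspected without `bwrap` installed.

```shell
#!/bin/sh
# Run one thumbnailer invocation under bubblewrap (bwrap).
# Policy: read-only /usr and fonts, no network, fresh PID/IPC/UTS/user
# namespaces, no controlling tty, a private /tmp, and write access only to
# the directory that receives the thumbnail.
#   $1 = thumbnailer executable (placeholder path)
#   $2 = untrusted input file    $3 = thumbnail output path
# With SANDBOX_DRY_RUN set (hypothetical knob), the bwrap argument vector is
# printed one per line instead of being executed, so it can be inspected.
sandbox_thumbnailer() {
    exe=$1; input=$2; output=$3
    outdir=$(dirname -- "$output"); outname=$(basename -- "$output")
    set -- \
        --unshare-all --die-with-parent --new-session \
        --ro-bind /usr /usr \
        --symlink usr/lib /lib --symlink usr/lib64 /lib64 --symlink usr/bin /bin \
        --ro-bind-try /etc/fonts /etc/fonts \
        --dev /dev --proc /proc --tmpfs /tmp \
        --ro-bind "$input" /input \
        --bind "$outdir" /output \
        --chdir /tmp \
        --clearenv --setenv HOME /tmp --setenv PATH /usr/bin \
        -- "$exe" /input "/output/$outname"
    if [ -n "${SANDBOX_DRY_RUN:-}" ]; then
        printf '%s\n' bwrap "$@"
        return 0
    fi
    # A hostile file can also hang or exhaust the parser; bound the wall time.
    timeout "${SANDBOX_TIMEOUT:-30}" bwrap "$@"
}

# Usage (constructed paths; /usr/bin/example-thumbnailer is a placeholder):
#   SANDBOX_DRY_RUN=1 sandbox_thumbnailer /usr/bin/example-thumbnailer \
#       "$HOME/Downloads/untrusted.pdf" "$HOME/.cache/thumbnails/normal/x.png"
```

A seccomp BPF filter or an AppArmor profile, as the report also suggests, would layer on top of this: the namespace sandbox limits what the parser can reach, not which syscalls it may issue.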