Crazy bug of the week: Gnome Files' .MSI parser runs evil VBScripts

Gnome developers, take a bow: a bug in your image thumbnailer has opened up a (not too scary, thankfully) hole for script injection. The security vulnerability was revealed this week by Nils Dagsson Moskopp here, and his advice for users is: “Delete all files in /usr/share/thumbnailers. Do not use GNOME Files. Uninstall any …

  1. Dan 55 Silver badge

    Over complicating things

    “Whenever an icon for a Microsoft Windows executable (EXE), installer (MSI), library (DLL), or shortcut (LNK) should be shown, Gnome Files calls /usr/bin/gnome-exe-thumbnailer to either extract an embedded icon from the file in question or deliver a fallback image for the appropriate filetype.”

    Just deliver the fallback image. Nobody needs to start up WINE once per file in a file browser, nor are they really interested in the icon; they just need to see if it's a Windows executable or whatever. Exploits like this happen when people over-engineer stuff.

    1. Christian Berger

      Re: Over complicating things

      This is, unfortunately, a typical symptom of the current breed of desktop developers. The important problems were all solved decades ago; now they are just trying to solve them in more and more complex ways. The result is features nobody asked for, which not only harm productivity, but also security.

      Unfortunately this is happening on virtually all desktop platforms.

      1. stephanh

        Re: Over complicating things

        It seems that Red Hat is nowadays run by a club of "developers" who think security issues cannot happen to them because

        1. they're so very clever

        2. magic open source pixie dust

        3. calling something "Linux" makes it automatically secure.

        It seems they still need to learn the lessons that Microsoft learned the hard way during the Windows XP SP2 timeframe. Seems they are also opting for the hard way.

      2. Anonymous Coward

        Re: Over complicating things

        @Christian Berger: I think probably all desktop platforms, rather than virtually all. Even the so-called lightweight desktops are dozens of times bloatier than, say, OpenLook was 25 years ago, despite doing basically the same thing.

        1. bazza Silver badge

          Re: Over complicating things

          Ah, the fond memories of OpenLook. About the only thing I didn't like was the way it maximised windows.

    2. Anonymous Coward

      Re: Over complicating things

      Exploits like this happen when people over-engineer stuff.

      Exploits happen when you think that shelling out to an executable and passing it a bunch of arguments on the command line is an acceptable API.

      It isn't.

      1. Orv Silver badge

        Re: Over complicating things

        Isn't that the whole UNIX philosophy? Take a bunch of small programs that all do one thing, string them together in a pipeline, and hope you got all the arguments quoted properly.

        1. Crazy Operations Guy

          @Orv Re: Over complicating things

          If it was following the Unix philosophy they would have just updated /etc/magic with those file types and used 'file' to determine what icon to display. There is no need to re-invent the wheel, especially with this massive pile of shit.

  2. PNGuinn
    Facepalm

    ****CLANG**** /shouty

    Oh Dear - this one seems unworthy of even the systemd dafties

    Time someone renamed Gnome to Troll and kicked it back under its bridge.

  3. nagyeger
    Mushroom

    Fixed it!

    sudo apt-get purge gnome-exe-thumbnailer

    1. stephanh

      Re: Fixed it!

      Why stop there?

      sudo apt-get purge gnome-desktop-environment

      1. Frank Zuiderduin

        Re: Fixed it!

        That's essentially what I did when the GNOME developers showed their contempt for their users for the first time, several years ago.

        I actually thought they couldn't possibly sink any lower at that time. Weird how things can always get worse.

    2. Frumious Bandersnatch

      Re: Fixed it!

      > sudo apt-get --annual purge -- follow-rabbit-hole --redpill gnome-exe-thumbnailer

      FTFY

    3. Ramazan

      Re: sudo apt-get purge gnome-exe-thumbnailer

      If the package is a constant source of CVEs, the problem should be fixed at the distro level, like this one for example:

      - https://security.gentoo.org/glsa/201402-17:

      "Resolution: Gentoo has discontinued support for Xpdf. We recommend that users unmerge Xpdf"

  4. Anonymous Coward

    Unexpected item in bagging area

    Always sanity check your inputs.

  5. Paul Crawford Silver badge

    Why am I not surprised? The Gnome developers seem to be hell-bent on breaking stuff and generally re-implementing things badly that were already solved problems. Instead of them wasting time removing features/functionality to dumb things down, perhaps they should spend more time on bug-fixing, reviewing security, and not doing dumb stuff like this example.

  6. BinkyTheMagicPaperclip Silver badge

    Please tell me it doesn't have a dependency on WINE

    It's bad enough that it does this, but I dearly hope it doesn't pull in WINE as a dependency.

    Wonder what it does on OpenBSD, which does support GNOME, but won't run WINE. Surely there must be some fallback path.

    1. thames
      Linux

      Re: Please tell me it doesn't have a dependency on WINE

      It's not an integral part of Gnome. It's part of the WINE package that WINE installs into Gnome to give you Windows compatible icons. From what I can see, if you don't ever install WINE, you shouldn't have it.

      Also, a quick Google of the name also mentions it with respect to XFCE and Mint. It's quite possible that it is not limited to Gnome. There may also be other equivalent versions for other desktops which you may have if you ever installed WINE.

      Kudos to the WINE people for their successful emulation of yet another Windows "feature".

    2. Anonymous Coward

      Re: Please tell me it doesn't have a dependency on WINE

      I have a dependency on beer

      1. bazza Silver badge
        Pint

        Re: Please tell me it doesn't have a dependency on WINE

        Here's a NMI (non-maskable interrupt) - see icon

        1. Measurer

          Re: Please tell me it doesn't have a dependency on WINE

          Wonder how many Gnome developers know what that is...

    3. Ramazan

      Re: Please tell me it doesn't have a dependency on WINE

      On Devuan Linux there are basically 3 sorts of dependencies: Depends, Recommends and Suggests. Most probably the gnome thumbnailer "Suggests" wine, so wine won't even be installed by default.

  7. Robert Helpmann??
    Childcatcher

    Just the tip

    ...if you can create arbitrary files, you can have all sorts of fun with a Linux environment (even if only in the current user's context).

    The first and most obvious thing to do with this is try to gain root and have some real fun.

    Arbitrary files equals arbitrary commands leads to eventual pwnage.

    1. Ramazan

      Re: try to gain root

      On a properly configured grsec system, gaining root won't give you much.

      1. Adam 52 Silver badge

        Re: try to gain root

        Is that the same grsec described as "pure garbage" by one L. Torvalds?

  8. sisk

    fully recognise inputs before processing them

    Programming concepts and best practices don't get any more basic than that. Seriously, first a hard dependency on a questionable init system and now this? WTF Gnome team?

    1. Orv Silver badge

      I'm not clear if the fault here lies with the GNOME team, or if this is something the WINE team came up with as an integration plug-in.
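What "fully recognise inputs before processing them" and Dan 55's "just deliver the fallback image" look like in practice, as an added illustration that is not gnome-exe-thumbnailer's code or the page's: the file type is decided from header bytes alone (OLE compound file for MSI, ShellLink header for LNK, MZ/PE with the COFF DLL flag for EXE vs DLL) and a static icon name is returned, with nothing parsed deeper and nothing executed. The icon names and `make_pe` sample builder are assumed placeholders.

```python
import struct
from typing import Optional

# Added example, not gnome-exe-thumbnailer's code: recognise a Windows artefact
# purely from its header bytes and hand back a fallback icon name.
OLE_CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary (MSI container)
LNK_MAGIC = (b"\x4c\x00\x00\x00"                       # ShellLink HeaderSize == 0x4C
             + b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")  # LinkCLSID
IMAGE_FILE_DLL = 0x2000                               # COFF Characteristics flag
MAX_HEADER_BYTES = 4096                               # bounded read, never the whole file

# Assumed placeholder icon names for the desktop theme's fallback images.
FALLBACK_ICONS = {
    "exe": "application-x-ms-dos-executable",
    "dll": "application-x-sharedlib",
    "msi": "application-x-msi",
    "lnk": "application-x-ms-shortcut",
}

def classify(header: bytes) -> Optional[str]:
    """Return 'exe', 'dll', 'msi', 'lnk' or None, deciding from magic bytes only."""
    if header.startswith(OLE_CFB_MAGIC):
        return "msi"
    if header.startswith(LNK_MAGIC):
        return "lnk"
    if header[:2] == b"MZ" and len(header) >= 0x40:
        e_lfanew = struct.unpack_from("<I", header, 0x3C)[0]
        if header[e_lfanew:e_lfanew + 4] == b"PE\x00\x00" and len(header) >= e_lfanew + 24:
            # Characteristics sits 18 bytes into the COFF header, which follows the 4-byte PE signature.
            characteristics = struct.unpack_from("<H", header, e_lfanew + 22)[0]
            return "dll" if characteristics & IMAGE_FILE_DLL else "exe"
        return "exe"  # plain DOS MZ stub, or a PE header beyond the bytes we read
    return None

def fallback_icon(header: bytes) -> str:
    """The thumbnailer's whole job as the thread suggests: a static icon, no WINE."""
    return FALLBACK_ICONS.get(classify(header), "application-octet-stream")

def icon_for_path(path: str) -> str:
    with open(path, "rb") as fh:
        return fallback_icon(fh.read(MAX_HEADER_BYTES))

def make_pe(is_dll: bool) -> bytes:
    """Constructed sample input: minimal MZ stub, PE signature and COFF header."""
    e_lfanew = 0x40
    mz = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, IMAGE_FILE_DLL if is_dll else 0x0002)
    return mz + b"PE\x00\x00" + coff
```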

  9. John Smith 19 Gold badge
    FAIL

    "fully recognise inputs before processing them"

    Yes you'd think that's in the "do not stick your fingers in an electric socket as it may harm you" grade of stupid warnings that don't need to be issued.

    Except apparently it's not.

    Or for the slightly more professional.

    If you don't understand a language spec fully you should not try constructing a parser for that language, because you will probably f**k it up.

  10. JeffyPoooh
    Pint

    Executing filenames?

    A year or two ago, I wrote a comedy comment about gadgets Seeing Code, Running Code.

    E.g. Malicious software being spray painted onto the sidewalk, and passing smartphones immediately seeing it in their field of view, capturing it, OCR'ing it, compiling it, and of course executing it.

    "CODE! MUST. RUN. CODE. Look Code !! GRAB CODE, RUN CODE."

    I was just kidding. Please stop.
