GNU bug report logs

#32515 Ghostscript and GNOME thumbnailing code execution vulnerabilities


Report forwarded to bug#32515; Package guix. (Thu, 23 Aug 2018 21:03:02 GMT)

Acknowledgement sent to Leo Famulari <>: New bug report received and forwarded. Copy sent to (Thu, 23 Aug 2018 21:03:02 GMT)

Message #5 received at:

From: Leo Famulari <>
Subject: GNOME thumbnailing code execution vulnerabilities
Date: Thu, 23 Aug 2018 17:01:51 -0400
In some configurations of the GNOME and KDE desktops (and maybe others),
there is a remote code execution vulnerability via the Nautilus
thumbnailing system, via Evince and Ghostscript:

"My colleague Jann Horn pointed out evince (which uses libgs, which is
affected with some tweaks to the PoC) is used to generate previews in
Nautilus, which means previews can trigger code execution (see
/usr/share/thumbnailers/evince.thumbnailer). I think it's possible to
trigger that via file automatic download in a browser just by visiting a
URL, but I haven't tested it." [0]

Our Evince package is configured with '--disable-nautilus' [1]. Does
this avoid the problem for us?

I'm not using a graphical GuixSD system so I can't test this easily. Can
someone who is using GNOME on GuixSD poke around and let us know what
they find?

Desktop thumbnailing is a convenient feature, so it would be good if it
worked safely. Apparently GNOME is able to run the thumbnailer in a
container [2]; we should try to make sure that works.




Added tag(s) security. Request was from (Ludovic Courtès) to (Wed, 29 Aug 2018 20:34:02 GMT)

Changed bug title to '"Ghostscript and GNOME thumbnailing code execution vulnerabilities"' from 'GNOME thumbnailing code execution vulnerabilities'. Request was from Leo Famulari <> to (Mon, 25 Feb 2019 23:38:01 GMT)

Information forwarded to bug#32515; Package guix. (Mon, 25 Feb 2019 23:40:02 GMT)

Message #12 received at:

From: Leo Famulari <>
Subject: Re: GNOME thumbnailing code execution vulnerabilities
Date: Mon, 25 Feb 2019 18:39:06 -0500
Since this bug was filed, Ghostscript has received more scrutiny and
serious bugs continue to be found.

The recommendation of the researchers seems to be to disable and remove
Ghostscript unless a PostScript interpreter is actually necessary.

Barring that, we should keep our package up to date and try to make sure
the GNOME thumbnailer and other "hidden" users of Ghostscript are run in
containers.

Is anyone willing to look into the GNOME thumbnailer?

Changed bug title to 'Ghostscript and GNOME thumbnailing code execution vulnerabilities' from '"Ghostscript and GNOME thumbnailing code execution vulnerabilities"'. Request was from Leo Famulari <> to (Mon, 25 Feb 2019 23:40:02 GMT)

Reply sent to Maxime Devos <>: You have taken responsibility. (Fri, 09 Apr 2021 13:52:01 GMT)

Notification sent to Leo Famulari <>: bug acknowledged by developer. (Fri, 09 Apr 2021 13:52:01 GMT)

Message #19 received at:

From: Maxime Devos <>
Subject: Re: GNOME thumbnailing code execution vulnerabilities.
Date: Fri, 09 Apr 2021 15:51:21 +0200
Leo Famulari (26 Feb 2019) wrote:
> Since this bug was filed, Ghostscript has received more scrutiny and
> serious bugs continue to be found.

I assume you meant ‘fixed’.

> [...]
> Barring that, we should keep our package up to date

ghostscript can be updated to 9.54 (
This will require grafts due to many depending packages.
However, looking at
it seems there are no known security vulnerabilities.

evince can be updated from 3.36.5 to 40.0 according to "guix refresh",
that would be done in  think.

> and try to make sure
> the GNOME thumbnailer and other "hidden" users of Ghostscript are run in
> containers.

The thumbnailer is run in a container, using bubblewrap and seccomp:

$ guix graph --type=references gnome-desktop
> [snip]
> "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" -> "/gnu/store/jsw78nn91z34z2cm227zwjhpybx2p2lw-bubblewrap-0.4.1" [color = darkseagreen];
> "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" -> "/gnu/store/w668dl13dac6gpxvyhic21dnifrrijp6-libseccomp-2.5.1" [color = darkseagreen];
> [snip]

$ EDITOR=less guix edit gnome-desktop
> [snip]
> ("bubblewrap" ,bubblewrap)
> [snip]

$ cat ./libgnome-desktop/gnome-desktop-thumbnail-script.c:
> [snip]
> [an add_bwrap function with bind mounts and --unshare-all]
> [a setup_seccomp function]
> [snip]


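The two mechanisms this thread turns on are the thumbnailer entry that Leo's first message points at (/usr/share/thumbnailers/evince.thumbnailer, which is how a downloaded PDF or PostScript file ends up inside libgs) and the bubblewrap confinement that Maxime found in gnome-desktop's add_bwrap. The following is an added example, not code from the bug report, Guix, GNOME or evince: it parses a freedesktop .thumbnailer entry, expands the Exec= placeholders, flags entries whose MIME types would route a preview through Ghostscript, and wraps the command in a bwrap(1) invocation in the spirit of gnome-desktop's sandbox (--unshare-all, read-only binds, --die-with-parent). The sample file text, the in-sandbox paths, the list of PostScript MIME types and the bind-mount set are constructed assumptions rather than the real gnome-desktop values, and the command line assumes a bubblewrap new enough for the --ro-bind-try variants.

```python
"""Added example: parse a .thumbnailer entry and confine its Exec= command
with bubblewrap, modelled on (not copied from) gnome-desktop's add_bwrap."""

import shlex
from pathlib import PurePosixPath

# Constructed sample modelled on evince.thumbnailer; the installed file may differ.
SAMPLE_THUMBNAILER = """\
[Thumbnailer Entry]
TryExec=evince-thumbnailer
Exec=evince-thumbnailer -s %s %u %o
MimeType=application/pdf;application/postscript;image/x-eps;
"""

# Where the sandbox exposes the input file and the output directory (assumption).
SANDBOX_INPUT = "/tmp/thumbnail-input"
SANDBOX_OUTPUT_DIR = "/tmp/thumbnail-output"

# MIME types a PDF/PostScript thumbnailer hands to Ghostscript (evince uses
# libgs for these).  A heuristic list, not an exhaustive one.
POSTSCRIPT_TYPES = {"application/postscript", "image/x-eps",
                    "application/x-gzpostscript", "application/x-bzpostscript"}


def parse_thumbnailer(text):
    """Return the keys of the [Thumbnailer Entry] group; MimeType as a list."""
    entry, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Thumbnailer Entry]"
            continue
        if in_group and "=" in line:
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip()
    if "Exec" not in entry:
        raise ValueError("no Exec= key in [Thumbnailer Entry]")
    entry["MimeType"] = [m for m in entry.get("MimeType", "").split(";") if m]
    return entry


def handles_postscript(entry):
    """True if previewing one of the entry's types reaches Ghostscript."""
    return any(m in POSTSCRIPT_TYPES for m in entry["MimeType"])


def expand_exec(exec_line, input_path, output_path, size):
    """Expand %i (input path), %u (input URI), %o (output path), %s (pixel
    size) and %% inside each shell word of the Exec= line."""
    subst = {"i": input_path, "u": "file://" + input_path,
             "o": output_path, "s": str(size), "%": "%"}
    argv = []
    for word in shlex.split(exec_line):
        out, i = [], 0
        while i < len(word):
            if word[i] == "%" and i + 1 < len(word):
                code = word[i + 1]
                if code not in subst:
                    raise ValueError("unknown placeholder %" + code)
                out.append(subst[code])
                i += 2
            else:
                out.append(word[i])
                i += 1
        argv.append("".join(out))
    return argv


def sandboxed_argv(entry, host_input, host_output_dir, size=128):
    """Build a bwrap command line in which the thumbnailer sees a read-only
    system, only the one input file, a private writable output directory,
    and no network, PID, IPC or user namespace shared with the session.
    The host path never reaches the thumbnailer; it sees SANDBOX_INPUT."""
    inner_input = SANDBOX_INPUT + PurePosixPath(host_input).suffix
    inner_output = SANDBOX_OUTPUT_DIR + "/thumbnail.png"
    return [
        "bwrap",
        "--ro-bind", "/usr", "/usr",
        "--ro-bind-try", "/lib", "/lib",              # non-merged-/usr layouts
        "--ro-bind-try", "/lib64", "/lib64",
        "--ro-bind-try", "/bin", "/bin",
        "--ro-bind-try", "/gnu", "/gnu",              # Guix store, if present
        "--ro-bind-try", "/etc/ld.so.cache", "/etc/ld.so.cache",
        "--ro-bind-try", "/etc/fonts", "/etc/fonts",
        "--proc", "/proc",
        "--dev", "/dev",
        "--tmpfs", "/tmp",
        "--ro-bind", host_input, inner_input,         # the only user data visible
        "--bind", host_output_dir, SANDBOX_OUTPUT_DIR,  # the only writable path
        "--chdir", "/",
        "--unshare-all",                              # net, pid, ipc, uts, user
        "--die-with-parent",
        "--new-session",                              # no TIOCSTI back to the tty
        "--setenv", "GIO_USE_VFS", "local",
        "--unsetenv", "TMPDIR",
        "--",
        *expand_exec(entry["Exec"], inner_input, inner_output, size),
    ]


if __name__ == "__main__":
    entry = parse_thumbnailer(SAMPLE_THUMBNAILER)
    print("reaches Ghostscript:", handles_postscript(entry))
    print(shlex.join(sandboxed_argv(entry, "/tmp/in.pdf", "/tmp/out")))
```

Run as a script it prints the full bwrap command for a sample PDF; in practice the caller would hand that argv to subprocess with the output directory freshly created per job. gnome-desktop additionally installs a syscall filter through bwrap's --seccomp option (its setup_seccomp function), which this example leaves out; the namespace and mount restrictions alone already mean that a Ghostscript bug reached through a preview can write only to the output directory and cannot open sockets.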

Information forwarded to bug#32515; Package guix. (Fri, 09 Apr 2021 18:49:01 GMT)

Message #22 received at:

From: Leo Famulari <>
Subject: Re: bug#32515: GNOME thumbnailing code execution vulnerabilities.
Date: Fri, 9 Apr 2021 14:48:15 -0400
On Fri, Apr 09, 2021 at 03:51:21PM +0200, Maxime Devos wrote:
> Leo Famulari (26 Feb 2019) wrote:
> > Since this bug was filed, Ghostscript has received more scrutiny and
> > serious bugs continue to be found.
> I assume you meant ‘fixed’.

I did not mean 'fixed'. As far as I know, no work was done in Guix about
this bug.

'filed' is definitely the correct interpretation; security researchers
ignored PostScript / Ghostscript for a very long time, but it became a
popular area of research a few years ago.

Basically, Ghostscript is a decades-old C codebase implementing an even
older language specification. Caveat emptor.

Unlike some other similar codebases, like OpenSSL, the situation
regarding security researchers and vulnerability disclosure has not
really improved, as far as I can tell :/

> The thumbnailer is run in a container, using bubblewrap and seccomp:
> $ guix graph --type=references gnome-desktop
> > [snip]
> > "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" -> "/gnu/store/jsw78nn91z34z2cm227zwjhpybx2p2lw-bubblewrap-0.4.1" [color = darkseagreen];
> > "/gnu/store/82lh0zkg0jc64j7k9liz75yrzn3aqzp7-gnome-desktop-3.34.2" -> "/gnu/store/w668dl13dac6gpxvyhic21dnifrrijp6-libseccomp-2.5.1" [color = darkseagreen];
> > [snip]
> $ EDITOR=less guix edit gnome-desktop
> > [snip]
> > ("bubblewrap" ,bubblewrap)
> > [snip]
> $ cat ./libgnome-desktop/gnome-desktop-thumbnail-script.c:
> > [snip]
> > [an add_bwrap function with bind mounts and --unshare-all]
> > [a setup_seccomp function]
> > [snip]
> Closing.

Great, looks like upstream took care of it for us. There will probably
be more bugs in this area, but that's expected.

bug archived. Request was from Debbugs Internal Request <> to (Sat, 08 May 2021 11:24:04 GMT)
