Updated policy and the blog to add tumblerd support

Thanks for that, that is a needed feature, but I think the GNOME auto mounter must not mount devices if the session is locked. It should add a notification that the user could see when he unlocks the screensaver.

But confining those applications is good because the attack could be done from a trusted device using a file someone sent to the user.

Updated again.

There are a few more thumbnailers in the repository. I don't know much about programming, so I'm not sure if they are vulnerable. Here are the packages (all in Fedora repos):

raw-thumbnailer - Thumbnailer for RAW images
gnome-exe-thumbnailer - Thumbnailer for Windows exe files
gnome-nds-thumbnailer - Thumbnailer for Nintendo DS ROMS
gnome-xcf-thumbnailer - Thumbnailer for GIMP xcf files

Thank you for all your work in making Fedora more secure!

(Deleted comment)
Yes, although I am not sure all of the updates have made it to release yet.

Here is what I have:

ls -lZ /usr/bin/*thumb*
-rwxr-xr-x. root root system_u:object_r:thumb_exec_t:s0 /usr/bin/evince-thumbnailer
-rwxr-xr-x. root root system_u:object_r:thumb_exec_t:s0 /usr/bin/ffmpegthumbnailer
-rwxr-xr-x. root root system_u:object_r:thumb_exec_t:s0 /usr/bin/gnome-exe-thumbnailer.sh
-rwxr-xr-x. root root system_u:object_r:thumb_exec_t:s0 /usr/bin/gnome-nds-thumbnailer
-rwxr-xr-x. root root system_u:object_r:thumb_exec_t:s0 /usr/bin/gnome-xcf-thumbnailer
-rwxr-xr-x. root root system_u:object_r:thumb_exec_t:s0 /usr/bin/gsf-office-thumbnailer
-rwxr-xr-x. root root system_u:object_r:thumb_exec_t:s0 /usr/bin/raw-thumbnailer
-rwxr-xr-x. root root system_u:object_r:thumb_exec_t:s0 /usr/bin/shotwell-video-thumbnailer
-rwxr-xr-x. root root system_u:object_r:thumb_exec_t:s0 /usr/bin/totem-video-thumbnailer
-rwxr-xr-x. root root system_u:object_r:thumb_exec_t:s0 /usr/bin/whaaw-thumbnailer

rpm -q selinux-policy
selinux-policy-3.10.0-99.fc17.noarch
