oss-sec mailing list archives

Re: 10+ CVEs in GStreamer


From: Demi Marie Obenour <demiobenour () gmail com>
Date: Fri, 1 May 2026 10:36:09 -0400

On 4/30/26 19:59, Solar Designer wrote:
> Hi,
> The GStreamer library is used to parse multimedia files in Nautilus
> (GNOME Files), GNOME Videos, and Rhythmbox, as well as in the
> localsearch search engine (previously known as tracker-miners) developed
> by the GNOME project. This engine is installed in many distributions as
> a dependency of the tracker-extract package, which GNOME uses to
> automatically parse metadata in new files. Among other things, this
> service indexes all files in the user's home directory without any user
> interaction. Therefore, to perform an attack, simply create a specially
> crafted multimedia file in the user's home directory, and the
> vulnerability will be exploited during its automatic indexing.
>
> In most GNOME distributions, localsearch components (tracker-miners) are
> enabled by default and loaded as a hard dependency of the Nautilus file
> manager (GNOME Files). Starting with GNOME 46, the localsearch process
> runs in sandbox isolation. To disable metadata extraction, you can
> delete the rules files from the /usr/share/localsearch3/extract-rules/
> or /usr/share/tracker3-miners/extract-rules/ directory.
>
> I don't know how good or not the mentioned "sandbox isolation" is, I'd
> welcome comments on the risks involved and potential further hardening.
>
> Alexander

Last I checked, the sandbox was not very good.  In particular, there
were seccomp rules that were thread-scoped rather than process-scoped,
allowing for sandbox escape.  It might have improved, though.

My current opinion is that it is possible to create a truly strong
sandbox on Linux that is nearly as good as hardware virtualization.
However, doing so requires severely limiting the number of system
calls available.  The attack surface is then mostly limited to memory
management, which KVM also has to some degree.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
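Added example, not part of the thread and not code from GStreamer or localsearch: a small C program showing the thread-scoping issue described above. A filter installed with seccomp(2) applies only to the calling thread unless SECCOMP_FILTER_FLAG_TSYNC is passed, so a sandbox that installs its filter from one thread while another thread already exists leaves that other thread with the full syscall table. The blocked syscall (getppid) and the EPERM response are arbitrary demo choices; each experiment runs in a forked child so filters do not accumulate in the caller.

```c
/* Added example (not from the oss-sec thread): a seccomp filter installed
 * without SECCOMP_FILTER_FLAG_TSYNC is thread-scoped, so a thread that
 * already exists when the sandbox engages keeps the full syscall table.
 * Demo assumptions: getppid(2) is the blocked syscall, EPERM the response. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U /* pre-4.14 uapi headers */
#endif

/* Make getppid(2) fail with EPERM in the calling thread and, only when
 * tsync is nonzero, in every other thread of the process as well.
 * Returns 0 on success, -1 (errno set) if filters cannot be installed. */
static int install_getppid_filter(int tsync)
{
    struct sock_filter prog[] = {
        /* Kill the process if the syscall ABI is not the one we filter for. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* getppid -> EPERM, everything else -> allow. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getppid, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof prog / sizeof prog[0], .filter = prog };

    /* Unprivileged processes may only install filters after no_new_privs. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    unsigned int flags = tsync ? SECCOMP_FILTER_FLAG_TSYNC : 0;
    return (int)syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, flags, &fprog);
}

struct helper { int go_fd; int err; };

/* Waits for a byte on the pipe (i.e. until the filter is installed), then
 * tries the filtered syscall and records errno (0 if it succeeded). */
static void *helper_thread(void *arg)
{
    struct helper *h = arg;
    char c;
    (void)read(h->go_fd, &c, 1);
    errno = 0;
    h->err = (getppid() == -1) ? errno : 0;
    return NULL;
}

/* Runs one experiment in a forked child so filters never accumulate here.
 * Returns 1 if the other thread's getppid was blocked, 0 if it still
 * succeeded, -1 if seccomp filters are unavailable in this environment. */
static int other_thread_blocked(int tsync)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int fds[2];
        pthread_t tid;
        struct helper h = { .err = 0 };
        if (pipe(fds) != 0) _exit(3);
        h.go_fd = fds[0];
        /* The helper exists before the filter is installed. */
        if (pthread_create(&tid, NULL, helper_thread, &h) != 0) _exit(3);
        int rc = install_getppid_filter(tsync);
        (void)write(fds[1], "x", 1);   /* release the helper */
        pthread_join(tid, NULL);
        if (rc != 0) _exit(2);
        errno = 0;                     /* the installing thread is always filtered */
        if (getppid() != -1 || errno != EPERM) _exit(3);
        _exit(h.err == EPERM ? 1 : 0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    switch (WEXITSTATUS(status)) { case 0: return 0; case 1: return 1; default: return -1; }
}

int main(void)
{
    int plain = other_thread_blocked(0), synced = other_thread_blocked(1);
    if (plain < 0 || synced < 0) {
        puts("seccomp filters cannot be installed here; nothing to show");
        return 1;
    }
    printf("filter without TSYNC: other thread blocked = %d\n", plain);
    printf("filter with    TSYNC: other thread blocked = %d\n", synced);
    return 0;
}
```

Build with `cc -pthread demo.c -o demo` on a Linux kernel with CONFIG_SECCOMP_FILTER; without TSYNC the helper thread's getppid still succeeds, with TSYNC it fails with EPERM. The same holds for a real sandbox: any thread (or thread pool) created before the filter is installed without TSYNC is outside it, which is the escape route mentioned above.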
