apparmor profile needs review/improvement

Bug #1330430 reported by Klaus Bielke
This bug affects 2 people
Affects: evince (Ubuntu)
Status: Fix Released
Importance: Low
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

Apparmor rules for evince forbid opening a PDF from an external drive mounted under /media/… unless its filename ends in '.pdf'.
The same file will be opened if it is copied to /home/… or renamed to a filename ending in '.pdf' on the external drive.
See bugs #1096837 and #1327161.

On a GNU/Linux system like Ubuntu these rules are useless because filetype is not determined by an extension. Checking the filename adds no security. It smells like snake oil to me.

Please review the apparmor profile. On a GNU/Linux system, opening a PDF should not be denied based on filename.

This bug affects Ubuntu versions 14.04 LTS, 12.04 LTS and 10.04 LTS.

Tags: apparmor


Klaus Bielke (k-bielke)
description: updated
information type: Private Security → Public
description: updated
tags: added: apparmor
Changed in evince (Ubuntu):
importance: Undecided → Low
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in evince (Ubuntu):
status: New → Confirmed
Sergio Gelato (sergio-gelato) wrote :

Other suffixes are affected besides .pdf. I've just spotted some incidents in my logs involving denied read attempts on .epsi, .ps2 and suffixless application/postscript files. Since .epsi is listed as valid in /etc/mime.types I've now added the following to /etc/apparmor.d/local/usr.bin.evince and verified that it allowed .epsi files to be opened:

  /**.[eE][pP][sS][fFiI23] rw,

However, one could argue that file types can and should be detected based on the file's content, not on its name.
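
Added example (not part of the bug report or the evince package): a Python sketch that takes AppArmor denial lines and reports which denied paths the local rule quoted in the comment above would cover. The audit lines are constructed, the function names are hypothetical, and the glob translation handles only `**`, `*`, `?` and `[...]`.

```python
import re

# Rule quoted in the comment above, as added to /etc/apparmor.d/local/usr.bin.evince.
RULE_GLOB, RULE_PERMS = "/**.[eE][pP][sS][fFiI23]", "rw"

# Constructed audit lines for illustration (not taken from the bug report).
_FMT = ('audit: type=1400 audit(1402900000.{n}:{n}): apparmor="DENIED" operation="open" '
        'profile="/usr/bin/evince" name="{path}" pid=4321 comm="evince" '
        'requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000')
SAMPLE_PATHS = ["/media/usb/figure.epsi", "/media/usb/plot.ps2",
                "/media/usb/scan", "/media/usb/DIAGRAM.EPS3"]
SAMPLE_LOG = "\n".join(_FMT.format(n=i, path=p) for i, p in enumerate(SAMPLE_PATHS, 100))

DENIAL_RE = re.compile(
    r'apparmor="DENIED".*?profile="(?P<profile>[^"]+)"'
    r'.*?name="(?P<name>[^"]+)".*?denied_mask="(?P<mask>[^"]+)"')

def aa_glob_to_regex(glob):
    """Translate an AppArmor path glob (subset) into an anchored regex.

    '**' matches any characters including '/', '*' and '?' do not cross '/',
    [...] is a character class; every other character is literal.
    """
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*"); i += 2; continue
        c = glob[i]
        if c == "[":
            end = glob.index("]", i)
            out.append(glob[i:end + 1]); i = end + 1; continue
        out.append("[^/]*" if c == "*" else "[^/]" if c == "?" else re.escape(c))
        i += 1
    return re.compile("".join(out) + r"\Z")

def triage(log_text, glob=RULE_GLOB, perms=RULE_PERMS, profile="/usr/bin/evince"):
    """Map each path denied for `profile` to True if the rule would allow it."""
    rule = aa_glob_to_regex(glob)
    covered = {}
    for m in DENIAL_RE.finditer(log_text):
        if m["profile"] != profile:
            continue
        # Covered only if the path matches and every denied permission is granted.
        covered[m["name"]] = bool(rule.match(m["name"])) and set(m["mask"]) <= set(perms)
    return covered

if __name__ == "__main__":
    for path, ok in triage(SAMPLE_LOG).items():
        print("covered     " if ok else "still denied", path)
```

On the constructed input the .epsi and .EPS3 paths are covered, while the .ps2 and suffixless paths are not matched by this rule.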

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package evince - 3.10.3-0ubuntu15

---------------
evince (3.10.3-0ubuntu15) utopic; urgency=medium

  * debian/apparmor-profile:
    - allow site-wide dconf. Thanks to Lars Masden. (LP: #1355804)
    - allow read/write to files we own in /media (LP: #1096837)
    - allow read/write to files we own in /run/user/1000/at-spi2-*
      (LP: #1308488)
    - allow 'l' to /run/user/*/gvfs-metadata/** (LP: #1344810)
    - allow read/write of @{HOME}/.cache/dconf/user (LP: #1024605)
  * debian/apparmor-profile.abstraction:
    - allow read of /etc/xdg/lubuntu/applications/defaults.list (LP: #1290157,
      LP: #1299239)
    - allow read of /**.[eE][pP][sS][fFiI23] (LP: #1330430)
 -- Jamie Strandboge <email address hidden> Tue, 12 Aug 2014 14:30:43 -0500

Changed in evince (Ubuntu):
status: Confirmed → Fix Released