Sandbox the tracker extractor
Bug #1648921 reported by Jeremy Bícha
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Tracker | Fix Released | High | |
tracker (Ubuntu) | Fix Released | High | Unassigned |
Xenial | Won't Fix | High | Unassigned |
Yakkety | Won't Fix | High | Unassigned |
Bug Description
* SECURITY UPDATE: extractor now runs in a sandbox confined by libseccomp
  - extractor's filesystem and network access is limited to being read and
    local only (LP: #1648921)
  - No CVE number
The tracker developers have recently confined their extractor to attempt to make tracker more resilient to attacks, especially involving flaws in gstreamer parsers.
There is no CVE number assigned to this issue.
https:/
https:/
The gstreamer security fixes are being handled separately. See bug 1619600.
Changed in tracker: | |
importance: | Unknown → High |
status: | Unknown → Fix Released |
description: | updated |
description: | updated |
information type: | Public → Public Security |
description: | updated |
tags: | added: xenial yakkety zesty |
Changed in tracker (Ubuntu): | |
status: | New → Fix Released |
Changed in tracker (Ubuntu Yakkety): | |
status: | New → In Progress |
Changed in tracker (Ubuntu): | |
importance: | Undecided → High |
Changed in tracker (Ubuntu Yakkety): | |
importance: | Undecided → High |
Changed in tracker (Ubuntu Xenial): | |
importance: | Undecided → High |
Changed in tracker (Ubuntu Yakkety): | |
status: | Fix Committed → Won't Fix |
tracker was not included by default in any Ubuntu 12.04 flavor and libseccomp is only available in backports there.
I don't intend to try to backport this change for Ubuntu 14.04 either. Ubuntu GNOME 14.04 has only a few months of support left. I don't feel it's worth the work to try to make these changes there.