Slashdot Mirror


Ubuntu and CentOS Are Undoing a GNOME Security Feature (bleepingcomputer.com)

An anonymous reader writes: Current versions of Ubuntu and CentOS are disabling a security feature that was added to the GNOME desktop environment last year. The feature's name is Bubblewrap, which is a sandbox environment that the GNOME Project added to secure GNOME's thumbnail parsers in July 2017, with the release of GNOME 3.26. In recent years, security researchers have proven that thumbnail parsers can be an attack vector [1, 2, 3].

Ubuntu Security Tech Lead Alex Murray said the Ubuntu team chose to disable Bubblewrap inside Ubuntu because they did not have the time to perform a security audit. Murray blamed the many CPU bugs (Spectre, Meltdown, etc.), which kept the team busy and prevented them to audit the feature.

66 comments

  1. Good by Aighearach · · Score: 4, Insightful

    The last thing we need is additional layers of minimally-tested software promising to protect people.

    1. Re:Good by vux984 · · Score: 1

      I mean, it's really GOOD that Ubuntu wants to test it themselves. But I'm not sure why disabling it until you can test it is more sensible than leaving it enabled until you can test it.

      Given we *know* that it's vulnerable without it.

    2. Re:Good by Aighearach · · Score: 2

      Because the sandbox can screw up and eat your cat at any time.

      The vulnerability it protects against happens when you're rebuilding an installer package locally. Building the installer can cause it to run naughty javascript that might be hidden in the code related to icons. Most users would never ever run this. Very few users are rebuilding packages that they're not involved in maintaining.

      But if the new sandbox has security bugs, they could hit regular users who never even tried to rebuild a package.

    3. Re:Good by Anonymous Coward · · Score: 0

      No, the problem it protects against is in creating thumbnails of pictures and videos using gstreamer. A specially crafted media file can break gstreamer and start executing code. It's this executing code that needs to be sandboxed.

    4. Re:Good by Anonymous Coward · · Score: 0

      You mean like Windows 10?

    5. Re:Good by cyn1c77 · · Score: 1

      The last thing we need is additional layers of minimally-tested software promising to protect people.

      I don't understand why you would think that?

      It works so well for the TSA!

  2. Blame the hardware! by Tehrasha · · Score: 1

    Let's blame CPU hardware bugs, which we cannot do anything about, for our inability to secure our own software.

    1. Re:Blame the hardware! by Aighearach · · Score: 2

      You seem a little confused about the impact here. They're removing it because having it there makes things less secure, while promising security. That is dangerous.

      You seem a bit confused about the dangers.

    2. Re:Blame the hardware! by Tehrasha · · Score: 0

      No, they removed it because they didn't take the time to test its security, and blamed it on the time spent dealing with a hardware insecurity issue.

    3. Re:Blame the hardware! by thegarbz · · Score: 2

      Let's blame CPU hardware bugs, which we cannot do anything about, for our inability to secure our own software.

      You do realise it's about securing other people's software right?

    4. Re:Blame the hardware! by Aighearach · · Score: 1

      Did you consider the question, "Why would they need to test its security?" Does not testing security, when you know you need to do it, create a security risk?

      How can you point at "because they didn't take the time to test its security" and not also arrive at, "If they don't have time to test the security, then including it would be a risk?"

      You jump from them not having time, to their excuse about why they didn't have time, without considering the actual effect of not having enough time. It doesn't matter why they didn't have time, that has nothing at all to do with the implications of not having enough time.

    5. Re:Blame the hardware! by Anonymous Coward · · Score: 0

      It's not like the Ubuntu/CentOS teams wrote this software and knew it was buggy. It is part of GNOME. Surely Ubuntu doesn't audit the entire GNOME desktop?

    6. Re: Blame the hardware! by Midnight+Thunder · · Score: 1

      It is probably along the lines of a badly tested bug fix, where any bug fix can introduce unknown side effects, especially if it is a large one?

      Since everything about fixing issues is down to a risk analysis, it could be argued that in the current state we know the risks, while the new security architecture introduces unknowns. Those unknowns could be worse than the previous state.

      This approach is also a way of pushing back the onus of proving it secure to the Gnome developers.

      --
      Jumpstart the tartan drive.
  3. Who runs Gnome anyway? by Anonymous Coward · · Score: 0

    Both Gnome and KDE are bloated beyond repair... Odd thing is that with bloat usually comes flexibility. With Gnome and KDE it is the other way around, they bloat like a dead badger on the highway but every release makes it harder and harder to get them to work like you want them. Thank god for OpenBox!

    1. Re:Who runs Gnome anyway? by renegadesx · · Score: 2

      I have always found KDE very flexible.

      --
      Make SELinux enforcing again!
  4. Doesn't seem very controversial by Xylantiel · · Score: 4, Insightful

    So a new security feature isn't getting wider distribution (yet) because there weren't enough resources to get it ready. This just doesn't seem very controversial.

    1. Re:Doesn't seem very controversial by Aighearach · · Score: 4, Interesting

      We won't know if it is really a security feature unless somebody audits the code.

      Code that is not a security feature, but thinks it is, is even more dangerous than an unpatched bug.

      It doesn't seem controversial because you didn't understand it yet. Keep trying. When you understand the controversy, that's when you'll have started understanding the controversy.

    2. Re:Doesn't seem very controversial by dcollins117 · · Score: 1

      This just doesn't seem very controversial.

      That's the point. If you have secrets, don't put them on a computer.

    3. Re:Doesn't seem very controversial by Anonymous Coward · · Score: 3, Insightful

      When you understand the controversy, that's when you'll have started understanding the controversy.

      The first rule of tautology club is the first rule of tautology club.

    4. Re:Doesn't seem very controversial by Anonymous Coward · · Score: 0

      The second rule of tautology club... ... ... ...
      is the second rule of tautology club!

    5. Re:Doesn't seem very controversial by Anonymous Coward · · Score: 0

      Can't fix their attack vector

  5. The feature isn't called bubblewrap by Anonymous Coward · · Score: 2, Informative

    This doesn't have really much to do with bubblewrap on its own. What this has to do with is GNOME running thumbnail generating software within bubblewrap. However there are issues with this, if a user is already running some gnome software inside of a container or something already using bubblewrap, you can't run multiple levels of it.

    The real question that needs to be asked though, who the hell is still using GNOME?

    1. Re:The feature isn't called bubblewrap by zwarte+piet · · Score: 1

      Em, the Cinnamon developers of course.

    2. Re:The feature isn't called bubblewrap by fph+il+quozientatore · · Score: 1

      Well, it's not like it's the default desktop environment in the most popular Linux distribution, right?

      --
      My first program:

      Hell Segmentation fault

    3. Re:The feature isn't called bubblewrap by Anonymous Coward · · Score: 0

      You mean the GUI that is running on all of those Ubuntu systems that someone logged into once when they were setting up the VM and never bothered to log out of?

    4. Re:The feature isn't called bubblewrap by Anonymous Coward · · Score: 1

      MATE != GNOME.

    5. Re:The feature isn't called bubblewrap by sconeu · · Score: 1

      Ubuntu Bionic (18.04). They dropped Unity and went back to GNOME.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    6. Re:The feature isn't called bubblewrap by KiloByte · · Score: 2

      Which is an outright sabotage: with Windows getting weak, we could pull in a good part of Windows users had we defaulted to a usable desktop. No experienced user uses GNOME -- including even GNOME devs (they develop it from OS X) -- so the non-technical user suffers from software that's not even dogfooded.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    7. Re:The feature isn't called bubblewrap by Anonymous Coward · · Score: 0

      including even GNOME devs (they develop it from OS X)
      WHAT THE FUCK?

      Seriously? Do you have a citation on that? Or more details I could read? Because that is the most damning indictment ever and I would be amused to read more about it.

    8. Re:The feature isn't called bubblewrap by Anonymous Coward · · Score: 0

      But they forked it along with the last working versions of some useful packages, as the Gnomes have been doing their 2-ft high evil to much of the codebase. Now the Gnomes want to thumbnail inside a sandbox (sounds like a plot for a very twisted pron flick). Cinnamon may have its basis in Gnome, but has evolved much further - along with MATE, the other cousin in the family which even has wobbly windows. Two desktops that began in the Gnome Garden, but escaped, got clean, repented of their evil ways and are today among the top choices. KDE is bloatware - I like the description "bloat like a dead badger on the highway" in another post here. Many of the 'light' desktops lack enough power / features to be useful.

    9. Re:The feature isn't called bubblewrap by Anonymous Coward · · Score: 0

      That was a fun jab at Gnome devs a few years ago.

      Personally I suspect them of mainly developing on recent laptops with Intel CPU/GPU, hence onerous requirements. Naturally such hip devs will have a maxed out RAM and an SSD on their laptop - they ought to anyway.
      Good probability to have a fucking Apple laptop (maxed out to 16GB RAM). I guess they're North American and Northern European software devs so that's pocket change for them.
      What's more they can always ssh into a 128GB or better machine on the Internet or network.
      So they don't understand their users are deplorables with 2GB RAM, older 5400 rpm HDD, and such.

    10. Re:The feature isn't called bubblewrap by KiloByte · · Score: 1

      Can't seem to find a good reference (it's late and I got work to do), but I recall an article that claimed more than a half of core devs either run OS X exclusively with at most VMs, or at least dual-boot with OS X as primary.

      But, so my words are not completely unbacked, here's the creator of GNOME.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    11. Re:The feature isn't called bubblewrap by blackpaw · · Score: 1

      You can still install Unity on bionic, it isn't terrible. For me, one of the very few desktops that has a usable vertical tool bar for dual widescreen monitors.

    12. Re: The feature isn't called bubblewrap by Anonymous Coward · · Score: 0

      yes, totally ivory tower devs with assumed fast always on connectivity

    13. Re:The feature isn't called bubblewrap by Anonymous Coward · · Score: 0

      gnome-flashback is pretty damn good (MATE is alright too; if more buggy and bloated)

      XFCE and many other desktops and apps make use of the GNOME libraries.

    14. Re: The feature isn't called bubblewrap by houghi · · Score: 1

      I use GNOME to show friends when talking about Linux. That way they stay with Windows and do not bother me when these mere mortals need troubleshooting.

      --
      Don't fight for your country, if your country does not fight for you.
    15. Re:The feature isn't called bubblewrap by Anonymous Coward · · Score: 0

      I seriously doubt a single GNOME developer from the main team is using OSX as its platform.

      Miguel de Icaza may have started the project 20 years ago, but he's not involved with the project anymore. In fact he's not a Linux user anymore. Last time I read something about him, he was joining Microsoft.

    16. Re:The feature isn't called bubblewrap by Anonymous Coward · · Score: 1

      we could pull in a good part of Windows users

      Will someone rid me of this meddlesome delusion? Seriously, it's just inane to believe this. The reason Linux desktop will never push out Windows is that most of the useful shit in the world simply has no Linux counterpart and there's no "good part of Windows users" who want to run VMs all the time.

  6. Why sandbox it? by ArchieBunker · · Score: 1

    How about a thorough audit of the code? Nah slap a band aid on some shitty code with more shitty code.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
    1. Re:Why sandbox it? by Aighearach · · Score: 2

      It seems obvious, but if there aren't enough available hours to audit the sandbox, there are even fewer available to individually audit all the code that would run inside the sandbox.

      And most of that code has been in the wild for a long time and is pretty stable. (Stable means unchanging in software) So it is less likely to be dangerous than newer code, that hasn't been in the wild for long, and isn't yet stable.

    2. Re:Why sandbox it? by Anonymous Coward · · Score: 0

      Because modern computers have more resources so we need to make sure we use as many resources as possible. Secure code doesn't use as many resources as a virtual environment, therefore it isn't as good.

    3. Re:Why sandbox it? by Anonymous Coward · · Score: 0

      It is gnome code, getting it to pass an audit is most likely impossible. The Gnome community even managed to drive one of Linus's (I hate C++) pet projects (Subsurface I think) from Gtk (C) to Qt (C++) by being unable to help the developers with even simple tasks, sometimes with the note that a feature may not work and had no maintainer at it for years.

    4. Re: Why sandbox it? by Anonymous Coward · · Score: 0

      See here:

      https://www.phoronix.com/scan.php?page=news_item&px=MTU2ODM

  7. Re:Linux is stupid by zwarte+piet · · Score: 1

    Windows are for watching outside.

  8. Undoing != Disabling by Anonymous Coward · · Score: 1

    Are they UNDOING it, by removing the code? Or are they simply disabling it, by assertion of a flag?

    Enquiring minds want to know..

  9. I got excited because I thought this was about by Anonymous Coward · · Score: 5, Funny

    removing systemd.

  10. Did I miss something? by Anonymous Coward · · Score: 0

    Are Ubuntu and Red Hat seriously going to say they've audited everything else? Otherwise the excuse is BS.

    There's a TON of crap in 'modern' distros. Smells an awful lot like they didn't want Gnome pushing a sandbox solution that isn't theirs (flatpak). Both Ubuntu and RH have their own. It is interesting at least in the patch version I've seen, the sandbox is more like a chroot. They aren't actually dropping any privileges nor restrictions. Red Hat copyright too.

  11. Re:Linux is stupid by Anonymous Coward · · Score: 1

    and peeking inside heh heh heh

  12. Re:Want a secure Linux, Un-Install Gnome 3 by Anonymous Coward · · Score: 0

    so's ur mom, but no one is calling for your uninstallation....yet.

  13. Use Devuan by walterbyrd · · Score: 0

    I am using it right now. Works great.

    I used to love Gnome, Ubuntu, and CentOS, now they all suck.

    1. Re: Use Devuan by Anonymous Coward · · Score: 0

      +1

    2. Re: Use Devuan by Anonymous Coward · · Score: 0

      slack here!

  14. Remember when.... by gerald.edward.butler · · Score: 1

    Everyone used to bitch about PulseAudio? Pepperidge-Fa'm 'members!

    1. Re:Remember when.... by Anonymous Coward · · Score: 0

      That's because Pulse Audio made it easier to fix problems. Sound not working? (sudo apt-get autoremove pulseaudio) fixes it every time.

  15. Just ditch it by OneHundredAndTen · · Score: 1

    Gnome is good for consuming resources and for making it difficult to get anything done. Just ditch it.

    1. Re:Just ditch it by Anonymous Coward · · Score: 0

      I would use it, if I could afford 16GB RAM and SSD.
      For now I've never tried it except 1 minute at Gnome 3.2 on an old PC running nothing. Unless their pitch is "look, you can run three firefox tabs and two terminals, at the same time!"

  16. If Only by jmccue · · Score: 1

    If only there was an option to enable/disable this feature :)

  17. UBUNTU is CANCER by Anonymous Coward · · Score: 0

    Stick with the crooks you already know about: Micrapsoft

  18. Re:Linux is stupid by Anonymous Coward · · Score: 0

    Because I want a computer that is stable, secure and doesn't spy on me.

  19. Re:Linux is stupid by Anonymous Coward · · Score: 0

    ...or decide that it wants to reboot even if I'm busy on it.

  20. The job of an editor is to edit. by Anonymous Coward · · Score: 0

    EDIT the submissions.

    "which kept the team busy and prevented them to audit the feature."

    "which kept the team busy and prevented them from auditing the feature."

    I know msmash is agenda driven but Jeez, this summary was bland and straightforward. Do your basic job.

  21. CentOS by Anonymous Coward · · Score: 0

    You truly get what you pay for.

  22. sounds like... by Anonymous Coward · · Score: 0

    It sounds like you are arguing against the shitty Band-aid because the shitty scab of code is fine.