Slashdot Mirror


Ubuntu and CentOS Are Undoing a GNOME Security Feature (bleepingcomputer.com)

An anonymous reader writes: Current versions of Ubuntu and CentOS are disabling a security feature that was added to the GNOME desktop environment last year. The feature's name is Bubblewrap, which is a sandbox environment that the GNOME Project added to secure GNOME's thumbnail parsers in July 2017, with the release of GNOME 3.26. In recent years, security researchers have proven that thumbnail parsers can be an attack vector [1, 2, 3].

Ubuntu Security Tech Lead Alex Murray said the Ubuntu team chose to disable Bubblewrap inside Ubuntu because they did not have the time to perform a security audit. Murray blamed the many CPU bugs (Spectre, Meltdown, etc.), which kept the team busy and prevented them from auditing the feature.

4 of 66 comments

  1. Good by Aighearach · Score: 4, Insightful

    The last thing we need is additional layers of minimally-tested software promising to protect people.

  2. Doesn't seem very controversial by Xylantiel · Score: 4, Insightful

    So a new security feature isn't getting wider distribution (yet) because there weren't enough resources to get it ready. This just doesn't seem very controversial.

    1. Re:Doesn't seem very controversial by Aighearach · Score: 4, Interesting

      We won't know if it is really a security feature unless somebody audits the code.

      Code that is not a security feature, but thinks it is, is even more dangerous than an unpatched bug.

      It doesn't seem controversial because you didn't understand it yet. Keep trying. When you understand the controversy, that's when you'll have started understanding the controversy.

  3. I got excited because I thought this was about by Anonymous Coward · Score: 5, Funny

    removing systemd.