Opened 7 months ago
Closed 7 months ago
#18652 closed enhancement (fixed)
tracker-miners3-3.6.1
| Reported by: | Bruce Dubbs | Owned by: | Douglas R. Reno |
|---|---|---|---|
| Priority: | normal | Milestone: | 12.1 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: |
Description
New point version.
Change History (4)
comment:1 by , 7 months ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:2 by , 7 months ago
comment:3 by , 7 months ago
This release does fix a security vulnerability if the optional external dependency 'libcue' is installed:
https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/
https://gitlab.gnome.org/GNOME/tracker-miners/-/issues/277
If that package is installed, it's a one click remote code execution issue.
The original issue isn't in tracker-miners - however it does escape the seccomp sandbox that tracker-miners runs in, so we should expect a CVE for that soon. This version of tracker-miners fixes that sandbox escape.
Some of the tests fail now so I've put a comment in the book to that effect. Upstream is aware of those, but the package itself seems to function correctly
comment:4 by , 7 months ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
NEW in 3.6.1 - 2023-09-28 ========================= * Avoid the special thread in tracker-extract-3, and extend the seccomp jail to the full process. Translations: eo