Opened 16 months ago
Closed 16 months ago
#18715 closed defect (fixed)
Fix tracker-miners crash on all architectures after the fix for CVE-2023-5557 (released in tracker-miners-3.6.1)
Reported by: | Douglas R. Reno | Owned by: | Douglas R. Reno |
---|---|---|---|
Priority: | normal | Milestone: | 12.1 |
Component: | BOOK | Version: | git |
Severity: | critical | Keywords: | |
Cc: |
Description
After installing tracker-miners-3.6.1 on a 32-bit system, it will crash due to a seccomp sandbox violation.
CVE-2023-5557 has been assigned for the sandbox escape vulnerability that was fixed in tracker-miners-3.6.1. This sandbox escape vulnerability has been exploited at least once.
I'm currently working with upstream to get this problem resolved, but I'm filing a ticket to make it easier to track and for the changelog.
This problem originally shows up in the tests, but happens if you kick tracker-miners off by opening Nautilus as well (or download a file while GNOME is open). Here are the results of a test of 3.6.1 in comparison to 3.6.0:
3.6.1
Summary of Failures:
18/74 tracker-miners:extractor+audio / mp3-id3v2.4-1 FAIL 0.80s exit status 1
19/74 tracker-miners:extractor+desktop / application FAIL 0.78s exit status 1
20/74 tracker-miners:extractor+audio / mp3-id3v2.3-empty-artist-album FAIL 0.86s exit status 1
21/74 tracker-miners:extractor+images / bmp-basic-1 FAIL 0.78s exit status 1
22/74 tracker-miners:extractor+audio / mp3-id3v2.4-2 FAIL 0.87s exit status 1
23/74 tracker-miners:extractor+desktop / link-wikipedia-tracker FAIL 0.86s exit status 1
26/74 tracker-miners:extractor+office / abw-1 FAIL 1.04s exit status 1
29/74 tracker-miners:extractor+images / ico-basic-1 FAIL 1.05s exit status 1
30/74 tracker-miners:extractor+images / jpeg-region-of-interest FAIL 1.28s exit status 1
31/74 tracker-miners:extractor+images / jpeg-basic FAIL 1.29s exit status 1
32/74 tracker-miners:extractor+images / jpeg-gps-location FAIL 1.29s exit status 1
33/74 tracker-miners:extractor+audio / vorbis-musicbrainz FAIL 1.33s exit status 1
34/74 tracker-miners:extractor+images / gif-comment-extension-block FAIL 1.29s exit status 1
35/74 tracker-miners:extractor+audio / flac-musicbrainz FAIL 1.34s exit status 1
36/74 tracker-miners:extractor+images / png-basic FAIL 0.81s exit status 1
37/74 tracker-miners:extractor+images / raw-cr2 FAIL 1.02s exit status 1
38/74 tracker-miners:extractor+images / tiff-basic FAIL 1.03s exit status 1
39/74 tracker-miners:extractor+images / gif-xmp FAIL 1.07s exit status 1
40/74 tracker-miners:extractor+images / png-region-of-interest FAIL 1.05s exit status 1
42/74 tracker-miners:extractor+playlists / playlist-test-1 FAIL 0.82s exit status 1
43/74 tracker-miners:extractor+office / office-doc FAIL 0.83s exit status 1
44/74 tracker-miners:extractor+office / epub-doc-1 FAIL 0.86s exit status 1
45/74 tracker-miners:extractor+office / powerpoint FAIL 0.91s exit status 1
46/74 tracker-miners:extractor+office / oasis-doc FAIL 0.94s exit status 1
47/74 tracker-miners:extractor+office / office-xml-doc-1 FAIL 0.93s exit status 1
48/74 tracker-miners:extractor+office / pdf-doc FAIL 0.75s exit status 1
49/74 tracker-miners:extractor+office / pptx-presentation-1 FAIL 0.59s exit status 1
50/74 tracker-miners:extractor+office / ps-doc FAIL 0.70s exit status 1
51/74 tracker-miners:extractor+office / pdf-encrypted FAIL 0.72s exit status 1
52/74 tracker-miners:extractor+office / xlsx-spreadsheet-1 FAIL 0.73s exit status 1
53/74 tracker-miners:extractor+office / ps-doc-atend FAIL 0.91s exit status 1
54/74 tracker-miners:extractor+office / psgz-doc FAIL 1.09s exit status 1
55/74 tracker-miners:extractor+video / mkv-basic FAIL 1.03s exit status 1
56/74 tracker-miners:extractor+office / html-1 FAIL 1.06s exit status 1
57/74 tracker-miners:extractor+video / mov-basic FAIL 0.92s exit status 1
58/74 tracker-miners:extractor+office / xps-doc-1 FAIL 1.06s exit status 1
59/74 tracker-miners:extractor+video / mp4-basic FAIL 0.78s exit status 1
60/74 tracker-miners:extractor+video / mp4-video-without-audio FAIL 1.05s exit status 1
61/74 tracker-miners:functional / test_miner_basic FAIL 14.77s exit status 1
62/74 tracker-miners:functional / test_cli FAIL 22.91s exit status 1
63/74 tracker-miners:functional / test_fts_stopwords FAIL 23.89s exit status 1
64/74 tracker-miners:functional / test_fts_file_operations FAIL 23.95s exit status 1
65/74 tracker-miners:functional / test_extractor_decorator FAIL 24.63s exit status 1
66/74 tracker-miners:functional / test_fts_basic FAIL 25.29s exit status 1
68/74 tracker-miners:functional / test_miner_removable_media FAIL 22.91s exit status 1
69/74 tracker-miners:functional / test_miner_resource_removal FAIL 21.85s exit status 1
70/74 tracker-miners:functional / test_writeback_images FAIL 21.36s exit status 1
71/74 tracker-miners:functional / test_writeback_audio FAIL 22.99s exit status 1
74/74 tracker-miners:miner-fs+slow / miner-miner-fs TIMEOUT 180.10s killed by signal 15 SIGTERM
Ok: 25 Expected Fail: 0 Fail: 48 Unexpected Pass: 0 Skipped: 0 Timeout: 1
3.6.0
Ok: 74 Expected Fail: 0 Fail: 0 Unexpected Pass: 0 Skipped: 0 Timeout: 0
A coredump isn't too helpful at the moment as it only says vsyscall_handler for the function name, but does not give the actual syscall that triggered the violation. I'll be installing strace to get more information since tracker-miner's SIGSYS handler is not functional at the moment.
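How a SIGSYS handler can name the syscall a seccomp filter rejected, which is the detail the description says the coredump lacks. This is an added example, not code from tracker-miners or from the BLFS patch; `TRAPPED_NR`, `seen_nr`, `on_sigsys` and `trapped_syscall_seen` are names made up here, and the filter leaves out the `seccomp_data.arch` check that a production filter needs.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifdef SYS_chmod
#define TRAPPED_NR SYS_chmod    /* the syscall named in this ticket */
#else
#define TRAPPED_NR SYS_fchmodat /* architectures that have no chmod syscall */
#endif

static volatile sig_atomic_t seen_nr = -1; /* hypothetical name: last trapped syscall */

/* SIGSYS handler: for a seccomp trap, si_syscall holds the rejected syscall number. */
static void on_sigsys(int sig, siginfo_t *si, void *uctx) {
    (void)sig; (void)uctx;
    seen_nr = si->si_syscall;
}

/* Install a filter that traps only TRAPPED_NR, issue that syscall, and return
 * the number the handler recorded (-1 if seccomp filters are unavailable).
 * The filter stays in place for the rest of the process. */
int trapped_syscall_seen(void) {
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TRAPPED_NR, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),  /* match: raise SIGSYS */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), /* anything else runs */
    };
    struct sock_fprog prog = { .len = 4, .filter = f };
    struct sigaction sa = { .sa_sigaction = on_sigsys, .sa_flags = SA_SIGINFO };
    if (sigaction(SIGSYS, &sa, NULL) != 0) return -1;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) return -1;
    syscall(TRAPPED_NR, 0, 0, 0); /* trapped before it runs; arguments are never used */
    return seen_nr;
}

int main(void) {
    printf("SIGSYS reported syscall %d (expected %d)\n",
           trapped_syscall_seen(), (int)TRAPPED_NR);
    return 0;
}
```

The number reported is architecture-specific, so it has to be read together with `si_arch` when comparing results from i686, aarch64 and other builds.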
Change History (6)
comment:1 by , 16 months ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:2 by , 16 months ago
comment:3 by , 16 months ago
The commits upstream that were put in a couple days ago are still showing problems, so I've created https://gitlab.gnome.org/GNOME/tracker-miners/-/issues/289
The syscall in question is the 'chmod' syscall.
comment:4 by , 16 months ago
From the patch's description:
Description: Fixes several problems with the recent seccomp sandbox tightening as a result of CVE-2023-5557. In particular, this fixes crashes with a SIGSYS on i686, armhf, aarch64, ppc32, and ppc64le architectures, but also handles the netfilter syscalls on all architectures and prevents the open/openat() flags from being used, and disallows close/dup2/dup3() on standard I/O FDs. These are effectively !490, !496, !480, and !488 upstream, and fixes issues #289, #285, #287, #288, #284, #283, #281, and #280 upstream. On all architectures, this patch will also output the syscall that was used when crashing with a SIGSYS.
comment:5 by , 16 months ago
Summary: | Fix tracker-miners crash on i686 after the fix for CVE-2023-5557 (released in tracker-miners-3.6.1) → Fix tracker-miners crash on all architectures after the fix for CVE-2023-5557 (released in tracker-miners-3.6.1) |
---|
comment:6 by , 16 months ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Fixed at 219e2d6e443c8d98797a0499c68c9942c1b01d88
SA-12.0-034 issued for tracker-miners.
Link to upstream issue: https://gitlab.gnome.org/GNOME/tracker-miners/-/issues/284