
Security Vulnerability report #591

Closed
febinrev opened this issue Nov 2, 2023 · 27 comments

Comments

@febinrev commented Nov 2, 2023

I am a security researcher, and I have found a security vulnerability in the default archive manager of MATE DE. The affected software is Engrampa Archive Manager and the vulnerability is capable of Remote Command Execution upon extracting a crafted Archive.

I would like to safely disclose the details about the vulnerability to MATE devs, please provide me with the right contact information to report the bug.

My Email: febin.sec@gmail.com

Thanks,
Febin

@lukefromdc (Member)

One of the team members most familiar with Engrampa's code would be best for this. I haven't done much with Engrampa myself beyond the usual testing of PRs and bugfixes. If you find a Wayland-specific vulnerability anywhere in MATE's new Wayland support I will be the one that needs to know.

@raveit65 (Member) commented Nov 6, 2023

The right repository is https://github.com/mate-desktop/engrampa
You should post it there.
Or do you mean a non public place to communicate?
Can you make a pull request which fixes the issue?

@cwendling (Member)

I guess @zhuyaliang might be the best contact as he's been the most active there, but he'd have to acknowledge he's OK with that. I might be able to help, but I don't have a lot of experience with engrampa. I have reasonable understanding of security issues and how C actually works to potentially help fixing it if it has some subtleties to it though. Depending on the impact we might however need a point release soon enough…

@raveit65 @lukefromdc do we have a way to easily coordinate things like that in private? e.g. @mate-desktop/core-team members only, where we can discuss things like that?
Maybe we should also add a security policy, if you've got an idea how it should work…

@raveit65 (Member) commented Nov 7, 2023

Discussions in core-team are only accessible by core-team members. I don't want to add an outside collaborator to core-team with all rights for all repositories.
What we can do is to add a new private group Security-Discussions which is available for core-team members. A core-team member can then open a new discussion for a security case and (hopefully) add a security collaborator to the group.

@cwendling (Member)

Yeah, or we could simply discuss it internally after one of us got the info and relay it. Yet, I can't seem to find the team discussions anymore? I see a link to some old JSON data, but nothing else… guess I'm missing something?

@raveit65 (Member) commented Nov 7, 2023

GitHub did a redesign to make it better (ha ha) and hid old projects and their discussions. They are now called projects (classic).
https://github.com/orgs/mate-desktop/projects?type=classic
It's not very intuitive to find them :-)
You can open now projects or projects (classic).

@raveit65 (Member) commented Nov 7, 2023

@cwendling
Do you have access to https://github.com/orgs/mate-desktop/teams/security-discussions and can you add a collaborator, i.e. febinrev?

Edit: core-team is the parent of security-discussions group.

@cwendling (Member)

@raveit65 Apparently I don't have enough rights, but I just asked to join. You probably need to up some rights for me if I should be able to do that.

@cwendling (Member)

> GitHub did a redesign to make it better (ha ha) and hid old projects and their discussions. They are now called projects (classic).
> https://github.com/orgs/mate-desktop/projects?type=classic
> It's not very intuitive to find them :-)
> You can open now projects or projects (classic).

I see the projects and their related issues, but don't see discussions there?

What I was referring to before was "Team post archive" in the sidebar at https://github.com/orgs/mate-desktop/teams/core-team. Apparently we're now supposed to use the Discussions feature? But IIUC we don't have it enabled, and I don't think I can manage that either :) If Discussions works and has support for private threads, that could work.

@raveit65 (Member) commented Nov 7, 2023

> I see the projects and their related issues, but don't see discussions there?
>
> What I was referring to before was "Team post archive" in the sidebar at https://github.com/orgs/mate-desktop/teams/core-team. Apparently we're now supposed to use the Discussions feature? But IIUC we don't have it enabled, and I don't think I can manage that either :) If Discussions works and has support for private threads, that could work.

My fault, old discussions are archived here https://github.com/orgs/mate-desktop/teams/core-team/members/archived_team_posts.json

> @raveit65 Apparently I don't have enough rights, but I just asked to join. You probably need to up some rights for me if I should be able to do that.

Hmm, I thought all members of a parent group are inside the child group. ........ I need to add all core-team members by hand :/
@cwendling
You are inside this group now with role:member (for some reason). Can you add febinrev with role:member?

Update: you're now maintainer of this group.

@cwendling (Member)

@raveit65 I can't seem to add people who are not members of the org…

Anyway, if we had him/her in there (or contacted by email and forwarded), where would we discuss that privately?

@raveit65 (Member) commented Nov 7, 2023

@cwendling
This doesn't work for you?
[screenshot]

Anyway, I need to set up the group anew because child groups receive notifications of the parent group :/

> Child teams inherit the parent's access permissions, simplifying permissions management for large groups. Members of child teams also receive notifications when the parent team is @mentioned, simplifying communication with multiple groups of people.

@cwendling (Member)

> This doesn't work for you?

Nope, I had the UI but everything was grayed-out for non-organization members

@raveit65 (Member) commented Nov 7, 2023

You are now in this group as maintainer, try again please.

Edit: I need to select the user from the list first, then the button isn't greyed out.

@cwendling (Member)

Nope, still no luck: [screenshot: team-add]

@raveit65 (Member) commented Nov 7, 2023

Hmm, I can select the greyed-out entry in the drop-down list and after that the button isn't greyed out.

Ok, if this doesn't work then only organization owners can add more members, which is annoying.
I can add you to the owners group........ but I want to avoid adding everybody from core to owners only for adding outside collaborators :/
... I need to think about it....

@raveit65 (Member) commented Nov 7, 2023

I enabled discussions and created a post, but it seems the post is public. Or I missed something.
https://github.com/orgs/mate-desktop/discussions
So this isn't usable for our case.

@cwendling (Member)

@raveit65 see above, it seems there's a feature just for this that can be enabled.

@raveit65 (Member) commented Nov 7, 2023

Anyway, the discussion feature can be used for public discussions or announcements (e.g. releases), so it wasn't bad to enable it.
Aside from your given link, I am still wondering why it isn't possible to make non-public discussions inside an organization.

@raveit65 (Member) commented Nov 7, 2023

@febinrev
You can report the Security Vulnerability here https://github.com/mate-desktop/engrampa/security

@mate-desktop/core-team
I will enable this for all repos.

@lukefromdc (Member) commented Nov 7, 2023 via email

@febinrev (Author)

> @febinrev You can report the Security Vulnerability here https://github.com/mate-desktop/engrampa/security
>
> @mate-desktop/core-team I will enable this for all repos.

Just reported the vulnerability there! @raveit65

@febinrev (Author) commented Nov 13, 2023

> We could issue an advisory for now advising disconnection from the Internet prior
> to opening any unknown file in Engrampa to block command and control servers.
> For high security cases, make sure Engrampa has exited before reconnecting. This
> would block most remote exploits. Remember that a local exploit in a downloaded
> file BECOMES a remote exploit if the payload opens any network connection.

Disconnection from the internet/network would not be an ideal solution for exploits that come from crafted archives; most exploits that come from archives would be path traversals, buffer overflows, and logic flaws. These attacks can't be prevented by internet disconnection/isolation.

The vulnerability I just reported is such a vulnerability, in which the crafted archive writes some file/script somewhere and that file will be executed after some time, probably triggered after a reboot/relogin.

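Added example (not Engrampa's code and not from any participant in this thread): a stand-alone Python classifier for the archive-entry tricks described above, which reports every tar member that would be written outside the extraction directory, whether through `../` components, an absolute path, a symlink that points out of the tree, or a later file written through such a symlink. The sample archive, the destination `/home/user/extract`, and names such as `.config/autostart/evil.desktop` are constructed for this example and are not taken from the reported vulnerability; resolution is done on the archive's declared names only, so nothing is written to disk.

```python
import io
import posixpath
import tarfile


def _inside(root, path):
    """True if normalized absolute `path` equals `root` or lies below it."""
    prefix = root if root.endswith("/") else root + "/"
    return path == root or path.startswith(prefix)


def unsafe_members(archive_bytes, dest):
    """Return [(member_name, reason)] for tar members that would escape `dest`.

    Works purely on the names and link targets declared in the archive (POSIX
    paths assumed), so it runs offline and never touches the filesystem.
    Symlinks declared earlier in the archive are honoured when resolving later
    members, which catches the two-step attack: first a symlink out of the
    tree, then a regular file written through it.
    """
    dest = posixpath.normpath(dest)
    links = {}       # absolute normalized symlink path -> absolute target
    findings = []

    def resolve(name):
        # Walk one component at a time, following symlinks the archive
        # itself declared earlier, the way a real extraction would.
        cur = dest
        for part in name.split("/"):
            if part in ("", "."):
                continue
            cur = posixpath.normpath(posixpath.join(cur, part))
            if cur in links:
                cur = links[cur]
        return cur

    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            if posixpath.isabs(m.name):
                findings.append((m.name, "absolute path"))
                continue
            target = resolve(m.name)
            if not _inside(dest, target):
                findings.append((m.name, "escapes extraction dir"))
                continue
            if m.issym():
                if posixpath.isabs(m.linkname):
                    link_target = posixpath.normpath(m.linkname)
                else:
                    link_target = resolve(
                        posixpath.join(posixpath.dirname(m.name), m.linkname))
                # Record the link even when it is rejected, so that a later
                # member written through it is reported as well.
                links[target] = link_target
                if not _inside(dest, link_target):
                    findings.append((m.name, "symlink points outside"))
            elif m.islnk():
                # Hard-link targets are archive-relative, not member-relative.
                if not _inside(dest, resolve(m.linkname)):
                    findings.append((m.name, "hardlink outside"))
    return findings


def build_sample_archive():
    """Constructed sample: one benign file plus the usual escape tricks."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, content=b"x"):
            ti = tarfile.TarInfo(name)
            ti.size = len(content)
            tar.addfile(ti, io.BytesIO(content))
        add_file("docs/readme.txt")                    # benign
        add_file("../.config/autostart/evil.desktop")  # runs at next login
        add_file("/etc/cron.d/evil")                   # absolute path
        ti = tarfile.TarInfo("home")                   # symlink out of tree
        ti.type = tarfile.SYMTYPE
        ti.linkname = "../../"
        tar.addfile(ti)
        add_file("home/.bashrc")                       # written through it
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in unsafe_members(build_sample_archive(), "/home/user/extract"):
        print(f"{reason:25} {name}")
```

An extractor that applies this check should reject the whole archive rather than skip the offending entries: the benign-looking `home/.bashrc` only becomes dangerous because of the `home` symlink before it, and a partial extraction can still leave a half-planted payload behind.
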
@lukefromdc (Member)

That means such archives should not be opened at all, and until this is fixed archives not from a trusted source have to be treated as though they were attachments in an untrusted email: open only from a live USB stick system. Royal nuisance, few will do this, so we cannot recommend any mitigation people will actually use until this is fixed.

@raveit65 (Member)

Closing this. Discussions should be done in Security Vulnerability report at https://github.com/mate-desktop/engrampa/security/advisories

Labels: none yet
Projects: none yet
Development: no branches or pull requests
4 participants