Nicholas Geovanis, on 2019-10-02: > Henning Follmann, on 2019-10-02: > > On Wed, Oct 02, 2019 at 09:27:37AM -0400, Carl Fink wrote: > > > On Wed, Oct 02, 2019 at 08:41:11AM -0400, Henning Follmann wrote: > > > > only PDF/A is OK every other PDF, throw it out. > > > > No multimedia (movies, mp3). > > > > > > Really? MP3? Paranoid much? > > > > Well, maybe. > > OTOH these massive exploits these days were considered very unlikely some > > time ago. And a vectors in remains a vector in, and most likely becomes > > a common attack vector. Your point because it is not widely used _now_, > > it is safe, is just ridiculous. > > True enough but with the following difference: By > specification, to the best of my amateur knowledge, the MP3 > format does not permit executable content. Whereas Word and PDF > files do. I don't believe MP3 allows executable code by specifications either, so shouldn't the PNG image format. But think of DSA 4435 which affected libpng earlier this year. When the OS library for handling multimedia has flaws, if an HTML email embeds a specifically crafted PNG image inlined in the content, then you wouldn't even have to hit the “preview” button to be screwed: https://www.debian.org/security/2019/dsa-4435 tomás, on 2019-10-02: > Specifically for MP3 there seem to have been player vulnerabilities, > including some of the "code execution" flavour. > > IOW a vulnerable renderer is just some kind of (Rube-Goldbergian) > interpreter :-) Yup, that's the idea. Even if the format is clean, there might be bugs in libraries interpreting that format. Kids, keep your systems up to date! Going back to the main topic leveraged by Keith, setting apparmor(7) policies /may/ be a bit more helpful than doing a mount noexec in these situations, if I understood properly its purpose. The nice thing is that Debian does it for you! MUAs like Thunderbird come with what I believe would be appropriate Apparmor default settings; although having a look inside /etc/apparmor.d/usr.bin.thunderbird shows a lot of work TODO left. It should prevent effects of such attacks by limiting the area of action of the whole thunderbird process, and its children processes I would expect, to only a fraction of the resources available on the machine, in case some operation on untrusted data goes rogue[1]. [1] although, the apparmor profile does give a lot of margin to the /usr/bin/thunderbird process relative to the home directory, primarily to not break the “Save as...” button, so it depends on what the attacker will target. Kind Regards, :) -- Étienne Mollier <etienne.mollier@mailoo.org> Fingerprint: 5ab1 4edf 63bb ccff 8b54 2fa9 59da 56fe fff3 882d
Attachment:
signature.asc
Description: OpenPGP digital signature