The recent RCE in libcue and tracker3 GNOME settings in Bookworm

To: debian-security@lists.debian.org
Subject: The recent RCE in libcue and tracker3 GNOME settings in Bookworm
From: Konstantin Khomoutov <kostix@bswap.ru>
Date: Thu, 12 Oct 2023 13:27:22 +0300
Message-id: <[🔎] 20231012102722.aexbkl4ce4zipdqv@carbon>

Hi!

After the recent RCE in libcue DSA-5524-1, CVE-2023-43641, [1], I've decided
to re-check that I have scanning of the ~/Downloads directory disabled for
GNOME Search. The Settings app of GNOME says it's disabled but if I do

  gsettings get org.freedesktop.Tracker3.Miner.Files index-single-directories

it lists '@DOWNLOADS' along with '$HOME' (scanning of which is enabled).
IOW, it looks exactly as a bug discussed back then in [2,3].

I have executed 

 gsettings set org.freedesktop.Tracker3.Miner.Files \
   index-single-directories '['\''$HOME'\'']'

and

 systemctl --user restart tracker-miner-fs-3.service

to have the scanning of ~/Downloads disabled for sure (I hope) but this got me
thinking: is this situation warrants filing a bug against GNOME in Debian?

I should note that I have upgraded Debian on this particular device twice,
to the first Debian version with GNOME which has been installed was 10.
It's quite possible that the bug got triggered on an older version, and merely
presisted through upgrades, and if so, it may only affect the users in the
same situation.

 1. https://lists.debian.org/debian-security-announce/2023/msg00217.html
 2. https://discussion.fedoraproject.org/t/is-tracker-scanning-downloads-again-despite-the-folder-being-ignored/24828/7
 3. https://bugzilla.redhat.com/show_bug.cgi?id=1900227

Reply to:

Prev by Date: Re: Bug#1040901: Upcoming changes to Debian Linux kernel packages
Next by Date: Re: Bug#1040901: Upcoming changes to Debian Linux kernel packages
Previous by thread: Re: Upcoming stable (12.2) and oldstable (11.8) point releases
Index(es):
- Date
- Thread