The recent RCE in libcue and tracker3 GNOME settings in Bookworm
Hi!
After the recent RCE in libcue DSA-5524-1, CVE-2023-43641, [1], I've decided
to re-check that I have scanning of the ~/Downloads directory disabled for
GNOME Search. The Settings app of GNOME says it's disabled, but if I do
    gsettings get org.freedesktop.Tracker3.Miner.Files index-single-directories
it lists '@DOWNLOADS' along with '$HOME' (scanning of which is enabled).
IOW, it looks exactly like a bug discussed back then in [2,3].
I have executed
    gsettings set org.freedesktop.Tracker3.Miner.Files \
    index-single-directories '['\''$HOME'\'']'
and
    systemctl --user restart tracker-miner-fs-3.service
to have the scanning of ~/Downloads disabled for sure (I hope) but this got me
thinking: does this situation warrant filing a bug against GNOME in Debian?
I should note that I have upgraded Debian on this particular device twice,
so the first Debian version with GNOME which has been installed was 10.
It's quite possible that the bug got triggered on an older version, and merely
persisted through upgrades, and if so, it may only affect the users in the
same situation.
1. https://lists.debian.org/debian-security-announce/2023/msg00217.html
2. https://discussion.fedoraproject.org/t/is-tracker-scanning-downloads-again-despite-the-folder-being-ignored/24828/7
3. https://bugzilla.redhat.com/show_bug.cgi?id=1900227
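
Added example, not part of the original message: a small audit of both Tracker 3 directory keys, since the Settings panel and the stored gsettings value can disagree as described above. The function names are hypothetical; '&DOWNLOAD' is the alias the Tracker schema uses for the XDG Downloads folder, '@DOWNLOADS' is the spelling quoted in the message, and the script assumes paths without quote characters.

```shell
#!/bin/sh
# Added example: report whether tracker-miner-fs-3 is configured to index
# the Downloads folder, directly or through a recursive parent entry.

SCHEMA=org.freedesktop.Tracker3.Miner.Files

# list_entries VALUE: print one entry per line from a gsettings string array
# such as "['$HOME', '&DOWNLOAD']"; prints nothing for "@as []".
list_entries() {
    printf '%s\n' "$1" | grep -o "'[^']*'" | tr -d "'"
}

# covers_downloads KEY VALUE DOWNLOADS_DIR HOME_DIR
# Succeeds if VALUE names Downloads by alias or path, or if the recursive key
# names the home directory (recursion then reaches Downloads below it).
covers_downloads() {
    if list_entries "$2" |
        grep -Fxq -e '&DOWNLOAD' -e '@DOWNLOADS' -e "${3%/}" -e "${3%/}/"; then
        return 0
    fi
    [ "$1" = index-recursive-directories ] &&
        list_entries "$2" | grep -Fxq -e '$HOME' -e "${4%/}" -e "${4%/}/"
}

# audit: query the live settings; returns 1 if Downloads is covered by any key,
# 2 if gsettings itself fails.
audit() {
    dl=$(xdg-user-dir DOWNLOAD 2>/dev/null) || dl=
    [ -n "$dl" ] || dl="$HOME/Downloads"
    rc=0
    for key in index-single-directories index-recursive-directories; do
        val=$(gsettings get "$SCHEMA" "$key") || return 2
        if covers_downloads "$key" "$val" "$dl" "$HOME"; then
            echo "WARN: $key = $val"
            rc=1
        else
            echo "ok:   $key = $val"
        fi
    done
    return "$rc"
}

# Run against the current user's settings only when asked to.
if [ "${1:-}" = "--audit" ]; then
    audit
fi
```

Run with `--audit` as the desktop user; a non-zero exit status means one of the keys still covers Downloads.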