group.of.nepali.translators team mailing list archive

Thread
Date

[Bug 1648921] Re: Sandbox the tracker extractor

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Jeremy Bicha <jeremy@xxxxxxxxx>
Date: Mon, 06 Mar 2017 19:38:08 -0000
Reply-to: Bug 1648921 <1648921@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: tracker (Ubuntu Yakkety)
       Status: Fix Committed => Won't Fix

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1648921

Title:
  Sandbox the tracker extractor

Status in Tracker:
  Fix Released
Status in tracker package in Ubuntu:
  Fix Released
Status in tracker source package in Xenial:
  Won't Fix
Status in tracker source package in Yakkety:
  Won't Fix

Bug description:
  * SECURITY UPDATE: extractor now runs in a sandbox confined by libseccomp
      - extractor's filesystem and network access is limited to being read and
        local only (LP: #1648921)
      - No CVE number

  The tracker developers have recently confined their extractor to
  attempt to make tracker more resilient to attacks, especially
  involving flaws in gstreamer parsers.

  There is no CVE number assigned to this issue.

  https://lwn.net/Articles/708196/
  https://scarybeastsecurity.blogspot.com/2016/11/0day-poc-risky-design-decisions-in.html

  The gstreamer security fixes are being handled separately. See bug
  1619600

To manage notifications about this bug go to:
https://bugs.launchpad.net/tracker/+bug/1648921/+subscriptions