ubuntu-appstore-developers team mailing list archive

Re: icon files in click packages

 

On 09/06/2013 08:15 AM, Ted Gould wrote:
> On Fri, 2013-09-06 at 07:51 -0500, Jamie Strandboge wrote:
>> On 09/05/2013 10:10 PM, Ted Gould wrote:
>> > Which brings up an interesting attack possibility.  An application with a
>> > corrupted application icon that gets loaded directly by Unity.  You wouldn't
>> > even need to have the app installed as browsing through the click scope would be
>> > enough.  Most icon loaders should be pretty robust by now...
>> > 
>>
>> Yes, this is something I considered. For now I think we just have to treat that
>> as a security vulnerability in Unity/the underlying libraries like we do now.
>> Ultimately, I think we should probably handle it like gettext and the
>> infographic-- icon loading is handled in a separate process with an apparmor
>> profile and ideally seccomp. Do you know otoh what I should file this wishlist
>> bug against?
> 
> No, it would be a bit unclear.  If nothing else, because hopefully soon we'd be
> giving things like JPEGs directly to the GPU to decode.  (though, we've been
> saying that for years)
> 
Those will be fun security vulns to fix :)

> Another thought that I had was that perhaps we could just decompress and
> recompress the icons server side.  Basically upload, convert to XPM, then back
> to PNG.  If an attack can survive in an XPM it deserves to live :-)
> 
That would be fine for the app store. It doesn't solve people installing 3rd
party apps that they just download. This isn't supported of course, but part of
security in depth and being robust is considering something like this.

-- 
Jamie Strandboge                 http://www.ubuntu.com/
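
An added example, not part of the original message and not Ubuntu or Unity code: a minimal sketch of handling an untrusted icon in a separate process, as proposed above, so that a parser crash or hang only costs the child. The names `check_icon`, `_parse_png` and `MAX_DIM` and the limit values are assumptions; the rlimits stand in for the AppArmor and seccomp confinement, which needs OS-level policy, and the child does a structural PNG check rather than a full decode (POSIX only).

```python
import os, resource, struct, zlib
MAX_DIM = 512  # assumed largest icon edge in pixels (hypothetical policy value)

def _chunk(ctype, body):  # helper used only to build the constructed sample below
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

# Constructed sample: a header-only 48x48 PNG, enough for the structural check.
SAMPLE = (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", struct.pack(">IIBBBBB", 48, 48, 8, 6, 0, 0, 0))
          + _chunk(b"IEND", b""))

def _parse_png(data):  # runs only in the child; any exception means "reject"
    if data[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("bad signature")
    pos, dims, ctype = 8, None, b""
    while ctype != b"IEND":  # truncated input raises struct.error here
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if len(body) != length or zlib.crc32(ctype + body) != crc:
            raise ValueError("corrupt chunk")
        if ctype == b"IHDR":
            dims = struct.unpack(">II", body[:8])
        pos += 12 + length
    if dims is None or not all(0 < d <= MAX_DIM for d in dims):
        raise ValueError("bad dimensions")
    return dims

def _cap(which, value):  # lower soft and hard limit, never above the current hard limit
    hard = resource.getrlimit(which)[1]
    value = value if hard == resource.RLIM_INFINITY else min(value, hard)
    resource.setrlimit(which, (value, value))

def check_icon(data, cpu_seconds=2):  # returns (width, height), or None if rejected
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: the only process that parses the untrusted bytes
        try:
            os.close(r)
            _cap(resource.RLIMIT_CPU, cpu_seconds)  # a parser that spins gets killed
            _cap(resource.RLIMIT_NOFILE, 0)         # no new files or sockets can be opened
            os.write(w, struct.pack(">II", *_parse_png(data)))
            os._exit(0)
        finally:
            os._exit(1)  # reached only when something above raised
    os.close(w)
    reply = os.read(r, 8)  # empty if the child died before answering
    os.close(r)
    status = os.waitpid(pid, 0)[1]
    return struct.unpack(">II", reply) if status == 0 and len(reply) == 8 else None
```

The parent never interprets the icon bytes itself; it only accepts a fixed-size reply from a child that exited cleanly.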
