From 1ea21e52a50123196e84d54e755c795af2378ab6 Mon Sep 17 00:00:00 2001 From: Alex Pyrgiotis Date: Thu, 7 Dec 2023 20:01:26 +0200 Subject: [PATCH] Add security advisory 2023-12-07 --- CHANGELOG.md | 8 +++++--- docs/advisories/2023-12-07.md | 32 ++++++++++++++++++++++++++++++++ 2 files changed, 37 insertions(+), 3 deletions(-) create mode 100644 docs/advisories/2023-12-07.md diff --git a/CHANGELOG.md b/CHANGELOG.md index b94b95a..80a1818 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,9 +15,11 @@ since 0.4.1, and this project adheres to [Semantic Versioning](https://semver.or ### Security -- Protect our container image against CVE-2023-43115, by updating GhostScript to version 10.02.0. Note that this CVE affects the **untrusted** environment where the conversion of the document to pixels takes place. Dangerzone operates under the assumption that this environment will eventually get exploited, which is why it protects the users in depth by running this environment in a hardened container, as a defense in depth measure. We are not aware of any container escape that impacts our users' security, but it's highly recommended to update to the latest Dangerzone version. - -- Security advisory 2023-10-25: prevent dz-dvm network via dispVMs. This was officially communicated on the advisory date and is only included here since this is the first release since it was announced. +- [Security advisory 2023-12-07](https://github.com/freedomofpress/dangerzone/blob/main/docs/advisories/2023-12-07.md): Protect our container image against + CVE-2023-43115, by updating GhostScript to version 10.02.0. +- [Security advisory 2023-10-25](https://github.com/freedomofpress/dangerzone/blob/main/docs/advisories/2023-10-25.md): prevent dz-dvm network via dispVMs. This was + officially communicated on the advisory date and is only included here since + this is the first release since it was announced. ## Dangerzone 0.5.0 
diff --git a/docs/advisories/2023-12-07.md b/docs/advisories/2023-12-07.md new file mode 100644 index 0000000..4b13aa6 --- /dev/null +++ b/docs/advisories/2023-12-07.md @@ -0,0 +1,32 @@ +Security Advisory 2023-12-07 + +In Dangerzone, a security vulnerability was detected in the quarantined +environment where documents are opened. Vulnerabilities like this are expected +and do not compromise the security of Dangerzone. However, in combination with +another more serious vulnerability (also called container escape), a malicious +document may be able to breach the security of Dangerzone. We are not aware of +any container escapes that affect Dangerzone. **To reduce that risk, you are +strongly advised to update Dangerzone to the latest version**. + +# Summary + +A security vulnerability in GhostScript (CVE-2023-43115) affects the +**contained** environment where the document rendering takes place. If one +attempts to convert a malicious file with an embedded PostScript image, +arbitrary code may run within that environment. Such files look like regular +Office documents, which means that you cannot avoid a specific extension. Other +programs that open Office documents, such as LibreOffice, are also affected, +unless the system has been upgraded in the meantime. + +# How does this impact me? + +The expectation is that malicious code will run in a container without Internet +access, meaning that it won't be able to infect the rest of the system. + +# What do I need to do? + +You are **strongly** advised to update your Dangerzone installation to 0.5.1 as +soon as possible. + +Please note that we have recently enabled security scans for our software, and +we aim to alert people even sooner about vulnerabilities like these.
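Review bot: In the CHANGELOG.md hunk, the rewritten CVE-2023-43115 entry drops the statement that the CVE affects only the **untrusted** conversion environment, along with the recommendation to update. A reader who does not follow the link now sees only "Protect our container image against CVE-2023-43115, by updating GhostScript to version 10.02.0" and has no indication of impact. Consider keeping a single clause saying that the issue is confined to the container and that updating is recommended. Both advisory links also point at `blob/main/docs/advisories/...`, which follows a moving branch; a relative path to `docs/advisories/2023-12-07.md` or a tag-pinned URL would keep the changelog of a given release pointing at the advisory text that shipped with it.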
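Review bot: In docs/advisories/2023-12-07.md, the "What do I need to do?" section names 0.5.1 as the version to update to, but the advisory never says which Dangerzone versions are affected, and it does not mention that the fix is the GhostScript update to 10.02.0, which appears only in the CHANGELOG entry. Since the advisory is meant to be read on its own, add both to the Summary. Two smaller points in the same file: the title line "Security Advisory 2023-12-07" has no heading marker while "Summary" and the other sections use `#`, so the title should be the `#` heading and the sections `##`. The text also alternates between "quarantined environment", "contained environment" and "container" for the same thing, so pick one term, or define the relationship once. The sentence "you cannot avoid a specific extension" is also unclear and could say directly that the file extension does not reveal whether a document carries an embedded PostScript image.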