almet/dangerzone
1
0
Fork 0
mirror of https://github.com/freedomofpress/dangerzone.git synced 2025-04-28 18:02:38 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 11

Add security advisory 2023-12-07

Browse source
This commit is contained in:
Alex Pyrgiotis 2023-12-07 20:01:26 +02:00 committed by deeplow
parent 06b68f2572
commit 1ea21e52a5
No known key found for this signature in database
GPG key ID: 577982871529A52A
2 changed files with 37 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
CHANGELOG.md
View file

@ -15,9 +15,11 @@ since 0.4.1, and this project adheres to [Semantic Versioning](https://semver.or
### Security
- Protect our container image against CVE-2023-43115, by updating GhostScript to version 10.02.0. Note that this CVE affects the **untrusted** environment where the conversion of the document to pixels takes place. Dangerzone operates under the assumption that this environment will eventually get exploited, which is why it protects the users in depth by running this environment in a hardened container, as a defense in depth measure. We are not aware of any container escape that impacts our users' security, but it's highly recommended to update to the latest Dangerzone version.
- Security advisory 2023-10-25: prevent dz-dvm network via dispVMs. This was officially communicated on the advisory date and is only included here since this is the first release since it was announced.
- [Security advisory 2023-12-07](https://github.com/freedomofpress/dangerzone/blob/main/docs/advisories/2023-12-07.md): Protect our container image against
CVE-2023-43115, by updating GhostScript to version 10.02.0.
- [Security advisory 2023-10-25](https://github.com/freedomofpress/dangerzone/blob/main/docs/advisories/2023-10-25.md): prevent dz-dvm network via dispVMs. This was
officially communicated on the advisory date and is only included here since
this is the first release since it was announced.
## Dangerzone 0.5.0

32
docs/advisories/2023-12-07.md Normal file
View file

@ -0,0 +1,32 @@
Security Advisory 2023-12-07
In Dangerzone, a security vulnerability was detected in the quarantined
environment where documents are opened. Vulnerabilities like this are expected
and do not compromise the security of Dangerzone. However, in combination with
another more serious vulnerability (also called container escape), a malicious
document may be able to breach the security of Dangerzone. We are not aware of
any container escapes that affect Dangerzone. **To reduce that risk, you are
strongly advised to update Dangerzone to the latest version**.
# Summary
A security vulnerability in GhostScript (CVE-2023-43115) affects the
**contained** environment where the document rendering takes place. If one
attempts to convert a malicious file with an embedded PostScript image,
arbitrary code may run within that environment. Such files look like regular
Office documents, which means that you cannot avoid a specific extension. Other
programs that open Office documents, such as LibreOffice, are also affected,
unless the system has been upgraded in the meantime.
# How does this impact me?
The expectation is that malicious code will run in a container without Internet
access, meaning that it won't be able to infect the rest of the system.
# What do I need to do?
You are **strongly** advised to update your Dangerzone installation to 0.5.1 as
soon as possible.
Please note that we have recently enabled security scans for our software, and
we aim to alert people even sooner about vulnerabilities like these.