mirror of
https://github.com/freedomofpress/dangerzone.git
synced 2025-04-29 02:12:36 +02:00
Security Advisory 2023-12-07

In Dangerzone, a security vulnerability was detected in the quarantined
environment where documents are opened. Vulnerabilities like this are expected
and do not compromise the security of Dangerzone. However, in combination with
another more serious vulnerability (also called container escape), a malicious
document may be able to breach the security of Dangerzone. We are not aware of
any container escapes that affect Dangerzone. **To reduce that risk, you are
strongly advised to update Dangerzone to the latest version**.

# Summary

A security vulnerability in Ghostscript (CVE-2023-43115) affects the
**contained** environment where the document rendering takes place. If one
attempts to convert a malicious file with an embedded PostScript image,
arbitrary code may run within that environment. Such files look like regular
Office documents, which means that you cannot protect yourself by avoiding a
specific file extension. Other programs that open Office documents, such as
LibreOffice, are also affected, unless the system has been upgraded in the
meantime.
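
Since the file extension gives no signal, a defender triaging a suspicious document has to look inside it. The following is an added example, not code from Dangerzone or from the original advisory: it assumes a ZIP-based Office format (OOXML or ODF) and flags members that begin with a PostScript/EPS signature; the function names and the sample document are constructed for illustration.

```python
import io
import zipfile

# Signatures: ASCII PostScript/EPS begins with "%!PS"; the DOS-binary EPS
# wrapper begins with the bytes C5 D0 D3 C6.
PS_MAGICS = (b"%!PS", b"\xc5\xd0\xd3\xc6")
PS_EXTENSIONS = (".eps", ".ps")


def find_postscript_members(data: bytes) -> list[str]:
    """Return the names of archive members that look like PostScript/EPS."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []  # legacy binary formats (.doc, .ppt) are out of scope here
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(4)  # only the signature bytes are needed
            # Check content first: the member name inside the archive can be
            # as misleading as the extension of the outer document.
            by_magic = head.startswith(PS_MAGICS)
            by_name = info.filename.lower().endswith(PS_EXTENSIONS)
            if by_magic or by_name:
                hits.append(info.filename)
    return sorted(hits)


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal ZIP shaped like a .docx that stores a
    harmless EPS header under a .png name next to a real PNG signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.png", b"%!PS-Adobe-3.0 EPSF-3.0\n")
        zf.writestr("word/media/image2.png", b"\x89PNG\r\n\x1a\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(find_postscript_members(build_sample_docx()))
```

A hit only shows that the document carries PostScript content; it does not show that the content is malicious, and an empty result does not replace updating.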

# How does this impact me?

The expectation is that malicious code will run in a container without Internet
access, meaning that it won't be able to infect the rest of the system.

# What do I need to do?

You are **strongly** advised to update your Dangerzone installation to 0.5.1 as
soon as possible.

Please note that we have recently enabled security scans for our software, and
we aim to alert people even sooner about vulnerabilities like these.