mirror of
https://github.com/freedomofpress/dangerzone.git
synced 2025-04-28 18:02:38 +02:00
33 lines
1.5 KiB
Markdown
33 lines
1.5 KiB
Markdown
Security Advisory 2024-12-24
|
|
|
|
In Dangerzone, a security vulnerability was detected in the quarantined
|
|
environment where documents are opened. Vulnerabilities like this are expected
|
|
and do not compromise the security of Dangerzone. However, in combination with
|
|
another more serious vulnerability (also called container escape), a malicious
|
|
document may be able to breach the security of Dangerzone. We are not aware of
|
|
any container escapes that affect Dangerzone. **To reduce that risk, you are
|
|
strongly advised to update Dangerzone to the latest version**.
|
|
|
|
# Summary
|
|
|
|
A series of vulnerabilities in gst-plugins-base (CVE-2024-47538, CVE-2024-47607
|
|
and CVE-2024-47615) affects the **contained** environment where the document
|
|
rendering takes place.
|
|
|
|
If one attempts to convert a malicious file with an embedded Vorbis or Opus
|
|
media elements, arbitrary code may run within that environment. Such files
|
|
look like regular Office documents, which means that you cannot avoid a specific
|
|
extension. Other programs that open Office documents, such as LibreOffice, are
|
|
also affected, unless the system has been upgraded in the meantime.
|
|
|
|
# How does this impact me?
|
|
|
|
The expectation is that malicious code will run in a container without Internet
|
|
access, meaning that it won't be able to infect the rest of the system.
|
|
|
|
If you are running Dangerzone via the Qubes OS, you are not impacted.
|
|
|
|
# What do I need to do?
|
|
|
|
You are **strongly** advised to update your Dangerzone installation to 0.8.1 as
|
|
soon as possible.
|