Information
ID: 630
PHID: PHID-TASK-5ypghlijurqrjpnp26fl
Author: HulaHoop
Status at Migration Time: wontfix
Priority at Migration Time: Low
Description
Repost:
Automated browser downloads + bug-ridden FS indexing parsers like KDE Baloo are a serious threat to systems and a really easy way to mount RCEs on desktops.
AFAIK Baloo is disabled by default but I’m not sure. Can you confirm that it is if it’s not the case? And of course we need to keep an eye out for it on Whonix Stretch.
Comments
HulaHoop
2017-04-13 19:23:29 UTC
JasonJAyalaP
2017-06-16 19:36:50 UTC
It appears that baloo is disabled by default. On a fresh WS:
balooctl status
it says disabled.
Baloo is installed by default in both GW and WS
If baloo shouldn’t be on by default in Whonix, then let’s not include the baloo package (and 2 dependencies?) at all.
dpkg -l | grep baloo
Hmm, but apt-get remove shows that dolphin and some Whonix packages (??) depend on it.
Patrick
2017-06-16 19:41:11 UTC
JasonJAyalaP
2017-06-16 21:29:47 UTC
It’s off by default. If someone enables it by choice, should we warn them to turn it off? Warn them that it’s another attack vector? Is it a big enough security risk? whonixcheck shouldn’t be in charge of checking and warning the user about most modifications they make that may be attack vectors.
Compromise: Kick the problem to deb 10 and see if they’ve turned it on by default. Worry about it then.
Patrick
2017-06-16 23:17:47 UTC
JasonJAyalaP (Jason J. Ayala P.):
> JasonJAyalaP added a comment.
>
> It’s off by default. If someone enables it by choice, should we warn
> them to turn it off? Warn them that it’s another attack vector? Is it
> a big enough security risk?

Good question. My idea was to make sure it stays disabled in Debian 10
based Whonix later on. Perhaps that doesn’t belong in whonixcheck but
would more be part of an automated test suite.

> Compromise: Kick the problem to deb 10 and see if they’ve turned it
> on by default. Worry about it then.

Right.
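An automated test-suite check of the kind suggested above could look like this. This is an added example, not code from the thread or from Whonix; the function names are hypothetical. It assumes Baloo (KDE Frameworks 5) keeps its switch in the per-user file `~/.config/baloofilerc`, group `[Basic Settings]`, key `Indexing-Enabled`.

```shell
#!/bin/sh
# Added example: regression check that Baloo file indexing stays switched off.
# Assumption: the setting lives in ~/.config/baloofilerc under
# [Basic Settings] as Indexing-Enabled=true|false.

# Print the value of Indexing-Enabled from a baloofilerc-style file,
# or "unset" when the file or the key is missing.
baloo_indexing_value() {
    rc=$1
    [ -r "$rc" ] || { echo unset; return 0; }
    awk '
        # Track which INI group we are in; only [Basic Settings] counts.
        /^[ \t]*\[/ { in_group = ($0 ~ /^[ \t]*\[Basic Settings\][ \t]*$/); next }
        in_group && /^[ \t]*Indexing-Enabled[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            val = tolower($0)
        }
        END { print (val == "" ? "unset" : val) }
    ' "$rc"
}

# Succeed only when indexing is explicitly disabled. A missing key is a
# failure, so the check does not depend on whatever the package default is.
baloo_is_disabled() {
    [ "$(baloo_indexing_value "$1")" = "false" ]
}

# Check every config file given; return non-zero if any of them fails.
check_baloo_disabled() {
    status=0
    for rc in "$@"; do
        if baloo_is_disabled "$rc"; then
            echo "PASS $rc"
        else
            echo "FAIL $rc (Indexing-Enabled=$(baloo_indexing_value "$rc"))"
            status=1
        fi
    done
    return $status
}

# Usage in a test run: check_baloo_disabled "$HOME/.config/baloofilerc"
```

On a live desktop session the result can be cross-checked against `balooctl status`, the command used earlier in this thread.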
Patrick
2018-11-20 15:59:47 UTC