Bug 915597 - xfce-base/xfce4-meta - for security reasons please support not pulling in xfce-base/tumbler
Summary: xfce-base/xfce4-meta - for security reasons please support not pulling in xfc...
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
: Normal normal
Assignee: XFCE Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-10-11 14:45 UTC by Sebastian Pipping
Modified: 2025-02-03 12:38 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sebastian Pipping gentoo-dev 2023-10-11 14:45:31 UTC
Hi XFCE team,

I noticed that (1) xfce-base/xfce4-meta unconditionally pulls in xfce-base/tumbler and (2) automatic generation of thumbnails raises security concerns (similar to [1]) and would be ideal to not happen at all on my desktop system given the size of the attack surface and the limited value.  I was able to disable some of it in Thunar but tumbler is still running and xfce-base/xfce4-meta stands in my way of installing it as of today.

I'm not sure how okay or not okay XFCE will be without tumbler running or even without xfce-base/tumbler installed: "emerge --depclean xfce-base/tumbler" says it's only xfce4-meta.  Would you be open to e.g. change…

  --- >=xfce-base/tumbler-4.18.0
  +++ thumbnails? ( >=xfce-base/tumbler-4.18.0 )
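Review bot: the `thumbnails?` conditional in the `+++` line refers to a USE flag that the meta ebuild does not currently declare, so the change is incomplete without adding it to IUSE (and a description in metadata.xml); declaring it enabled by default, e.g. `IUSE="+thumbnails"`, keeps tumbler pulled in for existing installs while letting users who share the reporter's concern drop it with `USE="-thumbnails"`.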
  
…in the ebuild if feasible?  What do you think?  Thanks in advance!

[1] https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2023-10-11 15:43:54 UTC
I don't have a strong opinion.  My preference is that "meta" stays whatever upstream defaults to, and if you don't want it, then you don't use "meta".
Comment 2 Sven B. 2025-02-03 10:31:00 UTC
There is also always the option to disable thumbnail generation in

/etc/xdg/tumbler/tumbler.rc 

can even be done selectively.
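As an added illustration of the selective approach mentioned in this comment (not text from the commenter or a file shipped by Gentoo), the fragment below shows a tumbler.rc that keeps the simple pixbuf thumbnailer and disables the plugins that hand untrusted files to larger parsers. The section names follow the layout of the tumbler.rc installed with tumbler; which sections exist on a given system depends on the tumbler version and build options, and the numeric values are assumptions chosen for the example.

```ini
# Added example tumbler.rc fragment, not the file from the bug report.
# Each thumbnailer plugin has its own section; Disabled=true stops tumbler
# from loading it at all, which removes that parser from the attack surface.

# Keep only the gdk-pixbuf based thumbnailer for ordinary image files,
# with a file size cap (2 MiB, an assumed value) so oversized inputs are skipped.
[PixbufThumbnailer]
Disabled=false
Priority=1
Locations=
Excludes=
MaxFileSize=2097152

# Plugins that decode video, audio containers, PDFs, raw camera files,
# fonts and office documents: switched off here because each one wraps a
# large external library that would otherwise parse files automatically.
[FfmpegThumbnailer]
Disabled=true

[GstThumbnailer]
Disabled=true

[PopplerThumbnailer]
Disabled=true

[RawThumbnailer]
Disabled=true

[FontThumbnailer]
Disabled=true

[OdfThumbnailer]
Disabled=true

# The cover-art plugin fetches data for audio files; disabled for the same reason.
[CoverArtThumbnailer]
Disabled=true
```

After editing the file, the running tumblerd instance needs to be restarted (or the session logged out and back in) for the new settings to take effect; a quick check is that Thunar no longer produces previews for a freshly copied PDF or video while still showing them for a PNG.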
Comment 3 Alexander Kurakin 2025-02-03 12:38:20 UTC
(In reply to Michał Górny from comment #1)
> I don't have a strong opinion.  My preference is that "meta" stays whatever
> upstream defaults to, and if you don't want it, then you don't use "meta".

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ed815a0d0ef88b399ee809edff9db233075e07be could have changed it.