Security Advisory 2024-12-24
In Dangerzone, a security vulnerability was detected in the quarantined environment where documents are opened. Vulnerabilities like this are expected and do not compromise the security of Dangerzone. However, in combination with another more serious vulnerability (also called container escape), a malicious document may be able to breach the security of Dangerzone. We are not aware of any container escapes that affect Dangerzone. To reduce that risk, you are strongly advised to update Dangerzone to the latest version.
A series of vulnerabilities in gst-plugins-base (CVE-2024-47538, CVE-2024-47607 and CVE-2024-47615) affects the contained environment where the document rendering takes place.
If one attempts to convert a malicious file with an embedded Vorbis or Opus media elements, arbitrary code may run within that environment. Such files look like regular Office documents, which means that you cannot avoid a specific extension. Other programs that open Office documents, such as LibreOffice, are also affected, unless the system has been upgraded in the meantime.
The expectation is that malicious code will run in a container without Internet access, meaning that it won't be able to infect the rest of the system.
If you are running Dangerzone via the Qubes OS, you are not impacted.
You are strongly advised to update your Dangerzone installation to 0.8.1 as soon as possible.