Ubuntu and CentOS disable GNOME Bubblewrap sandbox
Ubuntu and CentOS are disabling a security feature added to the GNOME desktop environment last year – Bubblewrap. This is a sandbox environment that was added to GNOME 3.26 as a thumbnail parser in July last year.
The primary function of the thumbnail parser is to read the files in the directory and create thumbnail images. This is done every time the user navigates to the folder, displaying a thumbnail of the data it contains. In recent years, researchers have shown that thumbnail resolution can be an attack vector. For security reasons, the GNOME team added Bubblewrap to all GNOME thumbnail parser scripts last year.
However, according to German security researcher Hanno Boeck, the Ubuntu operating system is currently disabling Bubblewrap support inside GNOME. Also, Google security researcher Tavis Ormandy found that the GNOME Bubblewrap sandbox environment is also missing in the default version of CentOS 7.x.
Alex Murray, head of security technology at Ubuntu, explained that GNOME’s Bubblewrap was disabled because there was no time or effort to review the feature. To ensure the quality of the distribution, all packages that are promoted (permissions) to [Ubuntu main] must go through a thorough review process. Bubblewrap is relatively new software, 2018 is a year of new vulnerabilities such as ghosts, blows, etc. The security team has limited energy and can’t cover everything.