Security Advisory 2023-12-07
In Dangerzone, a security vulnerability was detected in the quarantined environment where documents are opened. Vulnerabilities like this are expected and do not compromise the security of Dangerzone. However, in combination with another more serious vulnerability (also called container escape), a malicious document may be able to breach the security of Dangerzone. We are not aware of any container escapes that affect Dangerzone. To reduce that risk, you are strongly advised to update Dangerzone to the latest version.
A security vulnerability in GhostScript (CVE-2023-43115) affects the contained environment where the document rendering takes place. If one attempts to convert a malicious file with an embedded PostScript image, arbitrary code may run within that environment. Such files look like regular Office documents, which means that you cannot avoid a specific extension. Other programs that open Office documents, such as LibreOffice, are also affected, unless the system has been upgraded in the meantime.
The expectation is that malicious code will run in a container without Internet access, meaning that it won't be able to infect the rest of the system.
You are strongly advised to update your Dangerzone installation to 0.5.1 as soon as possible.
Please note that we have recently enabled security scans for our software, and we aim to alert people even sooner about vulnerabilities like these.