If you’re a Linux user, you obviously know the name GNOME – one of the most popular desktop environments of all. Over time, it found its way into all the major Linux distros – Ubuntu, Linux Mint, Debian, CentOS and many more. GNOME has also gone through a long series of upgrades and modifications. Now, current versions of Ubuntu and CentOS ship with one of GNOME's security features disabled. This security feature was introduced back in 2017.
The feature in question is Bubblewrap. Bubblewrap is a sandboxing tool that GNOME has used to confine its thumbnail parsers since the release of GNOME 3.26.
Bubblewrap – protection for thumbnailing
Thumbnails are the little icons that sit next to each file and folder/directory to give you a rough idea of what to expect inside. The little icons are actually pretty useful, and some thumbnails have become synonymous with popular software.
Each time you open a folder/directory, the system generates thumbnails for the files in it. This is done automatically by thumbnail parsers (thumbnailers) – the scripts or programs that create the icon.
In recent years, security researchers showed that thumbnail parsers can also serve as an attack vector: an attacker only needs to trick a user into downloading a booby-trapped file onto their desktop. The thumbnail parser, which runs automatically and without the user opening the file, then processes it and executes the malicious code.
This is why the GNOME Project added Bubblewrap sandboxing for the thumbnail parser scripts in GNOME.
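To make concrete what the sandbox buys you, here is an added example (not code from the article, GNOME or Ubuntu) of running a thumbnailer under bwrap with the kind of confinement GNOME applies: read-only OS, no network or other shared namespaces, a private /tmp, and only the input file (read-only) and an output directory mounted in. The thumbnailer command line, the `/tmp/input` and `/tmp/output` mappings and the `gdk-pixbuf-thumbnailer` invocation are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the article, GNOME or Ubuntu: run a
# thumbnailer inside a Bubblewrap (bwrap) sandbox in the spirit of the
# GNOME 3.26 change. The command line uses the GNOME .thumbnailer Exec
# placeholders: %i = input file, %o = output PNG, %s = pixel size.
# Assumed example command: "gdk-pixbuf-thumbnailer -s %s %i %o"

# Expand %i/%o/%s in an Exec line to the paths the sandbox will see.
render_exec() {
    exec_line="$1"; in="$2"; out="$3"; size="$4"
    printf '%s\n' "$exec_line" |
        sed -e "s|%i|$in|g" -e "s|%o|$out|g" -e "s|%s|$size|g"
}

# The confinement policy: read-only OS tree, no network/pid/ipc/user
# namespace sharing, private /tmp, no controlling terminal, dies with
# its parent. Printed one flag per line so it can be reviewed (or
# asserted on) without bwrap installed.
sandbox_policy() {
    cat <<'EOF'
--ro-bind /usr /usr
--ro-bind /etc/ld.so.cache /etc/ld.so.cache
--symlink usr/lib /lib
--symlink usr/lib64 /lib64
--symlink usr/bin /bin
--proc /proc
--dev /dev
--tmpfs /tmp
--unshare-all
--die-with-parent
--new-session
--chdir /
--setenv GIO_USE_VFS local
EOF
}

# Run one job: sandboxed_thumbnail EXEC_LINE INPUT_FILE OUTPUT_DIR SIZE
# Only the input file (read-only) and the output directory (writable)
# are visible inside the sandbox; the rest of $HOME is not.
sandboxed_thumbnail() {
    exec_line="$1"; in="$2"; out_dir="$3"; size="$4"
    command -v bwrap >/dev/null 2>&1 || { echo "bwrap not installed" >&2; return 2; }
    cmd=$(render_exec "$exec_line" /tmp/input /tmp/output/thumb.png "$size")
    eval "set -- $cmd"   # split the Exec line into argv (paths are fixed, not user data)
    # shellcheck disable=SC2046  # policy flags are deliberately word-split
    bwrap $(sandbox_policy) \
        --ro-bind "$in" /tmp/input \
        --bind "$out_dir" /tmp/output \
        "$@"
}
```

Example call: `sandboxed_thumbnail 'gdk-pixbuf-thumbnailer -s %s %i %o' ~/Downloads/suspect.jpg /tmp/thumbs 128`; the thumbnailer sees only `/tmp/input` and `/tmp/output`, with no network and no access to the rest of the home directory.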
According to German journalist and security researcher Hanno Boeck, Ubuntu currently disables Bubblewrap support in its GNOME Shell environment for all recent OS versions.
According to Google security researcher Tavis Ormandy, the Bubblewrap sandboxes were also absent from default CentOS 7.x installations.
However, Ubuntu has a valid and reasonable explanation for this. Alex Murray, Ubuntu Security Tech Lead at Canonical, explained that the Ubuntu team opted to disable the feature because they didn’t have enough time and resources to audit Bubblewrap.
According to Murray, Bubblewrap is a relatively new piece of software that does complicated things to set up those sandboxes. They didn’t want to enable the feature because any vulnerability in the sandboxing process itself could have major consequences.
Murray also said the criticism is valid. However, to ensure a high-quality distro, every single package has to undergo a thorough review process, and that takes time. He also assured that the feature is likely to make it into the mainstream release.