From: Leo Famulari
Subject: Ghostscript / ImageMagick / GraphicsMagick vulnerability mitigation?
Date: Thu, 23 Aug 2018 17:04:45 -0400
Message-ID: <20180823210445.GA11845@jasmine.lan>
To: guix-devel@gnu.org
List-Id: "Development of GNU Guix and the GNU System distribution."

For the last couple of years, people have been finding exploitable bugs in the image processing system based on Ghostscript and ImageMagick / GraphicsMagick:

http://seclists.org/oss-sec/2018/q3/142
http://seclists.org/oss-sec/2016/q4/29

Despite these issues, these programs are still the best way to achieve some common image processing goals, so we have to think about how to make them safer.
The primary recommendation seems to be setting a restrictive security policy in ImageMagick's policy.xml file, as described in the discussions linked above.

Currently, Guix doesn't "set up" ImageMagick at all upon installation, which is different from some other systems like Debian and Fedora and their cousins, where the vulnerabilities are more dire [0]. Our ImageMagick package includes the default, unrestricted policy.xml.

But, I'm wondering if anyone is using these tools in production from Guix and, if so, how they do it, and if they would like us to ship a non-default, more restrictive policy.xml in our package.

And if so, could they write the policy.xml? :)

[0] https://bugs.gnu.org/32515
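As an added example (not part of Leo's message and not the contents of Guix's ImageMagick package), this is what a restrictive policy.xml of the kind the linked discussions recommend looks like: the domains and coder names are ones ImageMagick recognizes, while the resource limits are assumed values chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example policy.xml, not Guix's package file. An unrestricted
     policy, like the upstream default, is simply an empty <policymap>. -->
<policymap>
  <!-- Coders that hand the input to Ghostscript. Denying them means a
       PostScript/PDF file (or any file merely claiming to be one) is
       never passed to gs, which is where the 2018 oss-sec reports land. -->
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />

  <!-- Coders that fetch remote content or run scripts (the set named in
       the 2016 ImageTragick advisory): MVG/MSL scripting, URL and HTTPS
       fetching, the text-rendering coders and the EPHEMERAL reader. -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />

  <!-- "@file" indirect reads let a filename argument pull in the
       contents of an arbitrary local file; deny them wholesale. -->
  <policy domain="path" rights="none" pattern="@*" />

  <!-- Resource ceilings turn a decompression bomb into an error instead
       of an out-of-memory kill. Values are assumptions; size per host. -->
  <policy domain="resource" name="memory" value="256MiB" />
  <policy domain="resource" name="map" value="512MiB" />
  <policy domain="resource" name="width" value="16KP" />
  <policy domain="resource" name="height" value="16KP" />
  <policy domain="resource" name="area" value="128MP" />
  <policy domain="resource" name="disk" value="1GiB" />
  <policy domain="resource" name="time" value="120" />
</policymap>
```

The directory ImageMagick searches for policy.xml varies by build, so check with `identify -list policy`, which prints both the path it loaded and the rules in effect; a request blocked by a coder rule fails with a "not authorized" error rather than silently succeeding.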