From: Leo Famulari <leo@famulari.name>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: guix-devel@gnu.org
Subject: Re: Ghostscript / ImageMagick / GraphicsMagick vulnerability mitigation?
Date: Fri, 24 Aug 2018 15:10:20 -0400 [thread overview]
Message-ID: <20180824191020.GA25122@jasmine.lan> (raw)
In-Reply-To: <87y3cvlxu2.fsf@gnu.org>
[-- Attachment #1: Type: text/plain, Size: 1521 bytes --]
On Fri, Aug 24, 2018 at 03:04:53PM +0200, Ludovic Courtès wrote:
> In this week’s discussions, it’s unclear to me why people are focusing
> so much on ImageMagick and Evince when the real issue is in
> Ghostscript’s ability to run arbitrary commands from PostScript code. I
> rarely run ‘convert’ on PS files, but I do run ‘gs’ from different
> sources: gv, Emacs Docview, Evince, ps2pdf, etc.
I think they take for granted that Ghostscript should not handle
untrusted input, so they are looking for ways that it may be invoked by
other applications without the user's explicit consent. And, they are
still picking the "low-hanging fruit" in this search, for example the
thumbnailing thing.
Apparently GNOME containerizes the thumbnailer in some cases with
'bubblewrap', but it requires the system to be set up properly (by us,
for example).
> So I was wondering if we could arrange to provide a wrapper around ‘gs’
> that would run it in a container that can only access its input and
> output files, plus font files from the store. Now I wonder if I’m too
> naive and if this would in practice require more work.
>
> Thoughts?
Yeah, that would be interesting. Are there any packages that have
something similar right now?
> I agree that it would be good to provide a policy.xml somehow. On
> GuixSD, we could provide it by default for new accounts (as a Shadow
> “skeleton”.)
Agreed, or at least alter the default copy that comes in the built
package.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2018-08-24 19:10 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-23 21:04 Ghostscript / ImageMagick / GraphicsMagick vulnerability mitigation? Leo Famulari
2018-08-24 13:04 ` Ludovic Courtès
2018-08-24 19:10 ` Leo Famulari [this message]
2018-08-25 14:52 ` Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180824191020.GA25122@jasmine.lan \
--to=leo@famulari.name \
--cc=guix-devel@gnu.org \
--cc=ludo@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).