From: ludo@gnu.org (Ludovic Courtès)
To: Leo Famulari <leo@famulari.name>
Cc: guix-devel@gnu.org
Subject: Re: Ghostscript / ImageMagick / GraphicsMagick vulnerability mitigation?
Date: Fri, 24 Aug 2018 15:04:53 +0200 [thread overview]
Message-ID: <87y3cvlxu2.fsf@gnu.org> (raw)
In-Reply-To: <20180823210445.GA11845@jasmine.lan> (Leo Famulari's message of "Thu, 23 Aug 2018 17:04:45 -0400")
Hello Leo,
Leo Famulari <leo@famulari.name> skribis:
> For the last couple years, people have been finding exploitable bugs in
> the image processing system based on Ghostscript and ImageMagick /
> GraphicsMagick:
>
> http://seclists.org/oss-sec/2018/q3/142
> http://seclists.org/oss-sec/2016/q4/29
In this week’s discussions, it’s unclear to me why people are focusing
so much on ImageMagick and Evince when the real issue is in
Ghostscript’s ability to run arbitrary commands from PostScript code. I
rarely run ‘convert’ on PS files, but I do run ‘gs’ from different
sources: gv, Emacs Docview, Evince, ps2pdf, etc.
So I was wondering if we could arrange to provide a wrapper around ‘gs’
that would run it in a container that can only access its input and
output files, plus font files from the store. Now I wonder if I’m too
naive and if this would in practice require more work.
Thoughts?
There are a few applications that use libgs directly though, and these
would have to be treated separately.
> Despite these issues, these programs are still the best way to achieve
> some common image processing goals, so we have to think about how to
> make them safer.
>
> The primary recommendation seems to be setting a restrictive security
> policy in ImageMagick's policy.xml file, as described in the discussions
> linked above.
>
> Currently, Guix doesn't "set up" ImageMagick at all upon installation,
> which is different from some other systems like Debian and Fedora and
> their cousins, where the vulnerabilities are more dire [0]. Our
> ImageMagick package includes the default, unrestricted policy.xml.
>
> But, I'm wondering if anyone is using these tools in production from
> Guix and, if so, how they do it, and if they would like us to ship a
> non-default, more restrictive policy.xml in our package. And if so,
> could they write the policy.xml? :)
I agree that it would be good to provide a policy.xml somehow. On
GuixSD, we could provide it by default for new accounts (as a Shadow
“skeleton”.)
Thanks,
Ludo’.
next prev parent reply other threads:[~2018-08-24 13:05 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-23 21:04 Ghostscript / ImageMagick / GraphicsMagick vulnerability mitigation? Leo Famulari
2018-08-24 13:04 ` Ludovic Courtès [this message]
2018-08-24 19:10 ` Leo Famulari
2018-08-25 14:52 ` Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87y3cvlxu2.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=guix-devel@gnu.org \
--cc=leo@famulari.name \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).