From: Ludovic Courtès <ludo@gnu.org>
Subject: Re: Ghostscript / ImageMagick / GraphicsMagick vulnerability mitigation?
Date: Fri, 24 Aug 2018 15:04:53 +0200
Message-ID: <87y3cvlxu2.fsf@gnu.org>
In-Reply-To: <20180823210445.GA11845@jasmine.lan> (Leo Famulari's message of "Thu, 23 Aug 2018 17:04:45 -0400")
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Leo Famulari
Cc: guix-devel@gnu.org

Hello Leo,

Leo Famulari wrote:

> For the last couple of years, people have been finding exploitable bugs in
> the image processing system based on Ghostscript and ImageMagick /
> GraphicsMagick:
>
> http://seclists.org/oss-sec/2018/q3/142
> http://seclists.org/oss-sec/2016/q4/29

In this week’s discussions, it’s unclear to me why people are focusing so
much on ImageMagick and Evince when the real issue is in Ghostscript’s
ability to run arbitrary commands from PostScript code.

I rarely run ‘convert’ on PS files, but I do run ‘gs’ from different
sources: gv, Emacs Docview, Evince, ps2pdf, etc.

So I was wondering if we could arrange to provide a wrapper around ‘gs’
that would run it in a container that can only access its input and
output files, plus font files from the store.  Now I wonder if I’m too
naive and if this would in practice require more work.  Thoughts?

There are a few applications that use libgs directly though, and these
would have to be treated separately.

> Despite these issues, these programs are still the best way to achieve
> some common image processing goals, so we have to think about how to
> make them safer.
>
> The primary recommendation seems to be setting a restrictive security
> policy in ImageMagick's policy.xml file, as described in the discussions
> linked above.
>
> Currently, Guix doesn't "set up" ImageMagick at all upon installation,
> which is different from some other systems like Debian and Fedora and
> their cousins, where the vulnerabilities are more dire [0].  Our
> ImageMagick package includes the default, unrestricted policy.xml.
>
> But, I'm wondering if anyone is using these tools in production from
> Guix and, if so, how they do it, and if they would like us to ship a
> non-default, more restrictive policy.xml in our package.  And if so,
> could they write the policy.xml?  :)

I agree that it would be good to provide a policy.xml somehow.  On
GuixSD, we could provide it by default for new accounts (as a Shadow
“skeleton”.)

Thanks,
Ludo’.
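A sketch of the ‘gs’ wrapper proposed in the message above, added here as an example; it is not code from Guix or from anyone in this thread.  It assumes the `guix environment` interface as documented at the time: `--container` runs the command in an isolated namespace that sees only the store closure of the requested packages (so Ghostscript's own fonts come along with it) plus the current working directory, `--ad-hoc ghostscript` names that package, `--expose=SRC` bind-mounts SRC read-only at the same path inside, and there is no network unless `--network` is given.  The function names `gs_contained` and `abspath`, and the `GS_CONTAINED_DRY_RUN` knob, are invented for this example.

```shell
#!/bin/sh
# gs-contained: added example wrapper (not Guix's own code).  Runs gs in a
# `guix environment --container` that can read one input file, write to one
# output directory, and otherwise see only the store.
set -eu

# Absolute path without depending on realpath(1) being installed.
abspath() {
    case $1 in
        /*) printf '%s\n' "$1" ;;
        *)  printf '%s/%s\n' "$(pwd)" "$1" ;;
    esac
}

# gs_contained INPUT OUTPUT [GS-OPTION...]
#
# Runs `gs GS-OPTION... -sOutputFile=OUTPUT INPUT` inside the container.
# The container maps the current working directory writable, so the
# wrapper cd's into OUTPUT's directory: that directory (all of it, so use a
# fresh one, e.g. from mktemp -d) becomes the only writable host path.  The
# input is added separately as a read-only mount.  With
# GS_CONTAINED_DRY_RUN=1 the command is printed one word per line instead
# of executed (this is what the self-check below relies on).
gs_contained() {
    [ $# -ge 2 ] || { echo "usage: gs_contained INPUT OUTPUT [GS-OPTION...]" >&2; return 64; }
    in=$(abspath "$1"); out=$(abspath "$2"); shift 2
    [ -f "$in" ] || { echo "gs_contained: no such input: $in" >&2; return 66; }
    out_dir=$(dirname -- "$out")
    # If the input lived in the output directory, that whole directory
    # (and every sibling of the input) would be visible and writable in
    # the container, which defeats the "only input and output" goal.
    case $in in
        "$out_dir"/*) echo "gs_contained: output directory must not contain the input" >&2; return 65 ;;
    esac
    # Assumed guix environment flags; no --network, so gs has no network.
    set -- guix environment --container --ad-hoc ghostscript \
        --expose="$in" \
        -- gs "$@" -sOutputFile="$out" "$in"
    if [ "${GS_CONTAINED_DRY_RUN:-0}" = 1 ]; then
        printf 'cd %s\n' "$out_dir"
        printf '%s\n' "$@"
    else
        cd "$out_dir" && exec "$@"
    fi
}

# Example call (output directory created fresh so nothing else is shared):
#   out=$(mktemp -d); gs_contained paper.ps "$out/paper.pdf" -dBATCH -dNOPAUSE -sDEVICE=pdfwrite
```

This only covers programs that exec ‘gs’ (ps2pdf, gv, Docview and friends would need to call the wrapper instead of gs itself); as the message notes, applications linking libgs directly are not helped by it.  Any option the caller passes after the two paths goes to gs unchanged, so the usual -dBATCH/-dNOPAUSE/-sDEVICE choices still apply.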
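For the policy.xml side of the thread (Leo's request for a restrictive policy and the "skeleton" idea above), here is an added example of what such a skeleton could install; it is not code from Guix or ImageMagick.  The coder list follows the mitigation discussed in the linked oss-sec posts: deny every coder that ImageMagick delegates to Ghostscript.  It assumes ImageMagick's documented per-user search path, `$XDG_CONFIG_HOME/ImageMagick/policy.xml` (by default `~/.config/ImageMagick/policy.xml`); the function names `restrictive_policy`, `install_policy` and `blocked_coders` are invented for this example.

```shell
#!/bin/sh
# Added example (not Guix's or ImageMagick's own code): write a restrictive
# ImageMagick policy.xml into a per-user config directory, which is the
# kind of file a Shadow skeleton (/etc/skel) would pre-populate.
set -eu

# The policy.  ImageMagick's default policy.xml has no <policy> entries
# for these coders, so convert(1) hands PS/EPS/PDF/XPS input straight to
# gs; rights="none" makes it refuse them instead.
restrictive_policy() {
    cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <!-- Formats ImageMagick delegates to Ghostscript: deny them outright. -->
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
</policymap>
EOF
}

# install_policy DIR: writes DIR/policy.xml and prints its path.  Refuses
# to clobber an existing file so a user's own tighter policy survives.
install_policy() {
    dir=$1
    mkdir -p "$dir"
    if [ -e "$dir/policy.xml" ]; then
        echo "install_policy: $dir/policy.xml exists, not overwriting" >&2
        return 1
    fi
    restrictive_policy > "$dir/policy.xml"
    printf '%s\n' "$dir/policy.xml"
}

# blocked_coders FILE: lists the coders FILE denies, one per line.  Useful
# for checking a skeleton before shipping it.
blocked_coders() {
    sed -n 's/.*domain="coder" rights="none" pattern="\([A-Z0-9]*\)".*/\1/p' "$1"
}

# Per-user install (assumed ImageMagick search path); for a skeleton, pass
# /etc/skel/.config/ImageMagick instead:
#   install_policy "${XDG_CONFIG_HOME:-$HOME/.config}/ImageMagick"
```

Once the file is in place, `convert -list policy` shows the policy ImageMagick actually loaded, which is the check to run before assuming the coders are blocked; a policy placed in a directory ImageMagick does not search is silently ignored.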