From: Leo Famulari
Subject: Re: Ghostscript / ImageMagick / GraphicsMagick vulnerability mitigation?
Date: Fri, 24 Aug 2018 15:10:20 -0400
Message-ID: <20180824191020.GA25122@jasmine.lan>
In-Reply-To: <87y3cvlxu2.fsf@gnu.org>
To: Ludovic Courtès
Cc: guix-devel@gnu.org
List-Id: "Development of GNU Guix and the GNU System distribution."

On Fri, Aug 24, 2018 at 03:04:53PM +0200, Ludovic Courtès wrote:
> In this week’s discussions, it’s unclear to me why people are focusing
> so much on ImageMagick and Evince when the real issue is in
> Ghostscript’s ability to run arbitrary commands from PostScript code. I
> rarely run ‘convert’ on PS files, but I do run ‘gs’ from different
> sources: gv, Emacs Docview, Evince, ps2pdf, etc.

I think they take for granted that Ghostscript should not handle
untrusted input, so they are looking for ways that it may be invoked by
other applications without the user's explicit consent.

And, they are still picking the "low-hanging fruit" in this search, for
example the thumbnailing thing. Apparently GNOME containerizes the
thumbnailer in some cases with 'bubblewrap', but it requires the system
to be set up properly (by us, for example).

> So I was wondering if we could arrange to provide a wrapper around ‘gs’
> that would run it in a container that can only access its input and
> output files, plus font files from the store. Now I wonder if I’m too
> naive and if this would in practice require more work.
>
> Thoughts?

Yeah, that would be interesting. Are there any packages that have
something similar right now?

> I agree that it would be good to provide a policy.xml somehow. On
> GuixSD, we could provide it by default for new accounts (as a Shadow
> “skeleton”.)

Agreed, or at least alter the default copy that comes in the built
package.
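The policy.xml idea discussed in the thread, written out as an added example (not a file from the thread or from the Guix tree): it denies ImageMagick's coders that hand input to Ghostscript, so 'convert' refuses PostScript and PDF input instead of spawning 'gs'. The per-user path, the delegate-domain line and the version caveats in the comments are assumptions to check against the installed ImageMagick.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Assumed locations (verify with `convert -list policy`, or `magick -list policy`
  on ImageMagick 7, which prints the policy files that were actually loaded):
    system-wide: the policy.xml shipped with the built package
    per-user:    ~/.config/ImageMagick/policy.xml  (the "skeleton" idea from
                 the thread would drop this file into each new account)
-->
<policymap>
  <!-- Coders that route input through the Ghostscript delegate.  rights="none"
       makes ImageMagick reject these formats for both reading and writing, so
       untrusted PS/EPS/PDF never reaches gs via convert, identify, display... -->
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />

  <!-- Belt and braces: also forbid the gs delegate program itself, so a format
       not listed above that still falls back to Ghostscript is blocked too.
       Assumption: the installed version understands the "delegate" domain
       (older 6.x releases ignore unknown domains rather than failing). -->
  <policy domain="delegate" rights="none" pattern="gs" />

  <!-- Unrelated to Ghostscript but cheap: refuse to read from arbitrary paths
       via the "@file" syntax, which otherwise turns a filename into file I/O. -->
  <policy domain="path" rights="none" pattern="@*" />
</policymap>
```

After installing the file, `convert sample.ps out.png` on a constructed test file should fail with a "not authorized" policy error rather than invoking gs, which is the check that the policy is actually being loaded.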