From: ludo@gnu.org (Ludovic Courtès)
Subject: Re: Ghostscript / ImageMagick / GraphicsMagick vulnerability mitigation?
Date: Sat, 25 Aug 2018 16:52:12 +0200
Message-ID: <871sambisj.fsf@gnu.org>
In-Reply-To: <20180824191020.GA25122@jasmine.lan> (Leo Famulari's message of "Fri, 24 Aug 2018 15:10:20 -0400")
To: Leo Famulari
Cc: guix-devel@gnu.org

Leo Famulari skribis:

> On Fri, Aug 24, 2018 at 03:04:53PM +0200, Ludovic Courtès wrote:
>> In this week’s discussions, it’s unclear to me why people are focusing
>> so much on ImageMagick and Evince when the real issue is in
>> Ghostscript’s ability to run arbitrary commands from PostScript code. I
>> rarely run ‘convert’ on PS files, but I do run ‘gs’ from different
>> sources: gv, Emacs Docview, Evince, ps2pdf, etc.
>
> I think they take for granted that Ghostscript should not handle
> untrusted input, so they are looking for ways that it may be invoked by
> other applications without the user's explicit consent. And, they are
> still picking the "low-hanging fruit" in this search, for example the
> thumbnailing thing.
>
> Apparently GNOME containerizes the thumbnailer in some cases with
> 'bubblewrap', but it requires the system to be set up properly (by us,
> for example).

That should work for us too, because AIUI bubblewrap falls back to using
user namespaces when they’re available. Well, we probably need to at
least add bubblewrap as a dependency to Evince, to begin with.

>> So I was wondering if we could arrange to provide a wrapper around ‘gs’
>> that would run it in a container that can only access its input and
>> output files, plus font files from the store. Now I wonder if I’m too
>> naive and if this would in practice require more work.
>>
>> Thoughts?
>
> Yeah, that would be interesting. Are there any packages that have
> something similar right now?

No, but we need to start somewhere. :-)

>> I agree that it would be good to provide a policy.xml somehow. On
>> GuixSD, we could provide it by default for new accounts (as a Shadow
>> “skeleton”.)
>
> Agreed, or at least alter the default copy that comes in the built
> package.

Indeed, we can also do that.

Thanks,
Ludo’.
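The ‘gs’ wrapper sketched in the thread above, written out as an added example (not Guix code or anything shipped by the project): a POSIX sh script that runs Ghostscript under bubblewrap with read-only access to the input file and to the store tree holding gs and its fonts, write access only to the output directory, a private /tmp and no network. It assumes bwrap and gs are installed, that gs and its fonts live under STORE (default /gnu/store, an assumption), and adds Ghostscript’s own -dSAFER as a second layer; setting DRY_RUN prints the bwrap command instead of running it.

```sh
#!/bin/sh
# Added example, not Guix code: run Ghostscript inside a bubblewrap container
# that sees only the read-only store (gs binary and fonts), the read-only
# input file and the writable output directory. Everything else is hidden.
# Assumptions: bwrap and gs are installed and gs lives under $STORE.
set -eu

STORE="${STORE:-/gnu/store}"   # read-only tree holding gs and its fonts (assumed)
GS="${GS:-gs}"                  # gs binary, resolved via PATH inside the container

# run_sandboxed_gs INPUT.ps OUTPUT.pdf
# Both paths must be absolute (they double as bind-mount destinations).
# With DRY_RUN set, the bwrap command line is printed instead of executed.
run_sandboxed_gs() {
  in="$1"; out="$2"
  for p in "$in" "$out"; do
    case "$p" in
      /*) ;;
      *) echo "run_sandboxed_gs: $p must be an absolute path" >&2; return 1 ;;
    esac
  done
  outdir=$(dirname -- "$out")
  # --unshare-all: new user/PID/net/IPC/UTS namespaces, so no network access.
  # Only the three bind mounts below are visible from the container root.
  ${DRY_RUN:+echo} bwrap \
    --unshare-all --die-with-parent --new-session \
    --ro-bind "$STORE" "$STORE" \
    --ro-bind "$in" "$in" \
    --bind "$outdir" "$outdir" \
    --tmpfs /tmp --dev /dev --proc /proc \
    --clearenv --setenv PATH "$PATH" \
    -- "$GS" -dSAFER -dBATCH -dNOPAUSE -sDEVICE=pdfwrite \
       -sOutputFile="$out" "$in"
}

# Run the wrapper when invoked as a script; stays quiet when sourced.
if [ "$#" -eq 2 ]; then
  run_sandboxed_gs "$1" "$2"
fi
```

Because the script only runs bwrap when given exactly two arguments, it can be sourced by other wrappers (an Evince or ps2pdf launcher, say) that call run_sandboxed_gs themselves.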