Ghostscript / ImageMagick / GraphicsMagick vulnerability mitigation?

Ghostscript / ImageMagick / GraphicsMagick vulnerability mitigation?

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 1099 bytes --]

For the last couple years, people have been finding exploitable bugs in
the image processing system based on Ghostscript and ImageMagick /
GraphicsMagick:

http://seclists.org/oss-sec/2018/q3/142
http://seclists.org/oss-sec/2016/q4/29

Despite these issues, these programs are still the best way to achieve
some common image processing goals, so we have to think about how to
make them safer.

The primary recommendation seems to be setting a restrictive security
policy in ImageMagick's policy.xml file, as described in the discussions
linked above.

Currently, Guix doesn't "set up" ImageMagick at all upon installation,
which is different from some other systems like Debian and Fedora and
their cousins, where the vulnerabilities are more dire [0]. Our
ImageMagick package includes the default, unrestricted policy.xml.

But, I'm wondering if anyone is using these tools in production from
Guix and, if so, how they do it, and if they would like us to ship a
non-default, more restrictive policy.xml in our package. And if so,
could they write the policy.xml? :)

[0] https://bugs.gnu.org/32515

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: Ghostscript / ImageMagick / GraphicsMagick vulnerability mitigation?

[Ludovic Courtès]

Hello Leo,

Leo Famulari <leo@famulari.name> skribis:

> For the last couple years, people have been finding exploitable bugs in
> the image processing system based on Ghostscript and ImageMagick /
> GraphicsMagick:
>
> http://seclists.org/oss-sec/2018/q3/142
> http://seclists.org/oss-sec/2016/q4/29

In this week’s discussions, it’s unclear to me why people are focusing
so much on ImageMagick and Evince when the real issue is in
Ghostscript’s ability to run arbitrary commands from PostScript code.  I
rarely run ‘convert’ on PS files, but I do run ‘gs’ from different
sources: gv, Emacs Docview, Evince, ps2pdf, etc.

So I was wondering if we could arrange to provide a wrapper around ‘gs’
that would run it in a container that can only access its input and
output files, plus font files from the store.  Now I wonder if I’m too
naive and if this would in practice require more work.

Thoughts?

There are a few applications that use libgs directly though, and these
would have to be treated separately.

> Despite these issues, these programs are still the best way to achieve
> some common image processing goals, so we have to think about how to
> make them safer.
>
> The primary recommendation seems to be setting a restrictive security
> policy in ImageMagick's policy.xml file, as described in the discussions
> linked above.
>
> Currently, Guix doesn't "set up" ImageMagick at all upon installation,
> which is different from some other systems like Debian and Fedora and
> their cousins, where the vulnerabilities are more dire [0]. Our
> ImageMagick package includes the default, unrestricted policy.xml.
>
> But, I'm wondering if anyone is using these tools in production from
> Guix and, if so, how they do it, and if they would like us to ship a
> non-default, more restrictive policy.xml in our package. And if so,
> could they write the policy.xml? :)

I agree that it would be good to provide a policy.xml somehow. On
GuixSD, we could provide it by default for new accounts (as a Shadow
“skeleton”.)

Thanks,
Ludo’.

Re: Ghostscript / ImageMagick / GraphicsMagick vulnerability mitigation?

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 1521 bytes --]

On Fri, Aug 24, 2018 at 03:04:53PM +0200, Ludovic Courtès wrote:
> In this week’s discussions, it’s unclear to me why people are focusing
> so much on ImageMagick and Evince when the real issue is in
> Ghostscript’s ability to run arbitrary commands from PostScript code.  I
> rarely run ‘convert’ on PS files, but I do run ‘gs’ from different
> sources: gv, Emacs Docview, Evince, ps2pdf, etc.

I think they take for granted that Ghostscript should not handle
untrusted input, so they are looking for ways that it may be invoked by
other applications without the user's explicit consent. And, they are
still picking the "low-hanging fruit" in this search, for example the
thumbnailing thing.

Apparently GNOME containerizes the thumbnailer in some cases with
'bubblewrap', but it requires the system to be set up properly (by us,
for example).

> So I was wondering if we could arrange to provide a wrapper around ‘gs’
> that would run it in a container that can only access its input and
> output files, plus font files from the store.  Now I wonder if I’m too
> naive and if this would in practice require more work.
> 
> Thoughts?

Yeah, that would be interesting. Are there any packages that have
something similar right now?

> I agree that it would be good to provide a policy.xml somehow. On
> GuixSD, we could provide it by default for new accounts (as a Shadow
> “skeleton”.)

Agreed, or at least alter the default copy that comes in the built
package.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: Ghostscript / ImageMagick / GraphicsMagick vulnerability mitigation?

[Ludovic Courtès]

Leo Famulari <leo@famulari.name> skribis:

> On Fri, Aug 24, 2018 at 03:04:53PM +0200, Ludovic Courtès wrote:
>> In this week’s discussions, it’s unclear to me why people are focusing
>> so much on ImageMagick and Evince when the real issue is in
>> Ghostscript’s ability to run arbitrary commands from PostScript code.  I
>> rarely run ‘convert’ on PS files, but I do run ‘gs’ from different
>> sources: gv, Emacs Docview, Evince, ps2pdf, etc.
>
> I think they take for granted that Ghostscript should not handle
> untrusted input, so they are looking for ways that it may be invoked by
> other applications without the user's explicit consent. And, they are
> still picking the "low-hanging fruit" in this search, for example the
> thumbnailing thing.
>
> Apparently GNOME containerizes the thumbnailer in some cases with
> 'bubblewrap', but it requires the system to be set up properly (by us,
> for example).

That should work for us too, because AIUI bubblewrap falls back to using
user namespaces when they’re available.  Well, we probably need to at
least add bubblewrap as a dependency to Evince, to being with.

>> So I was wondering if we could arrange to provide a wrapper around ‘gs’
>> that would run it in a container that can only access its input and
>> output files, plus font files from the store.  Now I wonder if I’m too
>> naive and if this would in practice require more work.
>> 
>> Thoughts?
>
> Yeah, that would be interesting. Are there any packages that have
> something similar right now?

No, but we need to start somewhere.  :-)

>> I agree that it would be good to provide a policy.xml somehow. On
>> GuixSD, we could provide it by default for new accounts (as a Shadow
>> “skeleton”.)
>
> Agreed, or at least alter the default copy that comes in the built
> package.

Indeed, we can also do that.

Thanks,
Ludo’.