Re: Ghostscript / ImageMagick / GraphicsMagick vulnerability mitigation?
From: Ludovic Courtès
Subject: Re: Ghostscript / ImageMagick / GraphicsMagick vulnerability mitigation?
Date: Sat, 25 Aug 2018 16:52:12 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
Leo Famulari <address@hidden> wrote:
> On Fri, Aug 24, 2018 at 03:04:53PM +0200, Ludovic Courtès wrote:
>> In this week’s discussions, it’s unclear to me why people are focusing
>> so much on ImageMagick and Evince when the real issue is in
>> Ghostscript’s ability to run arbitrary commands from PostScript code. I
>> rarely run ‘convert’ on PS files, but I do run ‘gs’ from different
>> sources: gv, Emacs Docview, Evince, ps2pdf, etc.
>
> I think they take for granted that Ghostscript should not handle
> untrusted input, so they are looking for ways that it may be invoked by
> other applications without the user's explicit consent. And, they are
> still picking the "low-hanging fruit" in this search, for example the
> thumbnailing thing.
>
> Apparently GNOME containerizes the thumbnailer in some cases with
> 'bubblewrap', but it requires the system to be set up properly (by us,
> for example).
That should work for us too, because AIUI bubblewrap falls back to using
user namespaces when they’re available. Well, we probably need to at
least add bubblewrap as a dependency to Evince, to begin with.
>> So I was wondering if we could arrange to provide a wrapper around ‘gs’
>> that would run it in a container that can only access its input and
>> output files, plus font files from the store. Now I wonder if I’m too
>> naive and if this would in practice require more work.
>>
>> Thoughts?
>
> Yeah, that would be interesting. Are there any packages that have
> something similar right now?
No, but we need to start somewhere. :-)
>> I agree that it would be good to provide a policy.xml somehow. On
>> GuixSD, we could provide it by default for new accounts (as a Shadow
>> “skeleton”.)
>
> Agreed, or at least alter the default copy that comes in the built
> package.
Indeed, we can also do that.
Thanks,
Ludo’.
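The ‘gs’ wrapper sketched in the message above (a container that sees only the input file, the output file and the store), written out as an added example using bubblewrap; this is not code from the thread or from Guix, and it assumes that bwrap and gs are on PATH and that the store lives at /gnu/store:

```shell
#!/bin/sh
# Added example, not code from the thread or from Guix: run Ghostscript
# inside a bubblewrap (bwrap) sandbox that can read only the store (gs
# itself plus fonts) and the input file, and write only the output file.
# Assumes bwrap and gs are on PATH and the store is at /gnu/store.
set -eu

GS_STORE="${GS_STORE:-/gnu/store}"

# With DRY_RUN=1 the final command is printed (one argument per line)
# instead of executed, so the bind list can be inspected or tested.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$@"; else exec "$@"; fi
}

# Usage: gs_sandboxed INPUT.ps OUTPUT.pdf
gs_sandboxed() {
    in_file=$1
    out_file=$2
    # Only a readable regular file is handed to gs.
    [ -f "$in_file" ] && [ -r "$in_file" ] || {
        echo "gs_sandboxed: cannot read input '$in_file'" >&2; return 1; }
    # bwrap binds onto existing paths, so create (and truncate) the output first.
    : > "$out_file" || return 1
    # --unshare-all drops the network, PID and IPC namespaces; nothing beyond
    # the listed binds (no $HOME, no /etc, no other files) exists inside.
    run bwrap \
        --unshare-all \
        --die-with-parent \
        --new-session \
        --ro-bind "$GS_STORE" "$GS_STORE" \
        --dev /dev \
        --tmpfs /tmp \
        --ro-bind "$in_file" /input.ps \
        --bind "$out_file" /output \
        --chdir / \
        gs -dSAFER -dBATCH -dNOPAUSE -sDEVICE=pdfwrite \
           -sOutputFile=/output /input.ps
}

# Run as a script: gs-sandboxed.sh INPUT.ps OUTPUT.pdf
if [ "$#" -eq 2 ]; then
    gs_sandboxed "$1" "$2"
fi
```

Binding the whole store is coarser than “font files from the store”; a tighter version would bind only the closure of the gs package and the font packages it needs.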