[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Ghostscript / ImageMagick / GraphicsMagick vulnerability mitigation?
|
From: |
Leo Famulari |
|
Subject: |
Ghostscript / ImageMagick / GraphicsMagick vulnerability mitigation? |
|
Date: |
Thu, 23 Aug 2018 17:04:45 -0400 |
|
User-agent: |
Mutt/1.10.1 (2018-07-13) |
For the last couple years, people have been finding exploitable bugs in
the image processing system based on Ghostscript and ImageMagick /
GraphicsMagick:
http://seclists.org/oss-sec/2018/q3/142
http://seclists.org/oss-sec/2016/q4/29
Despite these issues, these programs are still the best way to achieve
some common image processing goals, so we have to think about how to
make them safer.
The primary recommendation seems to be setting a restrictive security
policy in ImageMagick's policy.xml file, as described in the discussions
linked above.
Currently, Guix doesn't "set up" ImageMagick at all upon installation,
which is different from some other systems like Debian and Fedora and
their cousins, where the vulnerabilities are more dire [0]. Our
ImageMagick package includes the default, unrestricted policy.xml.
But, I'm wondering if anyone is using these tools in production from
Guix and, if so, how they do it, and if they would like us to ship a
non-default, more restrictive policy.xml in our package. And if so,
could they write the policy.xml? :)
[0] https://bugs.gnu.org/32515
signature.asc
Description: PGP signature
- Ghostscript / ImageMagick / GraphicsMagick vulnerability mitigation?,
Leo Famulari <=