tech-pkg archive
Imagemagick policy
Hi!
I looked at updating ImageMagick, and the latest now delivers four
default policy files. They are described in comments inside:
ImageMagick-7.1.1-20/config/policy-limited.xml
Limited ImageMagick security policy:
The primary objective of the limited security policy is to find a
middle ground between convenience and security. This policy involves the
deactivation of potentially hazardous functionalities, like specific coders
such as SVG or HTTP. Furthermore, it establishes several constraints on
the utilization of resources like memory, storage, and processing duration,
all of which are adjustable. This policy proves advantageous in situations
where there's a need to mitigate the potential threat of handling possibly
malicious or demanding images, all while retaining essential capabilities
for prevalent image formats.
ImageMagick-7.1.1-20/config/policy-open.xml
Open ImageMagick security policy:
The default policy for ImageMagick installations is the open security
policy. This policy is designed for usage in secure settings like those
protected by firewalls or within Docker containers. Within this framework,
ImageMagick enjoys broad access to resources and functionalities. This policy
provides convenient and adaptable options for image manipulation. However,
it's important to note that it might present security vulnerabilities in
less regulated conditions. Thus, organizations should thoroughly assess
the appropriateness of the open policy according to their particular use
case and security prerequisites.
ImageMagick-7.1.1-20/config/policy-secure.xml
Secure ImageMagick security policy:
This stringent security policy prioritizes the implementation of
rigorous controls and restricted resource utilization to establish a
profoundly secure setting while employing ImageMagick. It deactivates
conceivably hazardous functionalities, including specific coders like
SVG or HTTP. The policy promotes the tailoring of security measures to
harmonize with the requirements of the local environment and the guidelines
of the organization. This protocol encompasses explicit particulars like
limitations on memory consumption, sanctioned pathways for reading and
writing, confines on image sequences, the utmost permissible duration of
workflows, allocation of disk space intended for image data, and even an
undisclosed passphrase for remote connections. By adopting this robust
policy, entities can elevate their overall security stance and alleviate
potential vulnerabilities.
ImageMagick-7.1.1-20/config/policy-websafe.xml
Web-safe ImageMagick security policy:
This security protocol designed for web-safe usage focuses on situations
where ImageMagick is applied in publicly accessible contexts, like websites.
It deactivates the capability to read from or write to any image formats
other than web-safe formats like GIF, JPEG, and PNG. Additionally, this
policy prohibits the execution of image filters and indirect reads, thereby
thwarting potential security breaches. By implementing these limitations,
the web-safe policy fortifies the safeguarding of systems accessible to
the public, reducing the risk of exploiting ImageMagick's capabilities
for potential attacks.
Before that release, we had (still have) a pkgsrc patch for the one
policy:
+ <!--
+ -- Disable ghostscript decoders as suggested by VU#332928
+ -- <https://www.kb.cert.org/vuls/id/332928>
+ -->
+ <policy domain="coder" rights="write" pattern="PS" />
+ <policy domain="coder" rights="write" pattern="PS2" />
+ <policy domain="coder" rights="write" pattern="PS3" />
+ <policy domain="coder" rights="write" pattern="EPS" />
+ <policy domain="coder" rights="write" pattern="PDF" />
+ <policy domain="coder" rights="write" pattern="XPS" />
+
+ <!-- Recommended policies from <https://imagetragick.com/> -->
+ <policy domain="coder" rights="none" pattern="EPHEMERAL" />
+ <policy domain="coder" rights="none" pattern="URL" />
+ <policy domain="coder" rights="none" pattern="HTTPS" />
+ <!-- breaks deforaos-icon-theme package -->
+ <!--<policy domain="coder" rights="none" pattern="MVG" />-->
+ <policy domain="coder" rights="none" pattern="MSL" />
+ <policy domain="coder" rights="none" pattern="TEXT" />
+ <policy domain="coder" rights="none" pattern="SHOW" />
+ <policy domain="coder" rights="none" pattern="WIN" />
+ <policy domain="coder" rights="none" pattern="PLT" />
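Review bot: the commented-out MVG entry leaves a coder from the imagetragick recommendation fully enabled for every installation, only because deforaos-icon-theme breaks without it. Consider keeping rights="none" for MVG in the shipped policy and handling the exception in that one package instead. Two smaller points: the block sets URL and HTTPS to none but has no HTTP entry, and the first comment says "Disable ghostscript decoders" while the entries use rights="write", so a short note that this grants write only and thereby blocks reading would save the next reader a lookup.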
I think since ImageMagick now delivers four to choose from, admins can
easily deploy the one they want, and we should switch back to the
default (in this case, open) policy to match what upstream provides.
Opinions?
Thomas
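An added example, not part of the original message and not pkgsrc or ImageMagick code: a small audit that reads a policy file and reports which coders can still be read or written, useful for comparing the patched policy with one of the four shipped files. The sample policy is constructed from a subset of the patch entries; the function names and the matching rules noted in the comments (default allow, last matching entry decides, plain glob patterns) are assumptions of this sketch.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample: a subset of the coder entries from the pkgsrc patch.
SAMPLE_POLICY = """<policymap>
  <policy domain="coder" rights="write" pattern="PS" />
  <policy domain="coder" rights="write" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <!--<policy domain="coder" rights="none" pattern="MVG" />-->
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>"""

ALL_RIGHTS = frozenset({"read", "write"})


def parse_rights(value):
    """Turn a rights attribute such as "none" or "read|write" into a set."""
    tokens = {t.strip().lower() for t in value.split("|")}
    return frozenset(tokens - {"none"}) & ALL_RIGHTS


def coder_rights(policy_xml, coder):
    """Effective read/write rights for one coder.

    Assumptions: a coder with no matching entry keeps all rights, and when
    several entries match, the last one in the file decides.
    """
    rights = ALL_RIGHTS
    # ElementTree skips XML comments, so commented-out entries are ignored.
    for entry in ET.fromstring(policy_xml).iter("policy"):
        if entry.get("domain", "").lower() != "coder":
            continue
        if fnmatch.fnmatchcase(coder, entry.get("pattern", "")):
            rights = parse_rights(entry.get("rights", "none"))
    return rights


def audit(policy_xml, coders):
    """Map each coder name to a sorted list of the rights it still has."""
    return {c: sorted(coder_rights(policy_xml, c)) for c in coders}


if __name__ == "__main__":
    names = ["PS", "PDF", "URL", "HTTPS", "HTTP", "MVG", "MSL"]
    for name, rights in audit(SAMPLE_POLICY, names).items():
        print(f"{name:6} {'|'.join(rights) or 'none'}")
```

Running the same audit over the policy file actually installed on a host shows at a glance which of the coders named in the patch remain readable after a switch to a different shipped policy.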