tech-pkg archive


Re: Imagemagick policy



Thomas Klausner <wiz%gatalith.at@localhost> writes:

> ImageMagick-7.1.1-20/config/policy-limited.xml
>
>   Limited ImageMagick security policy:
>
>   The primary objective of the limited security policy is to find a
>   middle ground between convenience and security. This policy involves the
>   deactivation of potentially hazardous functionalities, like specific coders
>   such as SVG or HTTP. Furthermore, it establishes several constraints on
>   the utilization of resources like memory, storage, and processing duration,
>   all of which are adjustable. This policy proves advantageous in situations
>   where there's a need to mitigate the potential threat of handling possibly
>   malicious or demanding images, all while retaining essential capabilities
>   for prevalent image formats.

I guess the other question is what this really disables and why.  It
feels like upstream saying that some of their decoders are going to be
exploitable and that's just known.

What's the issue with SVG?

It also seems like there are problems with "indirect reads".
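To make "what this really disables" concrete, here is an added example (not part of the thread, and not a copy of ImageMagick's own policy-limited.xml) that embeds a constructed policy fragment written in the documented policy.xml syntax and summarises it: which coders and delegates are denied, which resource ceilings apply, and whether the `path` domain's `@*` rule blocks the `@file` indirect-read syntax. The policy fragment, the helper names and the brace-expansion routine are all assumptions for illustration.

```python
"""Summarise what an ImageMagick-style policy.xml fragment disables.

Added example for this thread. The policy text below is constructed in the
documented policy.xml syntax; it is not the policy-limited.xml shipped with
ImageMagick, and the limits are illustrative values only.
"""
import fnmatch
import xml.etree.ElementTree as ET

# Constructed policy fragment (assumed contents, not the upstream file).
LIMITED_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <!-- Resource ceilings: heap, pixel-cache map, geometry, disk and wall time. -->
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="map" value="512MiB"/>
  <policy domain="resource" name="width" value="16KP"/>
  <policy domain="resource" name="height" value="16KP"/>
  <policy domain="resource" name="disk" value="1GiB"/>
  <policy domain="resource" name="time" value="120"/>
  <!-- Coders that fetch remote data or drive an interpreter are denied. -->
  <policy domain="coder" rights="none" pattern="{HTTP,HTTPS,FTP,URL}"/>
  <policy domain="coder" rights="none" pattern="{SVG,MSL,MVG,PS,EPS,PDF,XPS}"/>
  <!-- No external delegate programs (ghostscript, curl, ...) are invoked. -->
  <policy domain="delegate" rights="none" pattern="*"/>
  <!-- Indirect reads: refuse "@file" arguments that pull input from a file. -->
  <policy domain="path" rights="none" pattern="@*"/>
</policymap>
"""


def _expand_braces(pattern):
    """Expand one ImageMagick-style {A,B,C} alternation into plain globs."""
    if "{" not in pattern:
        return [pattern]
    head, rest = pattern.split("{", 1)
    body, tail = rest.split("}", 1)
    return [head + alt + tail for alt in body.split(",")]


def load_policy(xml_text):
    """Return every <policy> element as a plain attribute dict."""
    root = ET.fromstring(xml_text)
    return [dict(p.attrib) for p in root.iter("policy")]


def denied_patterns(policies, domain):
    """Glob patterns for which `domain` grants no rights at all."""
    patterns = []
    for p in policies:
        if p.get("domain") == domain and p.get("rights") == "none":
            patterns.extend(_expand_braces(p["pattern"]))
    return patterns


def is_denied(policies, domain, name):
    """True if `name` (a coder, delegate or path argument) is refused in `domain`.

    Coder names are matched case-insensitively, as ImageMagick does for
    format names; '*' in fnmatch also matches '/', so '@*' covers '@/etc/x'.
    """
    return any(fnmatch.fnmatchcase(name.upper(), pat.upper())
               for pat in denied_patterns(policies, domain))


def resource_limits(policies):
    """Map resource name -> configured ceiling (strings, as in the XML)."""
    return {p["name"]: p["value"] for p in policies if p.get("domain") == "resource"}


def summarise(policies):
    """One dict answering 'what does this policy actually disable?'."""
    return {
        "denied_coders": denied_patterns(policies, "coder"),
        "denied_delegates": denied_patterns(policies, "delegate"),
        "indirect_reads_blocked": is_denied(policies, "path", "@anything"),
        "limits": resource_limits(policies),
    }


POLICY = load_policy(LIMITED_POLICY)

if __name__ == "__main__":
    for key, value in summarise(POLICY).items():
        print(f"{key}: {value}")
```

Running it prints the denied coder list (HTTP, HTTPS, SVG, PS and the rest), the delegate denial, the resource ceilings and that `@`-prefixed arguments are refused; `is_denied(POLICY, "coder", "PNG")` stays False, which is the "retaining essential capabilities for prevalent image formats" part of the upstream description.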



