tech-pkg archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: Imagemagick policy
Thomas Klausner <wiz%gatalith.at@localhost> writes:
> ImageMagick-7.1.1-20/config/policy-limited.xml
>
> Limited ImageMagick security policy:
>
> The primary objective of the limited security policy is to find a
> middle ground between convenience and security. This policy involves the
> deactivation of potentially hazardous functionalities, like specific coders
> such as SVG or HTTP. Furthermore, it establishes several constraints on
> the utilization of resources like memory, storage, and processing duration,
> all of which are adjustable. This policy proves advantageous in situations
> where there's a need to mitigate the potential threat of handling possibly
> malicious or demanding images, all while retaining essential capabilities
> for prevalent image formats.
I guess the other question is what this really disables and why. It
feels like upstream saying that some of their decoders are going to be
exploitable and that's just known.
What's the issue with SVG?
It also seems like there are problems with "indirect reads".
Home |
Main Index |
Thread Index |
Old Index