tech-pkg archive


Re: Imagemagick policy



On Thu, 19 Oct 2023 10:44:11 -0400,
Greg Troxel <gdt%lexort.com@localhost> wrote:

> The Open policy description does not really make sense.  It says it is
> ok to use in systems with firewalls or in Docker containers.

My issue is that they mainly see the deployment of ImageMagick on
webservers where it processes images that people upload in web forms
etc. That's the security focus of exploits for sure.

This means _decoding_ of PDF/PS is dangerous as it invokes ghostscript,
which had a number of prominent security issues in interpreting these
complex (Turing complete?) file formats/page description languages.

IM wants to look sensible with web servers as focus.

> It seems semi-obvious to me that we should choose Limited as a default;
> this is stated to be a middle ground, not too scary, not so far into
> security-first that you can't do anything.

What is the target audience of pkgsrc? I am thinking mostly about
end-user scripts and data, not web uploads. If you deploy your web
servers (hence the talk about containers and firewalls, supposedly
limiting access and impact of outside actors) using pkgsrc, the limited
config makes sense as default, but more so does configuring your web
application to allow only certain types of files or not process them at
all in unprotected contexts (like, running ImageMagick not as the
privileged web server user, doh).

The stricter configs disable functionality for all users to protect web
admins that don't think about upload policies and safe processing of
untrusted input files on their servers.


Alrighty then,

Thomas

-- 
Dr. Thomas Orgis
HPC @ Universität Hamburg
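As an added illustration of the "Open" versus "Limited" distinction discussed above (example code, not from this thread or from the ImageMagick project): a small audit that parses a policy.xml fragment and reports which Ghostscript-delegated coders it still lets ImageMagick decode. It assumes ImageMagick's rule that every matching coder policy is applied in document order with the last match winning, and that PS, PS2, PS3, EPS, PDF and XPS are the coders handed to Ghostscript; both policy samples are constructed.

```python
"""Audit an ImageMagick policy.xml for coders that hand files to Ghostscript."""
import fnmatch
import xml.etree.ElementTree as ET

# Coders that ImageMagick delegates to Ghostscript for decoding (assumption).
GHOSTSCRIPT_CODERS = ("PS", "PS2", "PS3", "EPS", "PDF", "XPS")

# Constructed sample: an "open"-style policy with no coder restrictions.
OPEN_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>"""

# Constructed sample: a "limited"-style policy denying the Ghostscript coders.
LIMITED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="PS"/>
  <policy domain="coder" rights="none" pattern="PS2"/>
  <policy domain="coder" rights="none" pattern="PS3"/>
  <policy domain="coder" rights="none" pattern="EPS"/>
  <policy domain="coder" rights="none" pattern="PDF"/>
  <policy domain="coder" rights="none" pattern="XPS"/>
</policymap>"""


def coder_can_read(policy_xml: str, coder: str) -> bool:
    """Return True if the policy allows reading (decoding) the given coder.

    Assumed ImageMagick semantics: every coder policy whose pattern matches is
    applied in document order, so the last match wins and an unmatched coder
    stays open. Only plain glob patterns are handled (no {A,B} alternation).
    """
    allowed = True
    for policy in ET.fromstring(policy_xml).iter("policy"):
        if policy.get("domain") != "coder":
            continue
        if not fnmatch.fnmatchcase(coder, policy.get("pattern", "")):
            continue
        rights = policy.get("rights", "none")
        allowed = "read" in rights.split("|")
    return allowed


def ghostscript_coders_still_readable(policy_xml: str) -> list:
    """List the Ghostscript-delegated coders the policy still lets IM decode."""
    return [c for c in GHOSTSCRIPT_CODERS if coder_can_read(policy_xml, c)]
```

Running `ghostscript_coders_still_readable` over the open sample returns all six coders; over the limited sample it returns an empty list.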

