tech-pkg archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: Imagemagick policy
Am Thu, 19 Oct 2023 12:54:12 -0500
schrieb Tim Zingelman <tez%netbsd.org@localhost>:
> I'm a security person, so I really do not agree with insecure-by-default,
> even if it is the upstream policy/opinion.
Well, in this case it is less a matter of configuration than a matter
of offering advertised functionality to the users or not. I consider
pkgsrc as a method to deliver userspace software also for desktop
(interactive shell) usage. So I compare it to what Debian/Ubuntu did
with the policy. They opted for more 'secure' default, beginning with
<policy domain="resource" name="memory" value="256MiB"/>
They limit the memory the user is able to consume with image processing
operations to a mere 1/4 GiB. This may be sensible for web forum image
uploads that are converted on a server, but is am arbitrary limitation
for a photographer wanting to batch-process images on the workstation.
We could discuss those:
<policy domain="delegate" rights="none" pattern="HTTPS" />
<policy domain="delegate" rights="none" pattern="HTTPS" />
I don't consider automatic network access as an expected default
feature for working with your local images. I consider it an
anti-feature that an image file conversion tool even has network code
in it (you can script wget or curl with it!). That's my opinion … maybe
you agree from the security angle, though;-)
> The patch we have was added by the pkgsrc security team to address a
> published issue.
> Please don't use the open config as default.
I at least plea for usign a config that does this:
<policy domain="coder" rights="write" pattern="PS" />
<policy domain="coder" rights="write" pattern="PS2" />
<policy domain="coder" rights="write" pattern="PS3" />
<policy domain="coder" rights="write" pattern="EPS" />
<policy domain="coder" rights="write" pattern="PDF" />
<policy domain="coder" rights="write" pattern="XPS" />
instead of this
<policy domain="coder" rights="none" pattern="PS" />
<policy domain="coder" rights="none" pattern="PS2" />
<policy domain="coder" rights="none" pattern="PS3" />
<policy domain="coder" rights="none" pattern="EPS" />
<policy domain="coder" rights="none" pattern="PDF" />
<policy domain="coder" rights="none" pattern="XPS" />
(some current coders might be missing, point still applies)
The published issue (an older one than cve-2023-36664, I presume) for
sure was about PS/PDF input files being dangerous because of
ghostscript sandboxing failures. People threw out the baby with the
bathwater with disabling respective coders altogether. You can still
discuss that _any_ image format parser is dangerous with untrustet
input (I faintly remember some nice browser-exploitable JPEG issue).
Are you aware of any security issue with _producing_ PS/PDF output from
ImageMagick instead of parsing untrusted input, which needs security
considerations independent of the format? Being able to convert a
bitmap image to PDF is kinda useful sometimes.
Better: A sane level of paranoia would just not install ghostscript at
all on a concerned system. If your server doesn't need printing, you
likely could just install ImageMagick without ghostscript being present
and can be safe from respective vulnerabilities. I prefer not having
code available to having it disabled by configuration.
If a user installs ghostscript with pkgsrc, I'd imagine the user
intending to use it, which the 'secure' policy forbids. It's denial of
service.
> ImageMagick is installed as a dependency for other packages too, including
> several that are clearly intended to be network services.
Sure. But it is also a primary tool for command-line image conversion
operations on desktop systems. You don't see the users calling the
binary in their scripts showing up as dependency in pkgsrc.
Someone running a web server probably should enable the websafe config,
even, not just the secure one. And they should fix their web
application.
> Maybe I am not the typical pkgsrc user, but I don't think I have ever
> installed it on a single user machine.
Who's typical around here? I use it for processing photographs, among
others. I used to prefer netpbm, more unixy, but the ImageMagick
`convert` tool is too convenient too often …
Alrighty then,
Thomas
PS: Maybe I should re-investigate alternatives with less kitchen-sink
features … for simple rescaling and recompression of web uploads netpbm
seems to be a better choice for web server admins, anyway.
--
Dr. Thomas Orgis
HPC @ Universität Hamburg
Home |
Main Index |
Thread Index |
Old Index