tech-pkg archive


Re: Imagemagick policy



Am Thu, 19 Oct 2023 12:54:12 -0500
schrieb Tim Zingelman <tez%netbsd.org@localhost>:

> I'm a security person, so I really do not agree with insecure-by-default,
> even if it is the upstream policy/opinion.

Well, in this case it is less a matter of configuration than a matter
of offering advertised functionality to the users or not. I consider
pkgsrc as a method to deliver userspace software also for desktop
(interactive shell) usage. So I compare it to what Debian/Ubuntu did
with the policy. They opted for more 'secure' default, beginning with

<policy domain="resource" name="memory" value="256MiB"/>

They limit the memory the user is able to consume with image processing
operations to a mere 1/4 GiB. This may be sensible for web forum image
uploads that are converted on a server, but is an arbitrary limitation
for a photographer wanting to batch-process images on the workstation.

We could discuss those:

<policy domain="delegate" rights="none" pattern="HTTPS" />
<policy domain="delegate" rights="none" pattern="HTTPS" />

I don't consider automatic network access as an expected default
feature for working with your local images. I consider it an
anti-feature that an image file conversion tool even has network code
in it (you can script wget or curl with it!). That's my opinion … maybe
you agree from the security angle, though;-)

> The patch we have was added by the pkgsrc security team to address a
> published issue.
> Please don't use the open config as default.

I at least plea for using a config that does this:

  <policy domain="coder" rights="write" pattern="PS" />
  <policy domain="coder" rights="write" pattern="PS2" />
  <policy domain="coder" rights="write" pattern="PS3" />
  <policy domain="coder" rights="write" pattern="EPS" />
  <policy domain="coder" rights="write" pattern="PDF" />
  <policy domain="coder" rights="write" pattern="XPS" />

instead of this

  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />

(some current coders might be missing, point still applies)

The published issue (an older one than CVE-2023-36664, I presume) for
sure was about PS/PDF input files being dangerous because of
ghostscript sandboxing failures. People threw out the baby with the
bathwater with disabling respective coders altogether. You can still
discuss that _any_ image format parser is dangerous with untrusted
input (I faintly remember some nice browser-exploitable JPEG issue).

Are you aware of any security issue with _producing_ PS/PDF output from
ImageMagick instead of parsing untrusted input, which needs security
considerations independent of the format? Being able to convert a
bitmap image to PDF is kinda useful sometimes.

Better: A sane level of paranoia would just not install ghostscript at
all on a concerned system. If your server doesn't need printing, you
likely could just install ImageMagick without ghostscript being present
and can be safe from respective vulnerabilities. I prefer not having
code available to having it disabled by configuration.

If a user installs ghostscript with pkgsrc, I'd imagine the user
intending to use it, which the 'secure' policy forbids. It's denial of
service.

> ImageMagick is installed as a dependency for other packages too, including
> several that are clearly intended to be network services.

Sure. But it is also a primary tool for command-line image conversion
operations on desktop systems. You don't see the users calling the
binary in their scripts showing up as dependency in pkgsrc.

Someone running a web server probably should enable the websafe config,
even, not just the secure one. And they should fix their web
application.

> Maybe I am not the typical pkgsrc user, but I don't think I have ever
> installed it on a single user machine.

Who's typical around here? I use it for processing photographs, among
others. I used to prefer netpbm, more unixy, but the ImageMagick
`convert` tool is too convenient too often …


Alrighty then,

Thomas

PS: Maybe I should re-investigate alternatives with less kitchen-sink
features … for simple rescaling and recompression of web uploads netpbm
seems to be a better choice for web server admins, anyway.

-- 
Dr. Thomas Orgis
HPC @ Universität Hamburg
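
The mail argues about two things a policy.xml can express: per-coder rights
(none vs. write) and resource limits. As an added example, and not part of the
mail or of ImageMagick's own code, the Python below evaluates constructed
policy fragments modelled on the ones quoted above (the <policymap> wrapper
around them is an assumption about the surrounding file) and answers the
question the thread turns on: does "rights=write" on PDF/PS let you produce a
PDF from a bitmap while still refusing to parse an untrusted PDF? The checker
approximates ImageMagick's deny-wins rule, where every matching entry must
grant every requested right; the glob matching against the upper-case coder
name and the byte-unit parsing are simplified reimplementations, not calls
into ImageMagick.

```python
"""Offline evaluator for ImageMagick-style <policymap> fragments.

Added example; not ImageMagick's own code. It approximates the deny-wins
logic of the policy check: every <policy> entry whose domain and glob
pattern match must grant every requested right, otherwise the operation
is refused. Entries without rights= (resource limits) never restrict.
"""
import fnmatch
import xml.etree.ElementTree as ET

RIGHT_BITS = {"none": 0, "read": 1, "write": 2, "execute": 4, "all": 7}
UNIT = {"": 1, "b": 1, "kib": 1024, "mib": 1024 ** 2, "gib": 1024 ** 3,
        "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}

# Constructed "secure"-style fragment: PS/PDF coders switched off entirely.
POLICY_NONE = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="delegate" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
</policymap>"""

# Constructed variant argued for in the mail: reading PS/PDF (where
# Ghostscript parses untrusted input) stays refused, writing them is allowed.
POLICY_WRITE = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="delegate" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="write" pattern="PS" />
  <policy domain="coder" rights="write" pattern="EPS" />
  <policy domain="coder" rights="write" pattern="PDF" />
</policymap>"""


def parse_rights(text):
    """'read|write' -> 3, 'none' -> 0. An unknown token raises, as a typo should."""
    bits = 0
    for token in text.lower().split("|"):
        bits |= RIGHT_BITS[token.strip()]
    return bits


def load_policy(xml_text):
    """Return the <policy> entries of a policymap as attribute dicts."""
    return [dict(p.attrib) for p in ET.fromstring(xml_text).iter("policy")]


def is_authorized(policies, domain, pattern, requested):
    """Deny wins: any matching entry lacking a requested right refuses it."""
    want = parse_rights(requested)
    authorized = True
    for p in policies:
        if p.get("domain") != domain or "rights" not in p:
            continue
        # coder entries are matched as globs against the upper-case coder name
        if not fnmatch.fnmatchcase(pattern, p.get("pattern", "*")):
            continue
        if want & ~parse_rights(p["rights"]):
            authorized = False
    return authorized


def resource_limit(policies, name):
    """Resolve e.g. memory=256MiB to bytes; None when the policy sets no limit."""
    for p in policies:
        if p.get("domain") == "resource" and p.get("name") == name:
            value = p["value"].strip().lower()
            digits = value.rstrip("abgikm")
            return int(digits) * UNIT[value[len(digits):]]
    return None


def convert_allowed(policies, in_coder, out_coder):
    """Model of `convert in.<x> out.<y>`: input coder needs read, output write."""
    return (is_authorized(policies, "coder", in_coder, "read")
            and is_authorized(policies, "coder", out_coder, "write"))


if __name__ == "__main__":
    for label, text in (("none", POLICY_NONE), ("write", POLICY_WRITE)):
        pol = load_policy(text)
        print(f"[{label}] photo.png  -> out.pdf :", convert_allowed(pol, "PNG", "PDF"))
        print(f"[{label}] upload.pdf -> out.png :", convert_allowed(pol, "PDF", "PNG"))
        print(f"[{label}] https:// delegate read:", is_authorized(pol, "delegate", "HTTPS", "read"))
        print(f"[{label}] memory limit (bytes)  :", resource_limit(pol, "memory"))
```

Under the "none" fragment both directions are refused; under the "write"
fragment PNG -> PDF passes and PDF -> PNG is still refused, which is exactly
the split the mail asks for. On a real installation, `magick -list policy`
(or `convert -list policy` with ImageMagick 6) prints the policy actually
loaded, which is the first thing to check before trusting any of the above.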

