tech-pkg archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: Imagemagick policy
Hi!
In my eyes, the discussion did not lead to a clear decision.
I've implemented four options for the package:
Exactly one of the following policy options is required:
imagemagick-policy-limited By default, use ImageMagick's "Limited" security policy.
imagemagick-policy-open By default, use ImageMagick's "Open" security policy.
imagemagick-policy-secure By default, use ImageMagick's "Secure" security policy.
imagemagick-policy-websafe By default, use ImageMagick's "Web-safe" security policy.
This way, you can easily decide which policy you want for your environment.
I've followed upstream for the default ("Open").
Even with a binary package built with a different option, you can
easily change your mind - just copy the appropriate policy-*.xml file
from the example directory to ${PREFIX}/etc/ImageMagick-7/policy.xml
Cheers,
Thomas
On Thu, Oct 19, 2023 at 03:28:48PM +0200, Thomas Klausner wrote:
> Hi!
>
> I looked at updating ImageMagick, and the latest now delivers four
> default policy files. They are described in comments inside:
>
> ImageMagick-7.1.1-20/config/policy-limited.xml
>
> Limited ImageMagick security policy:
>
> The primary objective of the limited security policy is to find a
> middle ground between convenience and security. This policy involves the
> deactivation of potentially hazardous functionalities, like specific coders
> such as SVG or HTTP. Furthermore, it establishes several constraints on
> the utilization of resources like memory, storage, and processing duration,
> all of which are adjustable. This policy proves advantageous in situations
> where there's a need to mitigate the potential threat of handling possibly
> malicious or demanding images, all while retaining essential capabilities
> for prevalent image formats.
>
> ImageMagick-7.1.1-20/config/policy-open.xml
>
> Open ImageMagick security policy:
>
> The default policy for ImageMagick installations is the open security
> policy. This policy is designed for usage in secure settings like those
> protected by firewalls or within Docker containers. Within this framework,
> ImageMagick enjoys broad access to resources and functionalities. This policy
> provides convenient and adaptable options for image manipulation. However,
> it's important to note that it might present security vulnerabilities in
> less regulated conditions. Thus, organizations should thoroughly assess
> the appropriateness of the open policy according to their particular use
> case and security prerequisites.
>
> ImageMagick-7.1.1-20/config/policy-secure.xml
>
> Secure ImageMagick security policy:
>
> This stringent security policy prioritizes the implementation of
> rigorous controls and restricted resource utilization to establish a
> profoundly secure setting while employing ImageMagick. It deactivates
> conceivably hazardous functionalities, including specific coders like
> SVG or HTTP. The policy promotes the tailoring of security measures to
> harmonize with the requirements of the local environment and the guidelines
> of the organization. This protocol encompasses explicit particulars like
> limitations on memory consumption, sanctioned pathways for reading and
> writing, confines on image sequences, the utmost permissible duration of
> workflows, allocation of disk space intended for image data, and even an
> undisclosed passphrase for remote connections. By adopting this robust
> policy, entities can elevate their overall security stance and alleviate
> potential vulnerabilities.
>
> ImageMagick-7.1.1-20/config/policy-websafe.xml
>
> Web-safe ImageMagick security policy:
>
> This security protocol designed for web-safe usage focuses on situations
> where ImageMagick is applied in publicly accessible contexts, like websites.
> It deactivates the capability to read from or write to any image formats
> other than web-safe formats like GIF, JPEG, and PNG. Additionally, this
> policy prohibits the execution of image filters and indirect reads, thereby
> thwarting potential security breaches. By implementing these limitations,
> the web-safe policy fortifies the safeguarding of systems accessible to
> the public, reducing the risk of exploiting ImageMagick's capabilities
> for potential attacks.
>
>
> Before that release, we had (still have) a pkgsrc patch for the one
> policy:
>
> + <!--
> + -- Disable ghostscript decoders as suggested by VU#332928
> + -- <https://www.kb.cert.org/vuls/id/332928>
> + -->
> + <policy domain="coder" rights="write" pattern="PS" />
> + <policy domain="coder" rights="write" pattern="PS2" />
> + <policy domain="coder" rights="write" pattern="PS3" />
> + <policy domain="coder" rights="write" pattern="EPS" />
> + <policy domain="coder" rights="write" pattern="PDF" />
> + <policy domain="coder" rights="write" pattern="XPS" />
> +
> + <!-- Recommended policies from <https://imagetragick.com/> -->
> + <policy domain="coder" rights="none" pattern="EPHEMERAL" />
> + <policy domain="coder" rights="none" pattern="URL" />
> + <policy domain="coder" rights="none" pattern="HTTPS" />
> + <!-- breaks deforaos-icon-theme package -->
> + <!--<policy domain="coder" rights="none" pattern="MVG" />-->
> + <policy domain="coder" rights="none" pattern="MSL" />
> + <policy domain="coder" rights="none" pattern="TEXT" />
> + <policy domain="coder" rights="none" pattern="SHOW" />
> + <policy domain="coder" rights="none" pattern="WIN" />
> + <policy domain="coder" rights="none" pattern="PLT" />
>
> I think since ImageMagick now delivers four to choose from, admins can
> easily deploy the one the want, and we should switch back to the
> default (in this case, open) policy to match what upstream provides.
>
> Opinions?
> Thomas
Home |
Main Index |
Thread Index |
Old Index