guix-devel

Re: Ghostscript / ImageMagick / GraphicsMagick vulnerability mitigation?


From: Ludovic Courtès
Subject: Re: Ghostscript / ImageMagick / GraphicsMagick vulnerability mitigation?
Date: Sat, 25 Aug 2018 16:52:12 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)

Leo Famulari <address@hidden> wrote:

> On Fri, Aug 24, 2018 at 03:04:53PM +0200, Ludovic Courtès wrote:
>> In this week’s discussions, it’s unclear to me why people are focusing
>> so much on ImageMagick and Evince when the real issue is in
>> Ghostscript’s ability to run arbitrary commands from PostScript code.  I
>> rarely run ‘convert’ on PS files, but I do run ‘gs’ from different
>> sources: gv, Emacs Docview, Evince, ps2pdf, etc.
>
> I think they take for granted that Ghostscript should not handle
> untrusted input, so they are looking for ways that it may be invoked by
> other applications without the user's explicit consent. And, they are
> still picking the "low-hanging fruit" in this search, for example the
> thumbnailing thing.
>
> Apparently GNOME containerizes the thumbnailer in some cases with
> 'bubblewrap', but it requires the system to be set up properly (by us,
> for example).

That should work for us too, because AIUI bubblewrap falls back to using
user namespaces when they’re available.  Well, we probably need to at
least add bubblewrap as a dependency to Evince, to begin with.

>> So I was wondering if we could arrange to provide a wrapper around ‘gs’
>> that would run it in a container that can only access its input and
>> output files, plus font files from the store.  Now I wonder if I’m too
>> naive and if this would in practice require more work.
>> 
>> Thoughts?
>
> Yeah, that would be interesting. Are there any packages that have
> something similar right now?

No, but we need to start somewhere.  :-)

>> I agree that it would be good to provide a policy.xml somehow. On
>> GuixSD, we could provide it by default for new accounts (as a Shadow
>> “skeleton”.)
>
> Agreed, or at least alter the default copy that comes in the built
> package.

Indeed, we can also do that.

Thanks,
Ludo’.
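
One way to realise the ‘gs’ wrapper discussed in this message, as an added example that is not code from the thread or from Guix. It assumes bubblewrap (`bwrap`) is installed, that `gs` resolves to a file under /gnu/store, and a PostScript-to-PDF job; the function names and the /in and /out mount points are hypothetical.

```sh
#!/bin/sh
# Added example: confine Ghostscript with bubblewrap so that it sees only
# the store (binary, libraries, fonts), one input file and an empty output
# directory. Function names and the /in, /out mount points are hypothetical.

# gs_sandbox MODE GS_BIN SRC STAGE
#   MODE   "print" lists the argv one item per line; anything else runs it
#   GS_BIN absolute path of gs inside /gnu/store
#   SRC    untrusted PostScript file, mounted read-only
#   STAGE  empty directory, the only writable path besides /tmp
gs_sandbox() {
    mode=$1 gs_bin=$2 src=$3 stage=$4
    case $gs_bin in
        /gnu/store/*) ;;
        *) echo "gs_sandbox: $gs_bin is not in /gnu/store" >&2; return 2 ;;
    esac
    case $src in /*) ;; *) src=$PWD/$src ;; esac
    # --unshare-all: fresh user, PID, IPC, UTS, cgroup and network namespaces.
    # Nothing from $HOME is bound, so gs cannot read or overwrite user files.
    set -- bwrap --unshare-all --die-with-parent --new-session \
        --ro-bind /gnu/store /gnu/store \
        --proc /proc --dev /dev --tmpfs /tmp \
        --ro-bind "$src" /in/document.ps \
        --bind "$stage" /out --chdir /out \
        "$gs_bin" -dSAFER -dBATCH -dNOPAUSE -sDEVICE=pdfwrite \
        -sOutputFile=/out/result.pdf /in/document.ps
    if [ "$mode" = print ]; then printf '%s\n' "$@"; else "$@"; fi
}

# gs_to_pdf SRC DEST: convert through the sandbox, then move the result out.
gs_to_pdf() {
    gs_bin=$(readlink -f "$(command -v gs)") || return 1
    stage=$(mktemp -d) || return 1
    gs_sandbox run "$gs_bin" "$1" "$stage" && mv -- "$stage/result.pdf" "$2"
    status=$?
    rm -rf -- "$stage"
    return "$status"
}
```

Calling `gs_sandbox print …` first shows exactly which paths would be visible to Ghostscript before anything is executed.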


