Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[WIP] imagemagick: disable ghostscript vector formats #45457

Closed
wants to merge 1 commit into from
Closed

[WIP] imagemagick: disable ghostscript vector formats #45457

wants to merge 1 commit into from

Conversation

markuskowa
Copy link
Member

Motivation for this change

Prevent a wecurity hole in ghostscript to be abused.
See https://www.kb.cert.org/vuls/id/332928 for more details

Things done
  • Patch for policy.xml disallowing conversion of PS/EPS/PDF/XPS files
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Fits CONTRIBUTING.md.

@markuskowa markuskowa mentioned this pull request Aug 22, 2018
Closed
@7c6f434c
Copy link
Member

Are such settings overridable in the runtime in case of trusted Postscript file source (as in: verified MetaPost script) or reasonable isolation measures (as in: container-like isolation with no network access and no write access outside tmpfs)?

@markuskowa
Copy link
Member Author

The policy is in $out/etc/ImageMagick-6/policy.xml. Not sure how to override this at runtime.
Sandboxing ghostscript sounds like a better solution. That would catch all other programs accessing gs too.

@markuskowa markuskowa changed the title imagemagick: disable ghostscript vector formats [WIP] imagemagick: disable ghostscript vector formats Aug 22, 2018
@7c6f434c
Copy link
Member

Well, I normally sandbox the entire program anyway, because who can trust a PDF viewer to be correct on files not created in a control way. Sandboxing just Ghostscript sounds like a nice plan, but it does seem that, for example, GIMP uses libgs.so, not the command-line gs.

@markuskowa
Copy link
Member Author

for example, GIMP uses libgs.so

OK, this makes it a bigger problem.
The quick work around for imagemagick could also be generating two derivations. One would then be called *-trusted and has the policy patch disabled.

@7c6f434c
Copy link
Member

As far as I understand it, the only imagemagick that includes ghostscript is imagemagickBig, and the only difference from the default version is the inclusion of Ghostscript.

Maybe the correct solution for Nixpkgs is to mark ghostscript vulnerable?

@markuskowa
Copy link
Member Author

Should we just close this PR in favor of a more complete "ghostscript sandbox" solution?

@7c6f434c
Copy link
Member

Not sure about feasibility of Ghostscript sandboxing with libgs, but I do think that with Nix dependency model the change in this PR is not very useful in practice.

@markuskowa
Copy link
Member Author

Closing in favor of #46047

@markuskowa markuskowa closed this Sep 4, 2018
@markuskowa markuskowa deleted the gs-fix branch November 7, 2018 19:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
1.severity: security 10.rebuild-darwin: 11-100 10.rebuild-linux: 101-500
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@markuskowa @7c6f434c @vcunat @GrahamcOfBorg