Hello Seth,
thanks for your answer. My expectation was that flaws are fixed in code and it's not necessary to block filetypes. Unfortunately, in hosting/web applications/shops, ImageMagick+Ghostscript are widely used in standard software. Minutes after updating some servers we had reports about failing conversions.
We use AppArmor profiles to protect our internal structure. The user itself is only able to read some needed paths and write to his own home. So this risk should be OK for us unless there is an exploit to gain root privileges. If I understand Tavis Ormandy's statement the right way, more flaws are highly probable.
Thanks,
Hajo