Comment 9 for bug 1793485

Seth Arnold (seth-arnold) wrote :

Hello Hajo,

Tavis Ormandy has recently discovered enough flaws in ghostscript that the general consensus in the security community is that it is not safe to allow ghostscript to process untrusted inputs. See for example:

    I think we should encourage switching to other document
    formats that we have a better handle on securing. If you
    do need untrusted ps, I think treating it the same as
    shell script file you downloaded from the internet.

https://www.openwall.com/lists/oss-security/2018/10/09/6

ImageMagick is a well-known and widely-available attack vector.

Whoever would wish to use ImageMagick on untrusted inputs should prepare an AppArmor profile (or SELinux/SMACK/TOMOYO policy) to reflect their expected usage to restrict how much damage can be done, and modify the policy.xml file to explicitly allow using ghostscript through ImageMagick: https://imagemagick.org/script/security-policy.php

We debated if this was a change we wanted to make because we knew that it would inconvenience some of our users. However, we feel that someone who needs these tools should know the full risks of these tools and thus be able to mitigate the risks as appropriate in their own environment.

Thanks