Since thumbnails have to be generated somehow, they need some kind of generator. Using plugins, which are represented by executables in this case, is a perfectly fine approach for this.

The real problem is that although it is well known that thumbnail generators have a really big attack surface, nothing has been done to limit the impact of vulnerabilities in thumbnail generators. An easy approach for safe thumbnail generators would be to enforce seccomp before the plugin for thumbnail generation is loaded/executed. This would make it possible to prevent a thumbnail generator from doing anything but reading from the file which needs a thumbnail, writing to the thumbnail file/memory, and maybe some memory allocations, which could be further restricted using rlimits. My guess on why no one actually does this is because it would break any existing thumbnailer, and programs like ImageMagick couldn't be used for thumbnail generation anymore.

Daniel Abrecht
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
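The seccomp-before-plugin idea from the post above, as an added example that is not code from this thread: a host process forks, hands the child only the already-open source and thumbnail descriptors, caps its address space with RLIMIT_AS, installs a raw BPF allow-list of read/write/memory/exit syscalls, and only then runs the plugin. The two plugin functions are constructed stand-ins for a real thumbnailer.

```c
/* Added example, not from the Dng thread; the two plugins are constructed stand-ins. */
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "set SANDBOX_ARCH to this machine's AUDIT_ARCH_* value"
#endif
#define ALLOW(nr) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
                  BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
/* Allow-list: read source, write thumbnail, grow heap, exit; wrong arch or anything else kills. */
static struct sock_filter rules[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    ALLOW(SYS_read), ALLOW(SYS_write), ALLOW(SYS_brk), ALLOW(SYS_mmap),
    ALLOW(SYS_munmap), ALLOW(SYS_exit_group), ALLOW(SYS_exit),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
};
/* Fork, wire fds to stdin/stdout, cap memory, lock down syscalls, run plugin.
 * Returns the child's raw waitpid status, or -1 if fork/waitpid failed. */
int run_thumbnailer(int in_fd, int out_fd, int (*plugin)(void)) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        struct rlimit as = { 512u << 20, 512u << 20 };            /* 512 MiB */
        struct sock_fprog prog = { (unsigned short)(sizeof rules / sizeof *rules), rules };
        if (dup2(in_fd, 0) < 0 || dup2(out_fd, 1) < 0) _exit(126);
        if (setrlimit(RLIMIT_AS, &as) < 0) _exit(126);
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) _exit(127);
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) < 0) _exit(127);
        _exit(plugin());  /* a real host calls the already-loaded plugin here */
    }
    int st; if (waitpid(pid, &st, 0) < 0) return -1; return st;
}
/* good_plugin stays inside the allow-list; bad_plugin touches the filesystem. */
int good_plugin(void) { char b[64]; ssize_t n = read(0, b, sizeof b);
                        return n > 0 && write(1, b, (size_t)n) == n ? 0 : 1; }
int bad_plugin(void) { return access("/etc/hostname", R_OK) == 0 ? 0 : 1; }
```

A real plugin must be loaded (dlopen, or exec with the dynamic loader's startup syscalls) before the filter is installed, since the allow-list above has no open/mprotect; that is exactly the compatibility break the post anticipates for existing thumbnailers.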