For the last couple years, people have been finding exploitable bugs in the image processing system based on Ghostscript and ImageMagick / GraphicsMagick:
http://seclists.org/oss-sec/2018/q3/142 http://seclists.org/oss-sec/2016/q4/29 Despite these issues, these programs are still the best way to achieve some common image processing goals, so we have to think about how to make them safer. The primary recommendation seems to be setting a restrictive security policy in ImageMagick's policy.xml file, as described in the discussions linked above. Currently, Guix doesn't "set up" ImageMagick at all upon installation, which is different from some other systems like Debian and Fedora and their cousins, where the vulnerabilities are more dire [0]. Our ImageMagick package includes the default, unrestricted policy.xml. But, I'm wondering if anyone is using these tools in production from Guix and, if so, how they do it, and if they would like us to ship a non-default, more restrictive policy.xml in our package. And if so, could they write the policy.xml? :) [0] https://bugs.gnu.org/32515
signature.asc
Description: PGP signature
