Since thumbnails have to be generated somehow, they need some kind of
generator. To use plugins, which are resembled by executables in this
case, is a perfectly fine approach for this.

The real problem is that despite it's well known that thumbnail
generators have a really big attack surface, nothing has been done to
limit the impact of vulnerabilities in thumbnail generators.

An easy approach for safe thumbnail generators would be to enforce
secomp before the plugin for thumbnail generation is loaded/executed.
This would allow to prevent a thumbnail generator to do anything but
reading from the file which needs a thumbnail, writing to the thumbnail
file/memory, and maybe some memory allocations, which could be further
restricted using rlimits.

My guess on why noone actually does this is because it would break any
existing thumbnailer and programs like imagemagic couldn't be used for
thumbnail generation anymore.


Daniel Abrecht