On Tue, Jul 18, 2017 at 06:15:20PM +0000, Daniel Abrecht wrote:
> Since thumbnails have to be generated somehow, they need some kind of
> generator. To use plugins, which are resembled by executables in this
> case, is a perfectly fine approach for this.

Uhm, but why? I can understand a thumbnail for an image file: it may be
useful to see what's inside without having to open it. But there's a limit
to thumbnailing. If it's an .exe, give it an icon that says "EXE" (or a
broken four-panelled window image), and that's it.

> The real problem is that despite it's well known that thumbnail
> generators have a really big attack surface, nothing has been done to
> limit the impact of vulnerabilities in thumbnail generators.
[...]
> My guess on why noone actually does this is because it would break any
> existing thumbnailer and programs like imagemagic couldn't be used for
> thumbnail generation anymore.

Actually, imagemagick is one of worst offenders here. The version in Jessie
is at deb8u9, and every security update tends to mention ~20 CVEs.

--
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ A dumb species has no way to open a tuna can.
⢿⡄⠘⠷⠚⠋⠀ A smart species invents a can opener.
⠈⠳⣄⠀⠀⠀⠀ A master species delegates.