On 2017-07-18 20:07, Adam Borowski wrote:
> On Tue, Jul 18, 2017 at 06:15:20PM +0000, Daniel Abrecht wrote:
>> Since thumbnails have to be generated somehow, they need some kind of
>> generator. To use plugins, which are resembled by executables in this
>> case, is a perfectly fine approach for this.
>
> Uhm, but why? I can understand a thumbnail for an image file: it may be
> useful to see what's inside without having to open it. But there's a limit
> to thumbnailing. If it's an .exe, give it an icon that says "EXE" (or a
> broken four-panelled window image), and that's it.

It isn't possible to predict every image/file type a user may have to
deal with, therefore others need a way to add support for not per
default supported file formats. Additionally, if a developer writes a
program, a 3D game for example, and it uses a custom file format, for a
game level for example, said developer may want to add thumbnails to
those files. A plugin system allows for this, and it enables the
developer to choose to include a thumbnailer, it leaves the choice to
include the thumbnailer in a package to it's package maintainer, and it
allows the user to install or remove the thumbnailer. If there is no
thumbnailer, a default icon for the file is used. At any point, anyone
can decide if they want generated thumbnails for certain file types or not.

That said, I don't see a reason to not provide a way to display
thumbnails for exotic file types. I don't even see a problem in
generating thumbnails for exe files. Most exe fils are just like some
archive file containing some icon files, so whats wrong with someone
providing a thumbnailer extracting those icons? Why should that be any
more dangerous than generating thumbnails for any kind of image? There
is no reason any thumbnail generator couldn't have any bugs, therefore
it would make the most sense to prevent bugs in thumbnailers to have any
security impact.

>> The real problem is that despite it's well known that thumbnail
>> generators have a really big attack surface, nothing has been done to
>> limit the impact of vulnerabilities in thumbnail generators.
> [...]
>> My guess on why noone actually does this is because it would break any
>> existing thumbnailer and programs like imagemagic couldn't be used for
>> thumbnail generation anymore.
>
> Actually, imagemagick is one of worst offenders here. The version in Jessie
> is at deb8u9, and every security update tends to mention ~20 CVEs.

Yes, I know. I didn't mean to imply that keeping existing thumbnail
generators or using imagemagick for thumbnail generation is a good
thing. I just tried to reason why thumbnails may still be generated in
an insecure manner. If I had the choice between keeping every desktop
system insecure forever or breaking every thumbnailer ever created, I
would always choose the later. However, I don't think that's an option
for gnome or KDE.


Daniel Abrecht