:: Re: [DNG] VBScript Injection via GN…
Góra strony
Delete this message
Reply to this message
Autor: Olaf Meeuwissen
Data:  
Dla: Adam Borowski
CC: dng
Temat: Re: [DNG] VBScript Injection via GNOME Thumbnailer
Hi,

Adam Borowski writes:

> On Wed, Jul 19, 2017 at 08:28:25PM +0900, Olaf Meeuwissen wrote:
>> Adam Borowski writes:
>> > On Tue, Jul 18, 2017 at 10:07:35PM +0200, Adam Borowski wrote:
>> >> Actually, imagemagick is one of worst offenders here. The version in Jessie
>> >> is at deb8u9, and every security update tends to mention ~20 CVEs.
>> >
>> > ... aaaand, just hours later, here comes deb8u10:
>> >
>> > # Package        : imagemagick
>> > # CVE ID         : CVE-2017-9439 CVE-2017-9440 CVE-2017-9500 CVE-2017-9501
>> > #                  CVE-2017-10928 CVE-2017-11141 CVE-2017-11170
>> > #                  CVE-2017-11360 CVE-2017-11188
>> > # Debian Bug     : 863126 867367 867778 867721 864273 864274 867806 868264
>> > #                  868184 867810 867808 867811 867812 867896 867798 867821
>> > #                  867824 867825 867826 867893 867823 867894 867897

>>
>> Totally untested, but you might try to replace imagemagick with
>> graphicsmagick. It's at deb8u ;-)


My bad, graphicsmagick is at deb8u2. Are the security conscious just
picking on imagemagick or graphicsmagick is less susceptible? Dunno.

> It's a fork, so it suffers from same vulnerabilities as imagemagick. It
> might get better only after someone rewrites everything from scratch (in
> which case there'll be a whole new set of bugs).


Devuan is a fork of Debian. I think we both agree that the former
suffers at least one problem less than the latter ;-)

By the same or at least a very similar token, I would hope that perhaps
graphicsmagick suffers from a few less vulnerabilities than imagemagick.
True, I have no hard data to back that up. It was just a suggestion.

I've used the CLI and library C/C++ APIs of both in the past, and
through that have developed a better opinion of graphicsmagick. It was
forked 15(!) years ago. ImageMagick has had a reputation of willy-nilly
changing CLI and library APIs as well as image processing results
between versions. GraphicsMagick has on the whole been a lot more
stable in that respect so I would *guess* that its developers have been
able to shake out most vulnerabilities over the years without
introducing many new ones.

Just a thought,
--
Olaf Meeuwissen, LPIC-2            FSF Associate Member since 2004-01-27
 GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13  F43E B8A4 A88A F84A 2DD9
  Support Free Software                        https://my.fsf.org/donate
 Join the Free Software Foundation              https://my.fsf.org/join