On 2017-07-18 20:07, Adam Borowski wrote:
> On Tue, Jul 18, 2017 at 06:15:20PM +0000, Daniel Abrecht wrote:
>> Since thumbnails have to be generated somehow, they need some kind of
>> generator. To use plugins, which are resembled by executables in this
>> case, is a perfectly fine approach for this.
>
> Uhm, but why? I can understand a thumbnail for an image file: it may be
> useful to see what's inside without having to open it. But there's a limit
> to thumbnailing. If it's an .exe, give it an icon that says "EXE" (or a
> broken four-panelled window image), and that's it.
It isn't possible to predict every image/file type a user may have to deal with, therefore others need a way to add support for file formats not supported by default. Additionally, if a developer writes a program, a 3D game for example, and it uses a custom file format, for a game level for example, said developer may want to add thumbnails to those files. A plugin system allows for this, and it enables the developer to choose to include a thumbnailer, it leaves the choice to include the thumbnailer in a package to its package maintainer, and it allows the user to install or remove the thumbnailer. If there is no thumbnailer, a default icon for the file is used. At any point, anyone can decide if they want generated thumbnails for certain file types or not.

That said, I don't see a reason to not provide a way to display thumbnails for exotic file types. I don't even see a problem in generating thumbnails for exe files. Most exe files are just like some archive file containing some icon files, so what's wrong with someone providing a thumbnailer extracting those icons? Why should that be any more dangerous than generating thumbnails for any kind of image? There is no reason any thumbnail generator couldn't have any bugs, therefore it would make the most sense to prevent bugs in thumbnailers from having any security impact.

>> The real problem is that despite it's well known that thumbnail
>> generators have a really big attack surface, nothing has been done to
>> limit the impact of vulnerabilities in thumbnail generators.
> [...]
>> My guess on why no one actually does this is because it would break any
>> existing thumbnailer and programs like imagemagick couldn't be used for
>> thumbnail generation anymore.
>
> Actually, imagemagick is one of the worst offenders here. The version in Jessie
> is at deb8u9, and every security update tends to mention ~20 CVEs.

Yes, I know.
I didn't mean to imply that keeping existing thumbnail generators or using imagemagick for thumbnail generation is a good thing. I just tried to reason why thumbnails may still be generated in an insecure manner. If I had the choice between keeping every desktop system insecure forever or breaking every thumbnailer ever created, I would always choose the latter. However, I don't think that's an option for GNOME or KDE.

Daniel Abrecht
_______________________________________________ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng