Bug#913120: cups-filters: please favor graphicsmagick-imagemagick-compat over imagemagick
Control: tags -1 +pending

On Wednesday, 7 November 2018, 23:40:23 CET, Samuel Thibault wrote:
> Mmm, actually it's even a very specific case of braille embossing, which
> is really not common, and most probably really never used in networked
> situations. Perhaps we could just demote to "Suggests" or even drop
> it. If the user tries to emboss an image, she'll get an error message
> hinting to install imagemagick anyway.

That seems like a workable way forward, I'll go with it.

Cheers,
OdyX
Bug#913120: cups-filters: please favor graphicsmagick-imagemagick-compat over imagemagick
Hello,

Moritz Mühlenhoff, on Wed, 07 Nov 2018 23:04:55 +0100, wrote:
> In this specific case other, more promising hardening options would be:
> - IM is only used for the braille support, so this could be split into
>   a separate binary package, reducing the attack footprint for the non-braille
>   installations of cups-filters

Mmm, actually it's even a very specific case of braille embossing, which is really not common, and most probably really never used in networked situations. Perhaps we could just demote to "Suggests" or even drop it. If the user tries to emboss an image, she'll get an error message hinting to install imagemagick anyway.

Samuel
Bug#913120: cups-filters: please favor graphicsmagick-imagemagick-compat over imagemagick
On Wed, Nov 07, 2018 at 08:44:25AM +0100, Jonas Smedegaard wrote:
> Source: cups-filters
> Version: 1.21.3-2
> Severity: important
> Tags: security
>
> Graphicsmagick is a drop-in replacement for imagemagick which - apart
> from being faster and lighter - also claims that it "suffers from fewer
> security issues and exploits" - which seems to correspond with the
> amount of issues reported at
> https://security-tracker.debian.org/tracker/source-package/imagemagick
> and
> https://security-tracker.debian.org/tracker/source-package/graphicsmagick

Counting CVE IDs is not a useful metric per se; before we migrate things this should be researched more in depth (and then whatever magick is preferred should be migrated distro-wide (and the other variant phased out)).

In this specific case other, more promising hardening options would be:
- IM is only used for the braille support, so this could be split into a separate binary package, reducing the attack footprint for the non-braille installations of cups-filters
- The respective code shells out to convert; the execution of that binary could be contained with firejail (e.g. with a profile running imagemagick with the seccomp filter and namespaced), mitigating the effect of an exploit in imagemagick.

Cheers,
Moritz
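A wrapper for the containment Moritz suggests above, added here as an example; it is not code from the bug report or from cups-filters, and the chosen firejail options, the `FIREJAIL` variable and the script layout are assumptions rather than a profile any package ships.

```shell
#!/bin/sh
# Added example, not code from cups-filters or the bug thread: run ImageMagick's
# `convert` (which the braille filter shells out to) inside a firejail sandbox.
# The option set is an assumption about a sensible minimum:
#   --net=none      no network inside the sandbox
#   --seccomp       firejail's default syscall filter
#   --noroot        separate user namespace without a root user
#   --caps.drop=all drop all capabilities
#   --nonewprivs    block privilege gain via setuid binaries
#   --private-tmp / --private-dev  fresh, minimal /tmp and /dev

FIREJAIL=${FIREJAIL:-firejail}   # overridable so the wrapper can be tested without firejail

# Emit the sandbox options one per line so the policy can be reviewed or tested.
firejail_convert_opts() {
    cat <<'EOF'
--quiet
--net=none
--seccomp
--noroot
--caps.drop=all
--nonewprivs
--private-tmp
--private-dev
EOF
}

# Run convert with all of the options above. A missing firejail is reported
# as an error (exit 127) instead of silently running convert unsandboxed.
sandboxed_convert() {
    if ! command -v "$FIREJAIL" >/dev/null 2>&1; then
        echo "sandboxed_convert: $FIREJAIL not found; refusing to run convert unsandboxed" >&2
        return 127
    fi
    # The options contain no whitespace, so word-splitting the heredoc output
    # is safe; the caller's own arguments are passed through quoted.
    set -- $(firejail_convert_opts) convert "$@"
    "$FIREJAIL" "$@"
}

# Example call (needs firejail and imagemagick installed):
#   sandboxed_convert input.png -monochrome output.pbm
```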
Bug#913120: cups-filters: please favor graphicsmagick-imagemagick-compat over imagemagick
Source: cups-filters
Version: 1.21.3-2
Severity: important
Tags: security

Graphicsmagick is a drop-in replacement for imagemagick which - apart from being faster and lighter - also claims that it "suffers from fewer security issues and exploits" - which seems to correspond with the amount of issues reported at https://security-tracker.debian.org/tracker/source-package/imagemagick and https://security-tracker.debian.org/tracker/source-package/graphicsmagick

Please list graphicsmagick-imagemagick-compat as favored over imagemagick to have the former installed by default on new systems.

- Jonas