[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: How do you guys handle PNG/JPG binary files with potential payloads for all the image viewers?

On Mon, Jun 20, 2022 at 06:10:45PM +0200, Sebastian Rose wrote:
> >> how do you guys test all of the potential PNG/JPG potential malware payloads
> What's your use-case? As I'm not aware of an vector for GNU/Linux in
> normal everyday use¹, I guess you host files for Windows clients?


If you're processing data (images, videos, audio files, etc) from
unknown sources, it's a really good idea to use sandboxing of some kind,
ensure that sandboxes are never reused, and to ensure that only the most
minimal state possible (e.g. the output of the processing job) is
preserved after execution.  The sandbox can use things like seccomp and
apparmor to enforce containment.  Linux namespaces are useful as well: A
private network namespace that doesn't have access to the outside world,
a private mount namespace that has a unique root file system (ideally
read-only), etc.

Containers, as implemented by podman, docker, and systemd-container can
help here by providing convenient interfaces to these process isolation


Reply to: