[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: How do you guys handle PNG/JPG binary files with potential payloads for all the image viewers?

On Mon, Jun 20, 2022 at 09:25:38AM -0700, Noah Meyerhans wrote:
> https://security-tracker.debian.org/tracker/source-package/imagemagick
> If you're processing data (images, videos, audio files, etc) from
> unknown sources, it's a really good idea to use sandboxing of some kind,
> ensure that sandboxes are never reused, and to ensure that only the most
> minimal state possible (e.g. the output of the processing job) is
> preserved after execution.  The sandbox can use things like seccomp and
> apparmor to enforce containment.  Linux namespaces are useful as well: A
> private network namespace that doesn't have access to the outside world,
> a private mount namespace that has a unique root file system (ideally
> read-only), etc.
> Containers, as implemented by podman, docker, and systemd-container can
> help here by providing convenient interfaces to these process isolation
> tools.

Sorry, hit send before I mean to.  The above is all about protecting
against new, unknown issues for which the mitigation isn't known.  For
protection against known issues, of course, you should simply make sure
you're running up-to-date versions of all your software.


Reply to: