On Mon, Jun 20, 2022 at 06:10:45PM +0200, Sebastian Rose wrote:
> >> how do you guys test all of the potential PNG/JPG potential malware 
> >> payloads
> 
> What's your use-case? As I'm not aware of a vector for GNU/Linux in
> normal everyday use¹, I guess you host files for Windows clients?

https://security-tracker.debian.org/tracker/source-package/imagemagick

If you're processing data (images, videos, audio files, etc.) from
unknown sources, it's a really good idea to use sandboxing of some kind,
ensure that sandboxes are never reused, and to ensure that only the most
minimal state possible (e.g. the output of the processing job) is
preserved after execution.  The sandbox can use things like seccomp and
apparmor to enforce containment.  Linux namespaces are useful as well: A
private network namespace that doesn't have access to the outside world,
a private mount namespace that has a unique root file system (ideally
read-only), etc.

Containers, as implemented by podman, docker, and systemd-container can
help here by providing convenient interfaces to these process isolation
tools.

noah
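
The containment described in the message above, sketched as an added example that is not part of the original e-mail: each untrusted file is converted in a fresh podman container with no network and a read-only root, and only the output file is kept. The image name `localhost/imagemagick-sandbox`, the `/in` and `/out` mount points and the resource limits are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original message): one throwaway, locked-down
# container per untrusted file. Assumed names: SANDBOX_IMAGE is a hypothetical
# local image that ships ImageMagick; /in and /out are arbitrary mount points.
PODMAN="${PODMAN:-podman}"        # set PODMAN=echo for a dry run
SANDBOX_IMAGE="${SANDBOX_IMAGE:-localhost/imagemagick-sandbox}"

# sandbox_run INPUT_FILE OUTPUT_DIR
sandbox_run() {
    # --rm              container and its writable layer are never reused
    # --network=none    private network namespace with no outside access
    # --read-only       root file system is mounted read-only
    # --cap-drop=ALL and no-new-privileges remove ways to gain privileges
    # The runtime's default seccomp profile stays in effect.
    "$PODMAN" run --rm \
        --network=none \
        --read-only \
        --cap-drop=ALL \
        --security-opt=no-new-privileges \
        --pids-limit=64 --memory=512m \
        --volume="$1:/in/input:ro" \
        --volume="$2:/out:rw" \
        "$SANDBOX_IMAGE" \
        convert /in/input -strip /out/output.png
}

# process_untrusted SRC DEST
# Returns 0 only if the job produced a regular output file.
# POSIX sh has no local variables, so work and rc are globals.
process_untrusted() {
    work=$(mktemp -d) || return 1
    mkdir "$work/in" "$work/out"
    rc=1
    # Copy to a fixed name so the untrusted file name never reaches podman.
    if cp -- "$1" "$work/in/input" &&
       sandbox_run "$work/in/input" "$work/out" >/dev/null 2>&1 &&
       [ -f "$work/out/output.png" ] && [ ! -L "$work/out/output.png" ]; then
        # The output file is the only state that survives the job.
        cp -- "$work/out/output.png" "$2" && rc=0
    fi
    rm -rf -- "$work"
    return "$rc"
}
```

Running with `PODMAN=echo` prints the command line without starting a container, which is a convenient way to review the flags.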
