On Wed, 5 Sep 2018 17:47:57 -0400
Ray Strode <halfl...@gmail.com> wrote:

> hi,
> On Tue, Sep 4, 2018, 6:19 PM Magnus Bergman
> <magnus.berg...@snisurset.net> wrote:
> > Over the years it has been discussed from time to time to replace
> > gdk-pixbuf with something else[1][2].  
> [...]
> > I finally took some time to design an
> > image loading library on top of cairo  
> [...]
> >  abydos, which at least
> > suits my needs. And also some needs mentioned in this list over the
> > years. First I thought it could suit the needs of GTK+ as well.  
> So one thing i think a modern image library needs is sandboxing.  the
> loader should be contained with bubblewrap and it should just give
> back a chunk of pixels in shared memory as a memfd or similar.
> then if it crashes it doesnt take down the app.  if its exploited the
> most the attacker can do is make the caller show the wrong image
> (which could still be bad of course)

Yes, I though about that and there is an example implementation in the
netpbm plugin of abydos that takes this approach. It currently doesn't
drop privileges, but that can easily be added. But it only works with
pixmaps. I'm not sure how to deal with vector graphics this way. I will
take a look at bubblewrap and think this over.

But if opening images is considered dangerous, opening files in general
must be considered equally dangerous. And if third party image loaders
are considered dangerous, all third party code must be considered
equally dangerous. I think it would be better with some kind of
framework that can separate applications into run-time modules with
different privileges. So that all kind of data processing happens in
contexts without access to the file system for example. Then the whole
image loader (in this case better described as an image decoder) could
be placed in the same isolated context together with the rest of the
data processing stuff. It would be kind of cool if every application
always did this. But I think this technique is primarily needed in
especially sensitive situations (like handling complex and potentially
malicious data like from the internet), not as much for loading local
images in general.
gtk-devel-list mailing list

Reply via email to