On Wed, 5 Sep 2018 17:47:57 -0400 Ray Strode <halfl...@gmail.com> wrote:
> hi,
>
> On Tue, Sep 4, 2018, 6:19 PM Magnus Bergman
> <magnus.berg...@snisurset.net> wrote:
>
> > Over the years it has been discussed from time to time to replace
> > gdk-pixbuf with something else[1][2].
> > [...]
> > I finally took some time to design an
> > image loading library on top of cairo
> > [...]
> > abydos, which at least
> > suits my needs. And also some needs mentioned in this list over the
> > years. First I thought it could suit the needs of GTK+ as well.
>
> So one thing I think a modern image library needs is sandboxing. The
> loader should be contained with bubblewrap and it should just give
> back a chunk of pixels in shared memory as a memfd or similar.
>
> Then if it crashes it doesn't take down the app. If it's exploited the
> most the attacker can do is make the caller show the wrong image
> (which could still be bad of course)

Yes, I thought about that and there is an example implementation in the
netpbm plugin of abydos that takes this approach. It currently doesn't
drop privileges, but that can easily be added. But it only works with
pixmaps. I'm not sure how to deal with vector graphics this way. I will
take a look at bubblewrap and think this over.

But if opening images is considered dangerous, opening files in general
must be considered equally dangerous. And if third party image loaders
are considered dangerous, all third party code must be considered
equally dangerous. I think it would be better with some kind of
framework that can separate applications into run-time modules with
different privileges. So that all kind of data processing happens in
contexts without access to the file system for example. Then the whole
image loader (in this case better described as an image decoder) could
be placed in the same isolated context together with the rest of the
data processing stuff. It would be kind of cool if every application
always did this.

But I think this technique is primarily needed in especially sensitive
situations (like handling complex and potentially malicious data like
from the internet), not as much for loading local images in general.

_______________________________________________
gtk-devel-list mailing list
gtk-devel-list@gnome.org
https://mail.gnome.org/mailman/listinfo/gtk-devel-list
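The process split Ray describes above, as an added example (not code from abydos, gdk-pixbuf or this thread): the decoder runs in a forked child, writes its pixels into a memfd, and the parent seals the buffer once the child has exited, so a decoder crash comes back as an error instead of taking down the caller. It assumes Linux, uses a constructed two-byte-header toy format in place of a real decoder, and shows only the process boundary and shared-memory handoff, not the bubblewrap containment.

```c
#define _GNU_SOURCE                /* GNU extensions: F_ADD_SEALS / F_SEAL_* in fcntl.h */
#include <fcntl.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef F_ADD_SEALS                /* fallback values (Linux ABI) if fcntl.h hid the GNU macros */
#define F_ADD_SEALS 1033
#define F_SEAL_SHRINK 2
#define F_SEAL_GROW 4
#define F_SEAL_WRITE 8
#endif

/* Constructed toy format (not real): byte 0 = width, byte 1 = height, then w*h gray bytes. */
static void toy_decode(const uint8_t *in, size_t len, uint8_t *out, size_t npix)
{
    if (len < 2 + npix) abort();   /* stand-in for a decoder bug crashing on short input */
    memcpy(out, in + 2, npix);
}

/* Decode in a child; return a sealed memfd of pixels, or -1 if the child did not exit cleanly. */
int decode_isolated(const uint8_t *in, size_t len, int *w, int *h)
{
    if (len < 2 || in[0] == 0 || in[1] == 0) return -1;
    *w = in[0]; *h = in[1];
    size_t npix = (size_t)*w * (size_t)*h;
    int fd = (int)syscall(SYS_memfd_create, "pixels", 3u);   /* MFD_CLOEXEC | MFD_ALLOW_SEALING */
    if (fd < 0) return -1;
    if (ftruncate(fd, (off_t)npix) < 0) { close(fd); return -1; }
    pid_t pid = fork();
    if (pid == 0) {                    /* child: the only place untrusted bytes are parsed */
        uint8_t *out = mmap(NULL, npix, PROT_WRITE, MAP_SHARED, fd, 0);
        if (out == MAP_FAILED) _exit(1);
        toy_decode(in, len, out, npix);
        _exit(0);
    }
    int status = 0;
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status)) {
        close(fd);                     /* decoder died or failed; the caller simply carries on */
        return -1;
    }
    /* Child is gone, so no writable mapping remains: freeze size and contents for good. */
    if (fcntl(fd, F_ADD_SEALS, F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE) < 0) { close(fd); return -1; }
    return fd;
}
```

The caller maps the returned fd read-only; because the seals are in place before it ever sees the buffer, nothing can shrink or rewrite the pixels underneath it later.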