Bug 785547 - exiv2 is unsafe
Status: RESOLVED OBSOLETE
Product: gexiv2
Classification: Other
Component: general
Assigned To: Gexiv2 Maintainers
Reported: 2017-07-29 01:02 UTC by seth.arnold
Modified: 2018-05-22 12:36 UTC
Description seth.arnold 2017-07-29 01:02:37 UTC
Hello,

The authors of exiv2 are unwilling to make libexiv2 safe for use on arbitrary files: http://dev.exiv2.org/issues/1248 . There are known issues unfixed for more than nine months; no users have stepped forward with patches in the meantime.

As a result I'd like to demote exiv2 from main to universe in Ubuntu to try to limit our risks and risks to our users.

Jeremy Bicha points out that currently it's difficult or impossible to build shotwell without libexiv2 https://bugs.launchpad.net/ubuntu/+source/exiv2/+bug/1706471 .

Ideally someone who cares about Exif data would fork exiv2 and add necessary hardening, or re-write the library entirely afresh in Rust, so that it would be safe to use on arbitrary files.

Possible alternatives include gexiv2 allowing itself to run without the backing exiv2 library and just giving fake answers, or shotwell dynamically loading gexiv2 only if a user wants to use the functionality, or shotwell allowing build-time configuration to remove Exif functionality, or possibly other answers.

Thanks
Comment 1 Jens Georg 2017-07-29 09:25:54 UTC
(In reply to seth.arnold from comment #0)
> Hello,
> 
> The authors of exiv2 are unwilling to make libexiv2 safe for use on
> arbitrary files: http://dev.exiv2.org/issues/1248 . There are known issues
> unfixed for more than nine months; no users have stepped forward with
> patches in the meantime.
> 
> As a result I'd like to demote exiv2 from main to universe in Ubuntu to try
> to limit our risks and risks to our users.
> 
> Jeremy Bicha points out that currently it's difficult or impossible to build
> shotwell without libexiv2
> https://bugs.launchpad.net/ubuntu/+source/exiv2/+bug/1706471 .

Unsurprising.

> 
> Ideally someone who cares about Exif data would fork exiv2 and add necessary
> hardening, or re-write the library entirely afresh in Rust, so that it would
> be safe to use on arbitrary files.

Yeah, well, it's easy to say that "someone" should do that. Someone has an infinite number of resources available to fix everything. I cannot, I currently even struggle to find any time. Feel free to remove Shotwell from Ubuntu. I suspect if Canonical cares for that, Canonical could sponsor such a rewrite. Or write a new one, Canonical is quite fond of NIH as I hear.

> 
> Possible alternatives include gexiv2 allowing itself to run without the
> backing exiv2 library and just giving fake answers, or shotwell dynamically
> loading gexiv2 only if a user wants to use the functionality, or shotwell
> allowing build-time configuration to remove Exif functionality, or possibly
> other answers.

What's the point in that? Will you cater for all the Shotwell, gnome-photos, ... users that go to those programs and file tickets against them?

Will you handle the backlash of hatred? No. We will have to handle that.
Comment 2 Robert Bruce Park 2017-07-30 04:50:49 UTC
Crippling gexiv2 is a remarkably bad idea. There are many users beyond just shotwell (I know this because I wrote/ported some of them).

I vote to just demote exiv2 and all rdeps so that things at least still work for people that care.
Comment 3 Jens Georg 2017-07-31 09:37:38 UTC
Offer: I can split out the meta-data parsing into its own process (for shotwell, that is) and run it with restrictive seccomp policies, just like tracker.
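
The process split offered in comment 3, as an added example that is not part of this bug thread and is not code from Shotwell, gexiv2 or tracker: parsing runs in a forked child behind a seccomp allow-list and hands its result back over a pipe, so a parser that misbehaves on a crafted file is killed without touching the calling application. `toy_parse`, its tag/length format and the `0xFF` tag are hypothetical stand-ins for the real metadata parser and a malicious file.

```c
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for the metadata parser. Constructed format: tag, length,
   value bytes; tag 0xFF plays a parser hijacked by a crafted file. */
static unsigned toy_parse(const unsigned char *buf, size_t len) {
    unsigned sum = 0;
    if (len > 0 && buf[0] == 0xFF)
        (void)access("/etc/hostname", R_OK);   /* filesystem syscall: not allowed */
    for (size_t i = 2; i < len && i < 2u + buf[1]; i++) sum += buf[i];
    return sum;
}
/* Allow-list: write and exit_group only. A production filter also pins the arch. */
static int lock_down(void) {
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof f / sizeof f[0], .filter = f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
/* Returns 0 and stores the value, or -1 if the sandboxed child failed or died. */
int parse_in_sandbox(const unsigned char *buf, size_t len, unsigned *out) {
    int fds[2], status = 0;
    unsigned v = 0;
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                       /* child: the only place parsing runs */
        if (lock_down() != 0) _exit(2);
        v = toy_parse(buf, len);
        _exit(write(fds[1], &v, sizeof v) == (ssize_t)sizeof v ? 0 : 3);
    }
    close(fds[1]);                        /* so read() sees EOF if the child dies */
    ssize_t n = read(fds[0], &v, sizeof v);
    close(fds[0]);
    if (waitpid(pid, &status, 0) != pid || n != (ssize_t)sizeof v) return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1;
    *out = v;
    return 0;
}
```

The parent treats any abnormal child exit as "no metadata", which is the behaviour a photo application needs when one file in a library is hostile.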
Comment 4 Debarshi Ray 2017-07-31 13:16:16 UTC
(In reply to seth.arnold from comment #0)
> The authors of exiv2 are unwilling to make libexiv2 safe for use on
> arbitrary files: http://dev.exiv2.org/issues/1248 . There are known issues
> unfixed for more than nine months; no users have stepped forward with
> patches in the meantime.
> 
> As a result I'd like to demote exiv2 from main to universe in Ubuntu to try
> to limit our risks and risks to our users.
>
> [...]
>
> Ideally someone who cares about Exif data would fork exiv2 and add necessary
> hardening, or re-write the library entirely afresh in Rust, so that it would
> be safe to use on arbitrary files.

This seems to be an unnecessarily hysterical interpretation of http://dev.exiv2.org/issues/1248

It seems to be a classic case of an upstream maintainer that doesn't have the bandwidth to harden the library. He seems willing to mentor contributors interested in such things. e.g., http://dev.exiv2.org/issues/1248#note-14

How about stepping up to own some of the burden of maintaining exiv2? Has anyone tried that?

> Possible alternatives include gexiv2 allowing itself to run without the
> backing exiv2 library and just giving fake answers, or shotwell dynamically
> loading gexiv2 only if a user wants to use the functionality, or shotwell
> allowing build-time configuration to remove Exif functionality, or possibly
> other answers.

A much more constructive approach would be to help with upstream exiv2 maintenance.
Comment 5 GNOME Infrastructure Team 2018-05-22 12:36:26 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to GNOME's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.gnome.org/GNOME/gexiv2/issues/25.