GNOME Bugzilla – Bug 785547
exiv2 is unsafe
Last modified: 2018-05-22 12:36:26 UTC
Hello,

The authors of exiv2 are unwilling to make libexiv2 safe for use on arbitrary files: http://dev.exiv2.org/issues/1248 . There are known issues unfixed for more than nine months; no users have stepped forward with patches in the meantime.

As a result I'd like to demote exiv2 from main to universe in Ubuntu to try to limit our risks and risks to our users.

Jeremy Bicha points out that currently it's difficult or impossible to build shotwell without libexiv2 https://bugs.launchpad.net/ubuntu/+source/exiv2/+bug/1706471 .

Ideally someone who cares about Exif data would fork exiv2 and add necessary hardening, or re-write the library entirely afresh in Rust, so that it would be safe to use on arbitrary files.

Possible alternatives include gexiv2 allowing itself to run without the backing exiv2 library and just giving fake answers, or shotwell dynamically loading gexiv2 only if a user wants to use the functionality, or shotwell allowing build-time configuration to remove Exif functionality, or possibly other answers.

Thanks
(In reply to seth.arnold from comment #0)
> Hello,
>
> The authors of exiv2 are unwilling to make libexiv2 safe for use on
> arbitrary files: http://dev.exiv2.org/issues/1248 . There are known issues
> unfixed for more than nine months; no users have stepped forward with
> patches in the meantime.
>
> As a result I'd like to demote exiv2 from main to universe in Ubuntu to try
> to limit our risks and risks to our users.
>
> Jeremy Bicha points out that currently it's difficult or impossible to build
> shotwell without libexiv2
> https://bugs.launchpad.net/ubuntu/+source/exiv2/+bug/1706471 .

Unsurprising.

> Ideally someone who cares about Exif data would fork exiv2 and add necessary
> hardening, or re-write the library entirely afresh in Rust, so that it would
> be safe to use on arbitrary files.

Yeah, well, it's easy to say that "someone" should do that. Someone has an infinite number of resources available to fix everything. I cannot, I currently even struggle to find any time.

Feel free to remove Shotwell from Ubuntu. I suspect if Canonical cares for that, Canonical could sponsor such a rewrite. Or write a new one, Canonical is quite fond of NIH as I hear.

> Possible alternatives include gexiv2 allowing itself to run without the
> backing exiv2 library and just giving fake answers, or shotwell dynamically
> loading gexiv2 only if a user wants to use the functionality, or shotwell
> allowing build-time configuration to remove Exif functionality, or possibly
> other answers.

What's the point in that? Will you cater for all the Shotwell, gnome-photos, ... users that go to those programs and file tickets against them? Will you handle the backlash of hatred? No. We will have to handle that.
Crippling gexiv2 is a remarkably bad idea. There are many users beyond just shotwell (I know this because I wrote/ported some of them). I vote to just demote exiv2 and all rdeps so that things at least still work for people that care.
Offer: I can split out the meta-data parsing into its own process (for shotwell, that is) and run it with restrictive seccomp policies, just like tracker.
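The out-of-process, seccomp-confined parser sketched in the comment above, as an added example that is not from this thread or from Shotwell, gexiv2 or tracker. The Exif marker check is a hypothetical stand-in for libexiv2, and the allow-list, `sandboxed_run` and `probe_syscall` are assumptions of this example; a worker that makes any syscall outside the allow-list is killed and the caller sees -1 instead of a result.

```c
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
/* Return ALLOW when the loaded syscall number equals nr, else fall through. */
#define ALLOW(nr) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
                  BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
/* Worker allow-list: write the answer and exit, nothing else. A production
 * filter should also check seccomp_data.arch (omitted here for brevity). */
static int install_filter(void) {
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        ALLOW(SYS_write), ALLOW(SYS_exit_group), ALLOW(SYS_exit),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    };
    struct sock_fprog prog = { .len = sizeof f / sizeof f[0], .filter = f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
typedef int (*parser_fn)(const unsigned char *, size_t);
/* Hypothetical stand-in for libexiv2: 1 if an APP1 "Exif" segment follows SOI. */
int parse_exif_marker(const unsigned char *b, size_t n) {
    if (n < 10 || b[0] != 0xFF || b[1] != 0xD8 || b[2] != 0xFF) return 0;
    return b[3] == 0xE1 && memcmp(b + 6, "Exif", 4) == 0;
}
/* Stand-in for a compromised parser: makes a syscall the filter forbids. */
int probe_syscall(const unsigned char *b, size_t n) {
    (void)b; (void)n; return syscall(SYS_getuid) >= 0;
}
/* Run parser in a confined child; -1 if it was killed or misbehaved. */
int sandboxed_run(parser_fn parser, const unsigned char *buf, size_t len) {
    int fd[2], st;
    pid_t pid;
    if (pipe(fd) || (pid = fork()) < 0) return -1;
    if (pid == 0) {
        close(fd[0]);
        if (install_filter()) _exit(2);   /* fail closed: never parse unconfined */
        char r = (char)('0' + (parser(buf, len) != 0));
        _exit(write(fd[1], &r, 1) == 1 ? 0 : 3);
    }
    close(fd[1]);
    char r = '?';
    int got = read(fd[0], &r, 1) == 1;   /* EOF if the worker was killed */
    close(fd[0]);
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st) || WEXITSTATUS(st)) return -1;
    return got && (r == '0' || r == '1') ? r - '0' : -1;
}
```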
(In reply to seth.arnold from comment #0)
> The authors of exiv2 are unwilling to make libexiv2 safe for use on
> arbitrary files: http://dev.exiv2.org/issues/1248 . There are known issues
> unfixed for more than nine months; no users have stepped forward with
> patches in the meantime.
>
> As a result I'd like to demote exiv2 from main to universe in Ubuntu to try
> to limit our risks and risks to our users.
>
> [...]
>
> Ideally someone who cares about Exif data would fork exiv2 and add necessary
> hardening, or re-write the library entirely afresh in Rust, so that it would
> be safe to use on arbitrary files.

This seems to be an unnecessarily hysterical interpretation of http://dev.exiv2.org/issues/1248

It seems to be a classic case of an upstream maintainer that doesn't have the bandwidth to harden the library. He seems willing to mentor contributors interested in such things. e.g., http://dev.exiv2.org/issues/1248#note-14

How about stepping up to own some of the burden of maintaining exiv2? Has anyone tried that?

> Possible alternatives include gexiv2 allowing itself to run without the
> backing exiv2 library and just giving fake answers, or shotwell dynamically
> loading gexiv2 only if a user wants to use the functionality, or shotwell
> allowing build-time configuration to remove Exif functionality, or possibly
> other answers.

A much more constructive approach would be to help with upstream exiv2 maintenance.
-- GitLab Migration Automatic Message -- This bug has been migrated to GNOME's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.gnome.org/GNOME/gexiv2/issues/25.