GossiTheDog (@GossiTheDog@cyberplace.social)

I think CVE-2024-29510 (Ghostscript vuln) may apply to Mastodon, as Mastodon sends images to ImageMagick, which can call Ghostscript. But I might be wrong.

galaxis (@galaxis@mastodon.infra.de)

@GossiTheDog Hrm. While the imagemagick-6.q16 package (on Debian) recommends ghostscript (and it is installed on my Mastodon instance), there's no hard dependency. I don't think Mastodon deals with any file formats that require ghostscript processing? Certainly not pdf or ps...

Should be safe to uninstall when it's considered a possible attack vector...

h3artbl33d (@h3artbl33d@exquisite.social)

@galaxis

If it is any consideration, Exquisite has been running without Ghostscript (on OpenBSD) since late 2022.

galaxis (@galaxis@mastodon.infra.de)

@h3artbl33d Yeah, in the worst case, reprocessing some media would fail, so I took the opportunity to nuke it from this install.

h3artbl33d (@h3artbl33d@exquisite.social)

@galaxis

Do you happen to know what kind of media? I can imagine PDFs and perhaps SVG?

erlenmayr (@erlenmayr@chaos.social)

@GossiTheDog A lot of features are disabled by default in ImageMagick. When I wanted to convert PDF pages to JPG, I had to whitelist it in “/etc/ImageMagick-6/policy.xml”. At least in Debian/Ubuntu.
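A defender-side check for the point erlenmayr raises: does a policy.xml still deny the coders that ImageMagick hands to Ghostscript? This is an added example, not code from anyone in the thread; the sample policy files are constructed, and the list of Ghostscript-backed coders plus the assumption that rules sit one per line in the stock attribute order (domain, rights, pattern) are mine.

```shell
#!/bin/sh
# Added example (not from the thread): audit an ImageMagick policy.xml for the
# coders ImageMagick delegates to Ghostscript. Assumes one <policy> per line,
# stock attribute order (domain, rights, pattern) and the "coder" domain.
GS_CODERS="PS PS2 PS3 EPS PDF XPS"   # assumption: coders handed to gs

# Print coder names covered by `domain="coder" rights="none"` rules, one per
# line, expanding brace groups like pattern="{PS,EPS}". Commented-out rules
# (<!-- ... -->) are skipped so a disabled deny does not count as protection.
denied_coders() {
  sed -n -e '/<!--/d' \
    -e 's/.*<policy[^>]*domain="coder"[^>]*rights="none"[^>]*pattern="\([^"]*\)".*/\1/p' "$1" \
    | tr -d '{}' | tr ',' '\n'
}

# Return 0 when every Ghostscript-backed coder is denied; otherwise print the
# ones still allowed and return 1.
check_gs_policy() {
  denied=$(denied_coders "$1"); missing=""
  for c in $GS_CODERS; do
    printf '%s\n' "$denied" | grep -x "$c" >/dev/null || missing="$missing $c"
  done
  [ -z "$missing" ] && return 0
  echo "still allowed:$missing"; return 1
}

# Constructed sample: deny rules in the style the stock Debian file ships with.
HARDENED=$(mktemp); cat >"$HARDENED" <<'EOF'
<policymap>
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,XPS}" />
  <policy domain="coder" rights="none" pattern="PDF" />
</policymap>
EOF
# Constructed sample: PDF re-enabled for conversion, the change erlenmayr describes.
RELAXED=$(mktemp); cat >"$RELAXED" <<'EOF'
<policymap>
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,XPS}" />
  <!-- <policy domain="coder" rights="none" pattern="PDF" /> -->
  <policy domain="coder" rights="read|write" pattern="PDF" />
</policymap>
EOF

for f in "$HARDENED" "$RELAXED"; do
  if check_gs_policy "$f"; then echo "$f: Ghostscript coders denied"; fi
done
```

Point the function at the live file (the thread names /etc/ImageMagick-6/policy.xml on Debian/Ubuntu) to audit a running instance.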

h3artbl33d (@h3artbl33d@exquisite.social)

@erlenmayr @GossiTheDog

Hmmm, interesting!

h3artbl33d (@h3artbl33d@exquisite.social)

@GossiTheDog

Hmmm, that got me wondering whether ImageMagick is packaged on Ubuntu with Ghostscript as a hard dependency. I wanted to check this, but it seems that packages.ubuntu.com is down ATM.

h3artbl33d (@h3artbl33d@exquisite.social)

@GossiTheDog

It is back, and it seems that Ghostscript is not a hard dependency for ImageMagick, but a recommended one.

If it were possible to exploit the Ghostscript vuln through ImageMagick through Mastodon, only a subset of the instances would be vulnerable for this 'chain'.

However, I can't speak for other forks besides vanilla and glitch; it could be that the LaTeX/MathML fork (like Mathstodon) does use Ghostscript :flan_shrug:
