I think CVE-2024-29510 (Ghostscript vuln) may apply to Mastodon, as Mastodon sends images to ImageMagick, which can call Ghostscript. But I might be wrong.
@GossiTheDog Hrm. While the imagemagick-6.q16 package (on Debian) recommends ghostscript (and it is installed on my Mastodon instance), there's no hard dependency. I don't think Mastodon deals with any file formats that require ghostscript processing? Certainly not pdf or ps...
Should be safe to uninstall when it's considered a possible attack vector...
@GossiTheDog A lot of features are disabled by default in ImageMagick. When I wanted to convert PDF pages to JPG, I had to whitelist it in “/etc/ImageMagick-6/policy.xml”. At least in Debian/Ubuntu.
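A defender's check for the policy.xml point above, added here as an example (not code from anyone in this thread): it parses an ImageMagick policy.xml and reports which Ghostscript-backed coders are still readable. The sample policy is constructed; the file path and coder list are assumptions based on stock Debian packaging.

```python
"""Report which Ghostscript-delegated coders an ImageMagick policy.xml leaves readable."""
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Coders ImageMagick implements by handing the file to Ghostscript (assumed list).
GS_CODERS = ("PS", "PS2", "PS3", "EPS", "PDF", "XPS")

# Constructed sample in the layout of /etc/ImageMagick-6/policy.xml on Debian;
# note PDF has been re-enabled and PS3/XPS are not mentioned at all.
SAMPLE_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="read|write" pattern="PDF" />
</policymap>"""


def _expand(pattern):
    """Expand one {A,B,C} alternation (used by some distros) into plain globs."""
    if "{" in pattern and "}" in pattern:
        head, rest = pattern.split("{", 1)
        body, tail = rest.split("}", 1)
        return [head + alt + tail for alt in body.split(",")]
    return [pattern]


def _rights(value):
    """Parse rights="read|write" into a set; "none" or empty means no rights."""
    return {r.strip().lower() for r in value.split("|")} - {"none", ""}


def gs_coder_status(policy_xml):
    """Return {coder: True if reading is denied, False if still allowed}.

    ImageMagick refuses a request when any matching policy lacks the right,
    so a single matching rights="none" entry is enough to block a coder.
    A policy with no rights attribute is treated as denying (conservative).
    """
    root = ET.fromstring(policy_xml)
    status = {c: False for c in GS_CODERS}
    for pol in root.iter("policy"):
        if pol.get("domain", "").lower() != "coder":
            continue
        if "read" in _rights(pol.get("rights", "")):
            continue  # this entry grants read; it cannot block anything
        for pat in _expand(pol.get("pattern", "")):
            for coder in GS_CODERS:
                if fnmatchcase(coder, pat.upper()):
                    status[coder] = True
    return status


def unblocked_gs_coders(policy_xml):
    """Sorted list of Ghostscript-backed coders the policy still lets ImageMagick read."""
    return sorted(c for c, blocked in gs_coder_status(policy_xml).items() if not blocked)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY
    print("Ghostscript-backed coders still readable:", unblocked_gs_coders(text))
```

An empty list is the state to aim for on an instance that, like Mastodon, never needs PS or PDF handling.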
Hmmm that got me wondering whether ImageMagick is packaged on Ubuntu with Ghostscript as a hard dependency. Wanted to check this - but it seems that packages.ubuntu.com is down ATM.
It is back - and it seems that Ghostscript is not a hard dependency for ImageMagick - but a recommended one.
If it were possible to exploit the Ghostscript vuln through ImageMagick through Mastodon, only a subset of the instances would be vulnerable to this 'chain'.
However, I can't speak for other forks, besides vanilla and glitch - could be that the LaTeX/MathML fork (like Mathstodon) does use Ghostscript :flan_shrug: