Re: [gst-devel] Re: gstreamer gdk-pixbuf plugin



> It could be a nice idea to make a thumbnailer that uses gdk-pixbuf to
> generate thumbnails...
> 
> But that still means that it's a security issue if you open untrusted
> content via gdk-pixbuf. Like in Evolution.
> 
> I wouldn't trust GStreamer on that. Or Xine. Or any media framework. They
> all didn't have security audits yet...

There are a few options for selectively disabling loaders:

a) Disable the problematic loaders globally, by removing them from 
gdk-pixbuf.loaders

b) Do your own sniffing and work with gdk_pixbuf_loader_new_with_type()

c) Let gdk-pixbuf determine the type, but blacklist untrusted loaders
(or, better, list trusted loaders)

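loader = gdk_pixbuf_loader_new ();
/* feed the first 128 bytes so gdk-pixbuf can determine the type */
if (!gdk_pixbuf_loader_write (loader, buf, 128, &error))
  return NULL;
format = gdk_pixbuf_loader_get_format (loader);
/* format is NULL if the type has not been determined */
if (format == NULL)
  return NULL;
if (strcmp (gdk_pixbuf_format_get_name (format), "GStreamer") == 0)
  {
    g_warning ("I don't trust GStreamer yet");
    return NULL;
  }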

Matthias
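
Options (b) and (c) from the message above, written as an allowlist. This is an added example, not part of the original message and not gdk-pixbuf code: the helper names sniff_trusted_type() and loader_name_is_trusted() are hypothetical, and treating png, jpeg and gif as the trusted set is an assumption.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* gdk-pixbuf loader name plus its leading magic bytes. Which formats are
 * trusted is an assumption made for this example. */
struct trusted_format { const char *name; const unsigned char *magic; size_t len; };
static const unsigned char MAGIC_PNG[]  = { 0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a };
static const unsigned char MAGIC_JPEG[] = { 0xff, 0xd8, 0xff };
static const unsigned char MAGIC_GIF[]  = { 'G', 'I', 'F', '8' };
static const struct trusted_format TRUSTED[] = {
    { "png",  MAGIC_PNG,  sizeof MAGIC_PNG },
    { "jpeg", MAGIC_JPEG, sizeof MAGIC_JPEG },
    { "gif",  MAGIC_GIF,  sizeof MAGIC_GIF },
};
#define N_TRUSTED (sizeof TRUSTED / sizeof TRUSTED[0])

/* Option (b): sniff the type ourselves. Returns the name to hand to
 * gdk_pixbuf_loader_new_with_type(), or NULL for anything not trusted. */
const char *sniff_trusted_type(const unsigned char *buf, size_t len)
{
    if (buf == NULL)
        return NULL;
    for (size_t i = 0; i < N_TRUSTED; i++)
        if (len >= TRUSTED[i].len &&
            memcmp(buf, TRUSTED[i].magic, TRUSTED[i].len) == 0)
            return TRUSTED[i].name;
    return NULL;
}

/* Option (c): check the name from gdk_pixbuf_format_get_name() against the
 * allowlist, so loaders nobody has listed are rejected by default. */
int loader_name_is_trusted(const char *name)
{
    if (name == NULL)
        return 0;
    for (size_t i = 0; i < N_TRUSTED; i++)
        if (strcmp(name, TRUSTED[i].name) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample: start of a RIFF/AVI container, not an image. */
    const unsigned char avi[] = { 'R', 'I', 'F', 'F', 0, 0, 0, 0, 'A', 'V', 'I', ' ' };
    const char *type = sniff_trusted_type(avi, sizeof avi);
    printf("sniffed: %s, GStreamer trusted: %d\n",
           type ? type : "(rejected)", loader_name_is_trusted("GStreamer"));
    return 0;
}
```

With an allowlist, a loader installed later is rejected until someone adds it, which a check against a single untrusted name cannot do.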



