Deleting on images with alpha channel does not delete

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Deleting on images with alpha channel does not delete

Hanno Böck
Hello,

I've been asked to bring this discussion to this mailinglist.

There's an issue with GIMP that can lead to unexpected disclosure of
private information if one tries to use GIMP to remove private data
from images.
The problem is that when someone "deletes" something with GIMP in an
image with an alpha channel it's not actually deleted, the content is
just set to be fully transparent. This can of course trivially be
reversed.

A typical situation where this might become problematic is when somene
makes a screenshot for e.g. a social media post and wants to remove
something that is private, e.g. a name/address/creditcard number etc.

Will Dormann who works for CERT/CC has reported this as an issue[1],
however it was closed arguing that this is expected behavior.

FWIW I agree with Will Dormann here that this is very surprising
behavior, and thus it should be considered dangerous and should be
changed. He also told me he tested multiple other popular graphics
editors and GIMP is the only one with this behavior.

(Also FYI I am planning to write an article about this for Golem.de.)

[1] https://gitlab.gnome.org/GNOME/gimp/issues/4487

--
Hanno Böck
https://hboeck.de/
_______________________________________________
gimp-developer-list mailing list
List address:    [hidden email]
List membership: https://mail.gnome.org/mailman/listinfo/gimp-developer-list
List archives:   https://mail.gnome.org/archives/gimp-developer-list
Reply | Threaded
Open this post in threaded view
|

Re: Deleting on images with alpha channel does not delete

Ofnuts-2
On 2/5/20 2:55 PM, Hanno Böck wrote:

> Hello,
>
> I've been asked to bring this discussion to this mailinglist.
>
> There's an issue with GIMP that can lead to unexpected disclosure of
> private information if one tries to use GIMP to remove private data
> from images.
> The problem is that when someone "deletes" something with GIMP in an
> image with an alpha channel it's not actually deleted, the content is
> just set to be fully transparent. This can of course trivially be
> reversed.
>
> A typical situation where this might become problematic is when somene
> makes a screenshot for e.g. a social media post and wants to remove
> something that is private, e.g. a name/address/creditcard number etc.
>
> Will Dormann who works for CERT/CC has reported this as an issue[1],
> however it was closed arguing that this is expected behavior.
>
> FWIW I agree with Will Dormann here that this is very surprising
> behavior, and thus it should be considered dangerous and should be
> changed. He also told me he tested multiple other popular graphics
> editors and GIMP is the only one with this behavior.
>
> (Also FYI I am planning to write an article about this for Golem.de.)
>
> [1] https://gitlab.gnome.org/GNOME/gimp/issues/4487
>
And why should this mailing list make any difference?

I'll even go further in the reasoning. If it makes sense for
PNG/WEBP/GIF, why wouldn't it make sense for the XCF format itself?
After all some poor souls could send someone an XCF where their credit
cars number has been erased in a layer (as a Gimp forum owner, I see
people routinely upload their XCF files fro all to see...). So we would
have to also clear these data in XCF layers, making the whole editor
unusable?

_______________________________________________
gimp-developer-list mailing list
List address:    [hidden email]
List membership: https://mail.gnome.org/mailman/listinfo/gimp-developer-list
List archives:   https://mail.gnome.org/archives/gimp-developer-list
Reply | Threaded
Open this post in threaded view
|

Re: Deleting on images with alpha channel does not delete

Michael Schumacher
On 2/5/20 11:36 PM, Ofnuts wrote:

> On 2/5/20 2:55 PM, Hanno Böck wrote:
>> Hello,
>>
>> I've been asked to bring this discussion to this mailinglist.
>>
>> There's an issue with GIMP that can lead to unexpected disclosure of
>> private information if one tries to use GIMP to remove private data
>> from images.
>> The problem is that when someone "deletes" something with GIMP in an
>> image with an alpha channel it's not actually deleted, the content is
>> just set to be fully transparent. This can of course trivially be
>> reversed.
>>
>> A typical situation where this might become problematic is when somene
>> makes a screenshot for e.g. a social media post and wants to remove
>> something that is private, e.g. a name/address/creditcard number etc.
>>
>> Will Dormann who works for CERT/CC has reported this as an issue[1],
>> however it was closed arguing that this is expected behavior.
>>
>> FWIW I agree with Will Dormann here that this is very surprising
>> behavior, and thus it should be considered dangerous and should be
>> changed. He also told me he tested multiple other popular graphics
>> editors and GIMP is the only one with this behavior.
>>
>> (Also FYI I am planning to write an article about this for Golem.de.)
>>
>> [1] https://gitlab.gnome.org/GNOME/gimp/issues/4487
>>
> And why should this mailing list make any difference?

For the records, Hanno mailed me directly and asked for a statement
(presumably for use in the article), and I replied asking him to put
this on either the developer mailing list or to comment on the issue
referenced above, to give more people the possibility to participate.

(pippin and I have added additional comments to the issue today, as we
think they might be better stored there).

> I'll even go further in the reasoning. If it makes sense for
> PNG/WEBP/GIF, why wouldn't it make sense for the XCF format itself?
> After all some poor souls could send someone an XCF where their credit
> cars number has been erased in a layer (as a Gimp forum owner, I see
> people routinely upload their XCF files fro all to see...). So we would
> have to also clear these data in XCF layers, making the whole editor
> unusable?

I've written a bit about what I think needs to be addressed there in my
second comment to the issue, namely ways to explicitly inspect and
redact what is exported, without destroying it in the source file.

There's also a Tweet (with several sub-threads) referenced in the issue
report, with points being made for either behavior of Delete by
different people.


--
Regards,
Michael
GPG: 96A8 B38A 728A 577D 724D 60E5 F855 53EC B36D 4CDD
_______________________________________________
gimp-developer-list mailing list
List address:    [hidden email]
List membership: https://mail.gnome.org/mailman/listinfo/gimp-developer-list
List archives:   https://mail.gnome.org/archives/gimp-developer-list