Imagemagick is one of the few bits of software where the functionality is worth the risk. Simply find a way to remove any network access and use it. I used to run it in a docker container with (almost) all capabilities dropped but with a directory mapped into it to run.
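One way to set up the kind of container the comment above describes, as an added example that is not part of the original comment and not the commenter's actual setup. The image name, the resource limits, the `im_sandbox` function name and the `IM_DRY_RUN` switch are assumptions made for illustration, and this version drops all capabilities rather than almost all.

```shell
#!/bin/sh
# Added example. IM_IMAGE is a placeholder: set it to an image you built
# that contains ImageMagick. The limits below are assumed values.
IM_IMAGE="${IM_IMAGE:-example.invalid/imagemagick:local}"

# im_sandbox HOST_DIR IM_COMMAND [ARGS...]
#   e.g. im_sandbox "$PWD/uploads" convert in.png -resize 50% out.jpg
# Runs IM_COMMAND in a container that sees only HOST_DIR (mounted at /work):
#   --network none                    no network interfaces except loopback
#   --cap-drop ALL                    no Linux capabilities
#   --security-opt no-new-privileges  setuid binaries cannot regain privileges
#   --read-only, --tmpfs /tmp         root filesystem immutable, scratch in RAM
#   --user                            run as the calling user, not root
#   --memory, --pids-limit            bound decompression bombs and fork storms
# With IM_DRY_RUN set, prints the docker arguments one per line instead.
im_sandbox() {
    workdir=$1
    shift
    case $workdir in
        *:*) echo "directory must not contain ':'" >&2; return 2 ;;
        /*)  ;;
        *)   echo "directory must be an absolute path" >&2; return 2 ;;
    esac
    [ -d "$workdir" ] || { echo "no such directory: $workdir" >&2; return 2; }
    [ "$#" -gt 0 ] || { echo "missing ImageMagick command" >&2; return 2; }

    set -- run --rm \
        --network none \
        --cap-drop ALL \
        --security-opt no-new-privileges \
        --read-only --tmpfs /tmp \
        --user "$(id -u):$(id -g)" \
        --memory 512m --pids-limit 64 \
        --volume "$workdir:/work" --workdir /work \
        "$IM_IMAGE" "$@"

    if [ -n "${IM_DRY_RUN:-}" ]; then
        printf '%s\n' "$@"
    else
        docker "$@"
    fi
}
```

Anything written to the mapped directory is still untrusted output from a possibly compromised process, so the directory should hold only the files for that one job.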
Not sure if this is common knowledge (??) but I feel I should note here: in my job we absolutely do not consider containers to be a security boundary[1]. On the other hand I still tend to use them for isolation on my personal boxen, because they at least reduce the blast radius of bugs or shitty packaging.
The article's sources disagree with the article. Its link to Microsoft's definition of a security boundary explicitly includes containers as a security boundary twice in the tables and offers bounties if you can break out of that security boundary. Its link and quote from Google say it's not a _strong_ security boundary, yet the article claims Google said it wasn't a security boundary at all. The Red Hat link doesn't say anything about security boundaries whatsoever, but it does say containers aren't perfect protection yet they do provide some protection. The Netflix link also explicitly says containers are a security boundary multiple times and they use additional protections to strengthen that boundary. At this point I'm done following citations but you get the point.
If the security folks at your job truly don't consider containers security boundaries then they are wrong. What seems more likely is they don't consider containers alone a _good enough_ security boundary. And that's fine, some places consider separate processes with different rights good enough security boundaries. Others consider two boxes that are able to interact with each other not a good enough security boundary. It doesn't change that things that weren't secure enough for the use case are still security boundaries.
One way to make it safer is to run inside WebAssembly. I needed an easy way to modify Photoshop files and to give those commands to other users. So you may want to check out https://knicknic.github.io/imagemagick/ which is Imagemagick in a progressive web app that allows you to share commands.
I always find it remarkable how people bash on IM without proposing alternatives. Should we all write our own libpng, libtiff, skia, cairo? Even libvips uses some imagemagick facilities for some of its functionality (file format support is just not there). While yes, processing images is complex and some formats are nearly Turing-complete (or outright Turing-complete like the container/MP4 derivatives), saying "This software contains vulnerabilities therefore we are going to remove it" is an attitude we could have less of. If you replace your local imagemagick with some cloud service - don't you worry, in addition to your cloud bill growing the cloud service _also_ has to deal with IM vulnerabilities, containerization, sandboxing and all the other good stuff. And is likely saving money by not going all the way on the above (if I had a dollar for every time a vulnerability could be injected into a service where images can be uploaded and the image renderer starts going out to the internet to embed something into a PNG).
I guess this means you should not use imagemagick in any process where the files (or other input) aren't trusted.
So you could use it in some typical dev workflows (or other business workflows) that are purely internal and maybe in certain non-internal processes where the inputs are strictly limited to trusted ones. But not, e.g., in services/apps that could process untrusted inputs.
(Seems like there are a number of leaks too, but since it's process-oriented, those probably won't be that hard to live with. They might be hard to notice normally.)
I guessed from the title that this was looking to secure a right to dress as one wished in the EU. In particular to wear a head covering or full body covering that might be associated with a particular religion. Like it would be cool to wear a miter even if you aren't a Roman Catholic bishop.
There is a lot of fiber running in railroad right of way.
Southern Pacific Railroad Internal Network Telecommunications, or SPRINT. The telecommunications name survives. The railroad is now part of Union Pacific.
I suspect that the folks putting fiber in railroad right of way know how to avoid crushing failure.
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=imagemagick
There have been a number of zero days.
My entire interaction with Imagemagick has been removing it. Often with great difficulty because there is some odd dependency.