[Pkg-gmagick-im-team] Bug#860763: imagemagick: /etc/imagemagick-6/policy.xml useless limits settings
Yuri D'Elia
wavexx at thregr.org
Sun May 28 21:29:28 UTC 2017
Package: imagemagick-6-common
Version: 8:6.9.7.4+dfsg-9
Followup-For: Bug #860763
I agree with the original reporter here. The policy includes arbitrary limits
which cannot easily be modified by invoking the commands.
If we want to ensure the "resource" limits do not get exceeded in order to
avoid a potential DOS, the admin should use ulimit(1).
The '<policy domain="path" rights="none" pattern="@*"/>' policy also kills the
ability to annotate text in a pipe:
echo 'x' | convert -annotate '@-' ...
will fail with a 'not authorized' error, which is rather confusing as this is
precisely the kind of example as done in the documentation.
Of course, @[path] will allow to read-in external data, but this somehow
implies that the user of convert is *not* under control of the annotation text.
This seems a rather weak form of protection which prevents a rather useful
feature.
The only "policy" that I agree with is to disable remote delegates (I never
expect an image toolkit to perform remote queries).
-- Package-specific info:
ImageMagick program version
---------------------------
animate: ImageMagick 6.9.7-4 Q16 x86_64 20170114 http://www.imagemagick.org
compare: ImageMagick 6.9.7-4 Q16 x86_64 20170114 http://www.imagemagick.org
convert: ImageMagick 6.9.7-4 Q16 x86_64 20170114 http://www.imagemagick.org
composite: ImageMagick 6.9.7-4 Q16 x86_64 20170114 http://www.imagemagick.org
conjure: ImageMagick 6.9.7-4 Q16 x86_64 20170114 http://www.imagemagick.org
display: ImageMagick 6.9.7-4 Q16 x86_64 20170114 http://www.imagemagick.org
identify: ImageMagick 6.9.7-4 Q16 x86_64 20170114 http://www.imagemagick.org
import: ImageMagick 6.9.7-4 Q16 x86_64 20170114 http://www.imagemagick.org
mogrify: ImageMagick 6.9.7-4 Q16 x86_64 20170114 http://www.imagemagick.org
montage: ImageMagick 6.9.7-4 Q16 x86_64 20170114 http://www.imagemagick.org
stream: ImageMagick 6.9.7-4 Q16 x86_64 20170114 http://www.imagemagick.org
-- System Information:
Debian Release: 9.0
APT prefers unstable
APT policy: (900, 'unstable'), (800, 'experimental')
Architecture: amd64
(x86_64)
Kernel: Linux 4.11.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
-- Configuration Files:
/etc/ImageMagick-6/policy.xml changed [not included]
More information about the Pkg-gmagick-im-team
mailing list