[Pkg-gmagick-im-team] Bug#907336: still relevant? revert?

Bastien ROUCARIES roucaries.bastien+imagemagick at gmail.com
Wed Sep 1 10:01:43 BST 2021

Le mer. 1 sept. 2021 à 08:21, Tomas Pospisek <tpo at sourcepole.ch> a écrit :
> Dear ImageMagick Packaging Team,
> Short version: is it safe today to reenable PDF/PS conversion again these
> days?
> Long version:
> Today I was affected by the problem reported in [1], notably:
>      convert: attempt to perform an operation not allowed by the security
>      policy `PDF' @ error/constitute.c/IsCoderAuthorized/408.
> When I check /etc/ImageMagick-6/policy.xml I see that plenty of
> conversions to/from (?) PDF/(E)PS* are apparently disabled by default as
> delivered by Debian. Which actually covers part of the requests in this
> (#907336) bugreport.
> The mentioned stackoverflow Q&A however mentions that:
> > Make sure ghostscript is updated kb.cert.org/vuls/id/332928
> Which refers to a fix in Ghostscript 9.24 which is ages ago when compared
> to the Ghostscript version 9.53 currently in Debian stable.
> I have *zero* insight into the issues leading to PDF/PS conversion being
> disabled in Debian and if they still are relevant and still are of
> the same concern as they were at the times before Ghostscript 9.24.
> Or posed differently: does it make sense to reevaluate these issues and -
> if it turns out they are of no concern any more today - could the
> respective converters be re-enabled by default again?

No it will not renable by default.

The best will be to have a debconf question and let the user accept the risk.

Postscript is turing complete so it is easy to do a DOS. it should be documented

Patch welcome


> Thanks a lot for maintaining ImageMagick! Greetings,
> *t
> [1] https://stackoverflow.com/questions/52998331/imagemagick-security-policy-pdf-blocking-conversion

More information about the Pkg-gmagick-im-team mailing list