[Pkg-gmagick-im-team] Bug#907336: still relevant? revert?

Bastien ROUCARIES roucaries.bastien+imagemagick at gmail.com
Wed Sep 1 10:01:43 BST 2021


On Wed, 1 Sep 2021 at 08:21, Tomas Pospisek <tpo at sourcepole.ch> wrote:
>
> Dear ImageMagick Packaging Team,
>
> Short version: is it safe today to re-enable PDF/PS conversion again these
> days?
>
> Long version:
>
> Today I was affected by the problem reported in [1], notably:
>
>      convert: attempt to perform an operation not allowed by the security
>      policy `PDF' @ error/constitute.c/IsCoderAuthorized/408.
>
> When I check /etc/ImageMagick-6/policy.xml I see that plenty of
> conversions to/from (?) PDF/(E)PS* are apparently disabled by default as
> delivered by Debian. Which actually covers part of the requests in this
> (#907336) bug report.
>
> The mentioned stackoverflow Q&A however mentions that:
>
> > Make sure ghostscript is updated kb.cert.org/vuls/id/332928
>
> Which refers to a fix in Ghostscript 9.24 which is ages ago when compared
> to the Ghostscript version 9.53 currently in Debian stable.
>
> I have *zero* insight into the issues leading to PDF/PS conversion being
> disabled in Debian and if they still are relevant and still are of
> the same concern as they were at the times before Ghostscript 9.24.
>
> Or posed differently: does it make sense to reevaluate these issues and -
> if it turns out they are of no concern any more today - could the
> respective converters be re-enabled by default again?

No, it will not be re-enabled by default.

The best would be to have a debconf question and let the user accept the risk.

PostScript is Turing complete, so it is easy to do a DoS. It should be documented.

Patch welcome


Bastien

> Thanks a lot for maintaining ImageMagick! Greetings,
> *t
>
> [1] https://stackoverflow.com/questions/52998331/imagemagick-security-policy-pdf-blocking-conversion
>
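The thread turns on which Ghostscript-backed coders the Debian policy.xml actually disables. As an added example (my code, not from the Debian package or either poster), here is a small checker that parses a policy.xml and reports the effective rights of those coders; the sample policy is constructed, and the coder list, the brace-pattern and `*` handling, and the "later entry wins" rule are assumptions rather than a reproduction of ImageMagick's own matcher.

```python
import re
import xml.etree.ElementTree as ET

# Coders ImageMagick hands to Ghostscript. Assumed list: PDF, PS and EPS are
# named in the thread; PS2, PS3 and XPS are the related coder names.
GS_CODERS = ("PS", "PS2", "PS3", "EPS", "PDF", "XPS")

# Constructed sample resembling the coder stanza of /etc/ImageMagick-6/policy.xml
# (not copied from the real file). Note the commented-out entry: XML comments
# are inactive, so a reader "seeing" a policy line is not enough.
SAMPLE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <!-- <policy domain="coder" rights="none" pattern="PS3" /> -->
  <policy domain="coder" rights="none" pattern="{EPS,PDF}" />
  <policy domain="coder" rights="read" pattern="XPS" />
</policymap>
"""


def expand_pattern(pattern):
    """Expand a coder pattern such as "{EPS,PDF}" into a list of coder names."""
    m = re.fullmatch(r"\{([^}]*)\}", pattern.strip())
    if m:
        return [p.strip().upper() for p in m.group(1).split(",")]
    return [pattern.strip().upper()]


def coder_rights(policy_xml, coders=GS_CODERS):
    """Return {coder: rights}; "default" means no coder policy names that coder."""
    root = ET.fromstring(policy_xml)  # comments are dropped by the parser
    rights = {c: "default" for c in coders}
    for pol in root.iter("policy"):
        if pol.get("domain") != "coder":
            continue
        names = expand_pattern(pol.get("pattern", ""))
        for c in coders:
            if c in names or "*" in names:
                rights[c] = pol.get("rights", "default")  # assumed: later entry wins
    return rights


def ghostscript_blocked(policy_xml):
    """True only when every Ghostscript-backed coder has rights="none"."""
    return all(r == "none" for r in coder_rights(policy_xml).values())


if __name__ == "__main__":
    print(coder_rights(SAMPLE_POLICY), ghostscript_blocked(SAMPLE_POLICY))
```

Run it against the real file with `coder_rights(open("/etc/ImageMagick-6/policy.xml").read())`; a coder still reporting "default" or "read" is one the policy does not block.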



More information about the Pkg-gmagick-im-team mailing list