
Bug#964090: Error when converting from "jpg" to "pdf" since security upgrade "8:6.9.10.23+dfsg-2.1+deb10u1"


Alex ARNAUD

Jul 1, 2020, 11:40:03 AM
Package: imagemagick
Version: 8:6.9.10.23+dfsg-2.1+deb10u1
Severity: important
Tags: buster

Hello,

Since the upgrade of imagemagick from "8:6.9.10.23+dfsg-2.1" to "8:6.9.10.23+dfsg-2.1+deb10u1", I obtain an error when converting an image from jpg to pdf.

I execute the following command-line:
convert /tmp/37fkw0k6.jpg -density 300 /tmp/37fkw0k6.pdf

And I obtain the following error:
convert-im6.q16: attempt to perform an operation not allowed by the security policy `PDF' @ error/constitute.c/IsCoderAuthorized/408.

It makes the program I use to read my mail through OCR (I'm visually impaired) fail at the mentioned command. I was forced to downgrade to make it work again.

Best regards,
Alex.

Viktor Horvath

Jul 5, 2020, 11:30:02 AM
Hello,

I found that I had to comment out the following line inside
/etc/ImageMagick-6/policy.xml to make image->PDF conversion work again:

<policy domain="coder" rights="none" pattern="PDF" />

Is this because of a ghostscript vulnerability? Could this please be
re-enabled as soon as that issue is fixed, and I also suggest
mentioning it in the NEWS file for imagemagick. I guess the possible
risk of attack is very different between web servers and untrusted
input, and desktop users?

Thank you,
Viktor.

Felix Lechner

Oct 7, 2020, 4:20:03 PM
Control: tags -1 + patch

Hi,

> Is this because of a ghostscript vulnerability?

The PDF policy restriction is also in effect on Debian stable even
though that release ships with Ghostscript 9.27, which online sources
suggest is safe. [1]

Converting images to PDF is a very common functionality. Please
provide a backport with the attached patch, or similar. Thanks!

Kind regards
Felix Lechner

[1] https://stackoverflow.com/questions/52998331/imagemagick-security-policy-pdf-blocking-conversion
imagemagick.patch

Pavel Sanda

Dec 10, 2020, 6:40:03 AM
On Wed, 7 Oct 2020 13:15:23 -0700 Felix Lechner <felix....@lease-up.com> wrote:
> Control: tags -1 + patch
>
> Hi,
>
> > Is this because of a ghostscript vulnerability?
>
> The PDF policy restriction is also in effect on Debian stable even
> though that release ships with Ghostscript 9.27, which online sources
> suggest is safe. [1]
>
> Converting images to PDF is a very common functionality. Please
> provide a backport with the attached patch, or similar. Thanks!

Another package negatively affected with the current restrictions
is lyx - see bugs 911236 and 975678.

PDF and EPS coders need to be allowed for normal functionality.

Pavel

Salvatore Bonaccorso

Dec 13, 2020, 3:30:03 PM
Hi,

Cc'ing the security-team alias.

On Wed, Oct 07, 2020 at 01:15:23PM -0700, Felix Lechner wrote:
> Control: tags -1 + patch
>
> Hi,
>
> > Is this because of a ghostscript vulnerability?
>
> The PDF policy restriction is also in effect on Debian stable even
> though that release ships with Ghostscript 9.27, which online sources
> suggest is safe. [1]
>
> Converting images to PDF is a very common functionality. Please
> provide a backport with the attached patch, or similar. Thanks!

It is actually unlikely for the moment that we will revert the
200-disable-ghostscript-formats.patch patch again, which was first
included in the 8:6.9.10.23+dfsg-2.1+deb10u1 upload. It does mitigate
in general problems with the ghostscript handled formats, e.g. the
(new) CVE-2020-29599, cf.
https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html

We follow here only what other distributions have done earlier; I
believe SuSE has such a policy, and Ubuntu as well, from which the mentioned
patch was actually merged in the last update, TTBOMK.

Regards,
Salvatore

Bastien ROUCARIES

Dec 15, 2020, 4:40:05 AM
Hi,

I agree with Salvatore that, in general, disabling PDF is the safer solution.

I am slowly recovering from work debt due to the covid 19 lockdown in
France (I was locked down three months, and I could only work by night
for my paid job, so Debian work was not done), but I will accept a patch.

The solution to this tradeoff problem is a debconf question. I will accept a patch.

Bastien

Moritz Muehlenhoff

Dec 15, 2020, 6:30:03 AM
On Tue, Dec 15, 2020 at 10:32:25AM +0100, Bastien ROUCARIES wrote:
> Hi,
>
> I agree with salvatore, that in general disabling pdf is the safer solution.

Yeah, this was intentional, but I missed an entry for it in debian/changelog.

> I am slowly recovering from work debt due to covid 19 lockdown in
> France (i was locked down three month, and I could only work by night
> for payjob so debian work was not done), but I will accept patch.
>
> The solution of this tradeoff problem is a debconf question. I will accept patch

I don't think we need debconf here; policy.xml is a conffile, which can be edited locally
if one accepts the risk or uses Ghostscript with trusted input only.

Cheers,
Moritz
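A small check for the local conffile edit discussed above, added here as an example (not code from ImageMagick, Debian, or anyone in this thread): it parses the coder entries of a policy.xml and reports whether a given coder may be read or written. The sample policies are constructed; the evaluation rule (a coder is denied if any matching entry lacks the requested right, patterns are globs with `{A,B}` alternation) is my reading of ImageMagick's behaviour, and the narrowed `rights="write"` variant relies on the fact that ImageMagick writes PDF itself and only invokes the Ghostscript delegate when reading PDF/PS input.

```python
"""Report what an ImageMagick policy.xml allows for a given coder."""
import fnmatch
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the Debian line that broke jpg->pdf.
DEBIAN_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="{PS2,PS3,EPS,XPS}" />
  <policy domain="coder" rights="none" pattern="PDF" />
</policymap>"""

# Narrowed variant: allow writing PDF (no Ghostscript involved) while
# still refusing to decode untrusted PDF input through Ghostscript.
NARROWED_POLICY = DEBIAN_POLICY.replace(
    'rights="none" pattern="PDF"', 'rights="write" pattern="PDF"')


def _expand_braces(pattern):
    """Expand one level of {A,B} alternation into plain glob patterns."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    return [p for alt in m.group(1).split(",")
            for p in _expand_braces(pattern[:m.start()] + alt + pattern[m.end():])]


def coder_policies(xml_text):
    """Return [(pattern, set_of_granted_rights)] for coder-domain entries."""
    out = []
    for pol in ET.fromstring(xml_text).iter("policy"):
        if pol.get("domain") != "coder":
            continue
        rights = pol.get("rights", "none").lower()
        granted = set() if rights == "none" else {r.strip() for r in rights.split("|")}
        out.append((pol.get("pattern", "*"), granted))
    return out


def is_allowed(xml_text, coder, right):
    """True if `coder` may perform `right` ('read' or 'write') under the policy.

    Assumption: every matching entry must grant the right; no match means allowed.
    """
    coder = coder.upper()
    for pattern, granted in coder_policies(xml_text):
        if any(fnmatch.fnmatchcase(coder, alt.upper()) for alt in _expand_braces(pattern)):
            if right not in granted:
                return False
    return True
```

Run it against the real file with `is_allowed(open("/etc/ImageMagick-6/policy.xml").read(), "PDF", "write")` to see whether a jpg-to-pdf conversion will be refused before touching the conffile.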

MJ Ray

Dec 15, 2020, 8:20:04 AM

On 13 December 2020 20:19:42 UTC, Salvatore Bonaccorso <car...@debian.org> wrote:
>Hi,
>
>Cc'in the security-team alias.
>
>It is actually unlikely for the moment that we will revert the
>200-disable-ghostscript-formats.patch patch again, which was first
>included in the 8:6.9.10.23+dfsg-2.1+deb10u1 upload. It does mitigate
>in general problems with the ghostscript handled formats, e.g. the
>(new) CVE-2020-29599, cf.
>https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html

Does this only affect ghostscript or any action involving external commands?

Why is backtick in the whitelist?

>We follow here only what other distributions have done earlier; I
>believe SuSE has such a policy, and Ubuntu as well, from which the mentioned
>patch was actually merged in the last update, TTBOMK.

I don't feel that is a great reason. We wouldn't have debs and so on if it was generally applicable.

Hope that helps,
MJR (mobile)

Ulrike Uhlig

Mar 2, 2021, 7:00:03 AM
Hello!

As I ran into this issue, I am giving a short summary here of what I
understand, so that others do not have to re-read everything:

AFAIU, there are two issues, one is related to Ghostscript, and one to
ImageMagick itself.

Ghostscript
===========

According to https://www.kb.cert.org/vuls/id/332928/ the issue is
addressed in Ghostscript 9.24.

Except for Debian old-old-stable, Debian does ship versions above 9.24:
https://tracker.debian.org/pkg/ghostscript

ImageMagick
===========

Issue described here:
https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html

This is fixed in ImageMagick 6.9.11 and later, which is available in
Bullseye but not earlier versions of Debian.

Current status reflected there:
https://security-tracker.debian.org/tracker/CVE-2020-29599


- ulrike

Karl O. Pinc

Apr 26, 2021, 5:10:03 PM
Hello,

According to the above, and all I've read, the
security issue that blocked operations on PDFs
is no longer present in bullseye. Not in
gs and not in imagemagick.

Unless there's some new security issue
please revert the patch and close this bug to
make functionality available.

Regards,

Karl <k...@karlpinc.com>
Free Software: "You don't pay back, you pay forward."
-- Robert A. Heinlein

Matthias Gies

Dec 23, 2021, 6:00:03 AM
Package: imagemagick
Version: 8:6.9.11.60+dfsg-1.3
Followup-For: Bug #964090
X-Debbugs-Cc: matthi...@gmail.com

Dear Maintainer,

I am still running into this issue when using pdfsandwich to do automatic OCR
on my PDF files.

Since the security issues seem to be fixed, I would also appreciate allowing
editing of PDFs by default again.

Thanks for your efforts!

Regards from Germany,
MGies


-- Package-specific info:
ImageMagick program version
---------------------------
animate: ImageMagick 6.9.11-60 Q16 x86_64 2021-01-25 https://imagemagick.org
compare: ImageMagick 6.9.11-60 Q16 x86_64 2021-01-25 https://imagemagick.org
convert: ImageMagick 6.9.11-60 Q16 x86_64 2021-01-25 https://imagemagick.org
composite: ImageMagick 6.9.11-60 Q16 x86_64 2021-01-25 https://imagemagick.org
conjure: ImageMagick 6.9.11-60 Q16 x86_64 2021-01-25 https://imagemagick.org
display: ImageMagick 6.9.11-60 Q16 x86_64 2021-01-25 https://imagemagick.org
identify: ImageMagick 6.9.11-60 Q16 x86_64 2021-01-25 https://imagemagick.org
import: ImageMagick 6.9.11-60 Q16 x86_64 2021-01-25 https://imagemagick.org
mogrify: ImageMagick 6.9.11-60 Q16 x86_64 2021-01-25 https://imagemagick.org
montage: ImageMagick 6.9.11-60 Q16 x86_64 2021-01-25 https://imagemagick.org
stream: ImageMagick 6.9.11-60 Q16 x86_64 2021-01-25 https://imagemagick.org

-- System Information:
Debian Release: 11.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-10-amd64 (SMP w/8 CPU threads)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages imagemagick depends on:
ii imagemagick-6.q16 8:6.9.11.60+dfsg-1.3

imagemagick recommends no packages.

imagemagick suggests no packages.

-- no debconf information

Tim Connors

Jun 23, 2022, 9:50:03 AM
Still getting this error in 2022, despite the bug having been closed years
ago, and having never existed in debian stable.

34710,4> mogrify -format pdf -- *png
mogrify-im6.q16: attempt to perform an operation not allowed by the security policy `PDF' @ error/constitute.c/IsCoderAuthorized/421.


This makes the package rather useless for the vast majority of uses, which
is converting trusted data. We're not all running public facing
webservers accepting unsanitised data from the public. Some of us use our
computers to do useful things too.

--
Tim Connors