* [gentoo-user] ...I not allowed to make pdfs from images??????
From: tuxic @ 2018-12-08 13:23 UTC
To: Gentoo
Hi,
from some images I want to create a pdf.
I found this commandline to do so (imagemagick):
convert 1.png 2.png 3.png result.pdf
If I do so I get this message:
convert: attempt to perform an operation not allowed by the security policy `PDF' @ error/constitute.c/IsCoderAuthorized/408.
What the heck...
How can I allow myself to work on my computer ? ;)
Cheers!
Meino
* Re: [gentoo-user] ...I not allowed to make pdfs from images??????
From: Franz Fellner @ 2018-12-08 13:36 UTC
To: gentoo-user
Check your /etc/ImageMagick-7/policy.xml
But be aware of the risks, see the comment in the very same policy.xml file
On Sat, 8 Dec 2018 at 15:22, <tuxic@posteo.de> wrote:
> Hi,
>
> from some images I want to create a pdf.
> I found this commandline to do so (imagemagick):
> convert 1.png 2.png 3.png result.pdf
>
> If I do so I get this message:
> convert: attempt to perform an operation not allowed by the security
> policy `PDF' @ error/constitute.c/IsCoderAuthorized/408.
>
> What the heck...
>
> How can I allow myself to work on my computer ? ;)
>
> Cheers!
> Meino
* Re: [gentoo-user] ...I not allowed to make pdfs from images??????
From: Mick @ 2018-12-08 15:53 UTC
To: gentoo-user
On Saturday, 8 December 2018 13:36:04 GMT Franz Fellner wrote:
> Check your /etc/ImageMagick-7/policy.xml
> But be aware of the risks, see the comment in the very same policy.xml file
As Franz mentioned there are ghostscript vulnerabilities you should be aware
of, which are mitigated by the /etc/ImageMagick-7/policy.xml file.
Temporarily you could change line 60 in this file from "none" to "read|write":
<policy domain="coder" rights="read|write" pattern="PDF" />
Don't forget to revert it to "none" when you're done.
--
Regards,
Mick
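
One way to check which of the blocked coders a policy.xml currently leaves enabled, for example to confirm that the temporary change above was reverted. This is an added example, not part of the original thread; the sample policy is constructed, and the "no entry means unrestricted, last matching entry wins" evaluation is an assumption about ImageMagick's policy handling.

```python
import fnmatch
import sys
import xml.etree.ElementTree as ET

# Coders listed in the ebuild notice quoted later in this thread.
GS_CODERS = ["PS", "PS2", "PS3", "EPS", "PDF", "XPS"]

# Constructed sample (not a copy of the shipped file): five coders blocked,
# PDF left at the "read|write" value suggested in the message above.
SAMPLE_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="read|write" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
</policymap>"""


def effective_rights(policy_xml, coders=GS_CODERS):
    """Map each coder to the set of rights its policy entries leave enabled.

    Assumptions: a coder with no matching entry is unrestricted, and when
    several entries match, the last one in the file decides. Patterns are
    treated as simple globs; brace lists are not expanded.
    """
    rights = {c: {"read", "write"} for c in coders}
    for pol in ET.fromstring(policy_xml).iter("policy"):
        if pol.get("domain", "").lower() != "coder":
            continue
        granted = {r.strip().lower() for r in pol.get("rights", "").split("|")}
        granted -= {"none", ""}
        for c in coders:
            if fnmatch.fnmatchcase(c, pol.get("pattern", "")):
                rights[c] = granted
    return rights


def audit(policy_xml):
    """Return (coder, rights) pairs for every listed coder still enabled."""
    return [(c, "|".join(sorted(r)))
            for c, r in effective_rights(policy_xml).items() if r]


if __name__ == "__main__":
    # With a path argument, audit that file; otherwise audit the sample.
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_POLICY
    for coder, r in audit(text):
        print(f"{coder}: {r} (revert to none when done)")
```
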
* Re: [gentoo-user] ...I not allowed to make pdfs from images??????
From: Francesco Turco @ 2018-12-08 19:24 UTC
To: gentoo-user
On Sat, Dec 8, 2018, at 14:23, tuxic@posteo.de wrote:
> from some images I want to create a pdf.
I successfully use img2pdf: https://gitlab.mister-muffin.de/josch/img2pdf
It's also in the main Gentoo repository.
--
https://fturco.gitlab.io/
* Re: [gentoo-user] ...I not allowed to make pdfs from images??????
From: Marc Joliet @ 2018-12-08 22:02 UTC
To: gentoo-user
On Saturday, 8 December 2018, 14:36:04 CET, Franz Fellner wrote:
> Check your /etc/ImageMagick-7/policy.xml
> But be aware of the risks, see the comment in the very same policy.xml file
>
> On Sat, 8 Dec 2018 at 15:22, <tuxic@posteo.de> wrote:
> > Hi,
> >
> > from some images I want to create a pdf.
> > I found this commandline to do so (imagemagick):
> > convert 1.png 2.png 3.png result.pdf
> >
> > If I do so I get this message:
> > convert: attempt to perform an operation not allowed by the security
> > policy `PDF' @ error/constitute.c/IsCoderAuthorized/408.
> >
> > What the heck...
> >
> > How can I allow myself to work on my computer ? ;)
> >
> > Cheers!
> > Meino
FTR, this is mentioned in the emerge output when installing imagemagick. From
the 7.0.8.14 ebuild:
elog "For security reasons, a policy.xml file was installed in /etc/ImageMagick-7"
elog "which will prevent the usage of the following coders by default:"
elog ""
elog " - PS"
elog " - PS2"
elog " - PS3"
elog " - EPS"
elog " - PDF"
elog " - XPS"
Did it not show for you?
--
Marc Joliet
--
"People who think they know everything really annoy those of us who know we
don't" - Bjarne Stroustrup
* Re: [gentoo-user] ...I not allowed to make pdfs from images??????
From: Philip Webb @ 2018-12-09 10:35 UTC
To: gentoo-user
181208 Marc Joliet wrote:
> This is mentioned in the emerge output when installing imagemagick.
> From the 7.0.8.14 ebuild :
> elog "For security reasons, a policy.xml file was installed in
> /etc/ImageMagick-7"
> elog "which will prevent the usage of the following coders by default:"
> elog ""
> elog " - PS"
> elog " - PS2"
> elog " - PS3"
> elog " - EPS"
> elog " - PDF"
> elog " - XPS"
What exactly are the "security reasons" ?
Do they apply to a single-user system ? -- if not,
why is the restrictive version of the policy file installed by default
rather than a warning at the end of the emerge output ?
--
========================,,============================================
SUPPORT ___________//___, Philip Webb
ELECTRIC /] [] [] [] [] []| Cities Centre, University of Toronto
TRANSIT `-O----------O---' purslowatchassdotutorontodotca
* Re: [gentoo-user] ...I not allowed to make pdfs from images??????
From: Marc Joliet @ 2018-12-09 15:12 UTC
To: gentoo-user
On Sunday, 9 December 2018, 11:35:16 CET, Philip Webb wrote:
> 181208 Marc Joliet wrote:
> > This is mentioned in the emerge output when installing imagemagick.
> >
> > From the 7.0.8.14 ebuild :
> > elog "For security reasons, a policy.xml file was installed in
> > /etc/ImageMagick-7"
> > elog "which will prevent the usage of the following coders by default:"
> > elog ""
> > elog " - PS"
> > elog " - PS2"
> > elog " - PS3"
> > elog " - EPS"
> > elog " - PDF"
> > elog " - XPS"
>
> What exactly are the "security reasons" ?
> Do they apply to a single-user system ? -- if not,
> why is the restrictive version of the policy file installed by default
> rather than a warning at the end of the emerge output ?
Good question. Checking the git log, the change was made over two commits:
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=02765dfc333e578af9e3fd525fc0067dc47d6528
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=df7afbda6b12a68578833225e694cee011b20342
The commit messages point to https://www.kb.cert.org/vuls/id/332928/ and
https://bugs.gentoo.org/664236, which basically explain in more detail what
Mick already summarized yesterday.
--
Marc Joliet
--
"People who think they know everything really annoy those of us who know we
don't" - Bjarne Stroustrup
* Re: [gentoo-user] ...I not allowed to make pdfs from images??????
From: Philip Webb @ 2018-12-09 15:46 UTC
To: gentoo-user
181209 Marc Joliet wrote:
> On Sunday, 9 December 2018, 11:35:16 CET, Philip Webb wrote:
>> What exactly are the "security reasons" ?
>> Do they apply to a single-user system ? -- if not,
>> why is the restrictive version of the policy file installed by default
>> rather than a warning at the end of the emerge output ?
> Good question. Checking the git log, the change was made over two commits:
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=02765dfc333e578af9e3fd525fc0067dc47d6528
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=df7afbda6b12a68578833225e694cee011b20342
> The commit messages point to https://www.kb.cert.org/vuls/id/332928/
> and https://bugs.gentoo.org/664236,
> which basically explain in more detail what Mick summarized yesterday.
It looks to me like an over-reaction to a fairly unlikely exploit.
You are protected if you don't download images from untrusted sites
or if you don't run Ghostscript as root (who would ? ).
It's true that you can use 'img2pdf' instead, which is perhaps the solution.
--
========================,,============================================
SUPPORT ___________//___, Philip Webb
ELECTRIC /] [] [] [] [] []| Cities Centre, University of Toronto
TRANSIT `-O----------O---' purslowatchassdotutorontodotca
* Re: [gentoo-user] ...I not allowed to make pdfs from images??????
From: Arve Barsnes @ 2018-12-09 17:03 UTC
To: Gentoo
On Sun, 9 Dec 2018 at 16:46, Philip Webb <purslow@ca.inter.net> wrote:
>
> 181209 Marc Joliet wrote:
> > On Sunday, 9 December 2018, 11:35:16 CET, Philip Webb wrote:
> >> What exactly are the "security reasons" ?
> >> Do they apply to a single-user system ? -- if not,
> >> why is the restrictive version of the policy file installed by default
> >> rather than a warning at the end of the emerge output ?
> > Good question. Checking the git log, the change was made over two commits:
> > https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=02765dfc333e578af9e3fd525fc0067dc47d6528
> > https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=df7afbda6b12a68578833225e694cee011b20342
> > The commit messages point to https://www.kb.cert.org/vuls/id/332928/
> > and https://bugs.gentoo.org/664236,
> > which basically explain in more detail what Mick summarized yesterday.
>
> It looks to me like an over-reaction to a fairly unlikely exploit.
> You are protected if you don't download images from untrusted sites
> or if you don't run Ghostscript as root (who would ? ).
>
> It's true that you can use 'img2pdf' instead, which is perhaps the solution.
More important than that, it seems the vulnerability is in
ghostscript, and the vulnerable versions are not any longer even in
portage, so shouldn't the change have been reverted by now?
Arve
* Re: [gentoo-user] ...I not allowed to make pdfs from images??????
From: Marc Joliet @ 2018-12-09 17:18 UTC
To: gentoo-user
On Sunday, 9 December 2018, 16:46:39 CET, Philip Webb wrote:
> 181209 Marc Joliet wrote:
> > On Sunday, 9 December 2018, 11:35:16 CET, Philip Webb wrote:
> >> What exactly are the "security reasons" ?
> >> Do they apply to a single-user system ? -- if not,
> >> why is the restrictive version of the policy file installed by default
> >> rather than a warning at the end of the emerge output ?
> >
> > Good question. Checking the git log, the change was made over two
> > commits:
> > https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=02765dfc333e578af9e3fd525fc0067dc47d6528
> > https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=df7afbda6b12a68578833225e694cee011b20342
> > The commit messages point to https://www.kb.cert.org/vuls/id/332928/
> > and https://bugs.gentoo.org/664236,
> > which basically explain in more detail what Mick summarized yesterday.
>
> It looks to me like an over-reaction to a fairly unlikely exploit.
> You are protected if you don't download images from untrusted sites
> or if you don't run Ghostscript as root (who would ? ).
A remote code execution vulnerability is problematic even when "merely"
executed as your own user. I don't understand why you would think that it
only matters when run as root.
--
Marc Joliet
--
"People who think they know everything really annoy those of us who know we
don't" - Bjarne Stroustrup
* Re: [gentoo-user] ...I not allowed to make pdfs from images??????
From: Marc Joliet @ 2018-12-09 17:19 UTC
To: gentoo-user
On Sunday, 9 December 2018, 18:03:35 CET, Arve Barsnes wrote:
[...]
> More important than that, it seems the vulnerability is in
> ghostscript, and the vulnerable versions are not any longer even in
> portage, so shouldn't the change have been reverted by now?
https://bugs.gentoo.org/664236#c10
--
Marc Joliet
--
"People who think they know everything really annoy those of us who know we
don't" - Bjarne Stroustrup