[Bug 1810517] Re: re-enable GhostScript in ImageMagick
** Changed in: imagemagick (Ubuntu) Status: Confirmed => Won't Fix -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1810517 Title: re-enable GhostScript in ImageMagick To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1810517/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1810517] Re: re-enable GhostScript in ImageMagick
Thanks for the context! It makes sense. Can someone with adequate rights please mark this as Won't Fix, to close the report? Thanks!
[Bug 1810517] Re: re-enable GhostScript in ImageMagick
The decision to modify the default ImageMagick policy to prevent calling Ghostscript was not made on behalf of any single flaw. There are 50 Ghostscript CVEs allocated after this bug report was opened.

PostScript was not designed to handle malicious inputs. Ghostscript was not designed to execute malicious inputs.

We believe we made the right choice for our users in setting the default ImageMagick policy to prevent calling into the Ghostscript coders and do not intend to revisit this decision soon.

A local site that has decided they would rather have the feature can re-enable it themselves if they choose to do so. I strongly recommend using AppArmor to confine all parts of the document processing pipeline -- there's been hundreds of CVEs between ImageMagick (603 in my database) and Ghostscript (165 in my database).

This email from Tavis Ormandy provides excellent context: https://www.openwall.com/lists/oss-security/2018/08/21/2

Thanks
[Bug 1810517] Re: re-enable GhostScript in ImageMagick
Although the security vulnerability in GhostScript that led to this restriction on converting to and from PostScript and PDF has been addressed in version 9.24, this restriction remains in place in at least Ubuntu and Gentoo, and an attempt to remove it in Gentoo has been stopped, apparently out of an abundance of caution: https://bugs.gentoo.org/716674.

Perhaps the Ubuntu Security Team could investigate and weigh in? It looks like a problem for them.

The vulnerability concerned the execution of code embedded in PostScript and PDF files when they are read in, for instance after they are uploaded to a web server configured to process them with GhostScript (directly or indirectly, as in the use case where they are converted to image files through ImageMagick).

If still unsafe to lift this restriction, perhaps writing to PostScript and PDF could be allowed (using rights="write" in /etc/ImageMagick-6/policy.xml), as the vulnerability only concerned reading, if I understand correctly.
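
For sites weighing the options raised in this thread (keeping the default deny, or allowing write-only access with rights="write"), the following added example, which is not part of the thread or of ImageMagick, reports the effective rights a policy.xml grants to the PostScript/PDF coders. It assumes the coder list PS, PS2, PS3, EPS, PDF and XPS, assumes that the last matching policy entry wins, and runs on a constructed sample policy.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

# Assumed list of coders covered by the restriction discussed in this thread.
GS_CODERS = ["PS", "PS2", "PS3", "EPS", "PDF", "XPS"]

# Constructed sample: deny entries plus a local write-only override for PDF.
SAMPLE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,XPS}"/>
  <policy domain="coder" rights="none" pattern="PDF"/>
  <policy domain="coder" rights="write" pattern="PDF"/>
</policymap>"""

def expand_braces(pattern):
    """Expand one {a,b,c} group into separate glob patterns."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    return [pattern[:m.start()] + alt + pattern[m.end():]
            for alt in m.group(1).split(",")]

def parse_rights(value):
    """Turn rights="read|write" into a set; "none" is empty, "all" is everything."""
    tokens = {t.strip().lower() for t in re.split(r"[|,\s]+", value) if t.strip()}
    if "all" in tokens:
        return {"read", "write", "execute"}
    return tokens - {"none"}

def effective_rights(policy_xml, coders=GS_CODERS):
    """Return {coder: set(rights)}. Assumption: the last matching entry wins."""
    result = {c: {"read", "write", "execute"} for c in coders}  # unlisted = allowed
    for pol in ET.fromstring(policy_xml).iter("policy"):
        if pol.get("domain", "").lower() != "coder":
            continue
        rights = parse_rights(pol.get("rights", "none"))
        for glob in expand_braces(pol.get("pattern", "")):
            for coder in coders:
                if fnmatch.fnmatchcase(coder, glob):
                    result[coder] = set(rights)
    return result

def readable_coders(policy_xml):
    """Coders that may still parse input files under this policy."""
    return sorted(c for c, r in effective_rights(policy_xml).items() if "read" in r)

if __name__ == "__main__":
    for coder, rights in effective_rights(SAMPLE_POLICY).items():
        print(f"{coder:4} {'|'.join(sorted(rights)) or 'none'}")
```

Passing the contents of /etc/ImageMagick-6/policy.xml to effective_rights() gives the same report for a real host; any coder returned by readable_coders() can still be handed input files.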
[Bug 1810517] Re: re-enable GhostScript in ImageMagick
** Information type changed from Public to Public Security
[Bug 1810517] Re: re-enable GhostScript in ImageMagick
In Ubuntu 20.04, ghostscript is at 9.50 (as shown by $ gs --version).

The bug for which the policy workaround was implemented was fixed in gs version 9.24 as per https://www.kb.cert.org/vuls/id/332928/

So, kindly remove ghostscript policy based mitigations.
[Bug 1810517] Re: re-enable GhostScript in ImageMagick
The underlying security issue was fixed many years ago: https://www.kb.cert.org/vuls/id/332928/

This workaround must be removed yesterday.
[Bug 1810517] Re: re-enable GhostScript in ImageMagick
I have the same errors: (Ubuntu 18.04)

--
akem@akem-HP:~$ convert 3.jpg 3.ps
convert-im6.q16: not authorized `3.ps' @ error/constitute.c/WriteImage/1037.
--

Commenting out the lines you stated in /etc/ImageMagick-6/policy.xml fixed the problem for me. Thanks.
[Bug 1810517] Re: re-enable GhostScript in ImageMagick
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: imagemagick (Ubuntu) Status: New => Confirmed