[Bug 1838425] Re: FTBFS: attempt to perform an operation not allowed by the security policy `PS'

2019-08-22 Thread Launchpad Bug Tracker
This bug was fixed in the package kannel - 1.4.5-3ubuntu1

---
kannel (1.4.5-3ubuntu1) eoan; urgency=medium

  * Disable PostScript documentation generation to fix the build now
    that ImageMagick PostScript conversion is no longer permitted
    (LP: #1838425).
  * Drop Build-Depends-Indep on imagemagick since it is not required following
    the above change.

 -- Robie Basak   Wed, 31 Jul 2019 12:59:05
+

** Changed in: kannel (Ubuntu)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1838425

Title:
  FTBFS: attempt to perform an operation not allowed by the security
  policy `PS'

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/kannel/+bug/1838425/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1838425] Re: FTBFS: attempt to perform an operation not allowed by the security policy `PS'

2019-07-30 Thread Robie Basak
There was some discussion here on #ubuntu-hardened, pasted below.
Conclusion: we should resolve this by disabling PostScript documentation
for now.

14:34  mdeslaur: your security upload of imagemagick
(8:6.9.10.23+dfsg-2.1ubuntu3) is causing kannel to FTBFS when it builds
Arch: all (so amd64) because the build process uses convert to generate
PostScript and the security policy now blocks that. Any advice on how to
proceed please?

14:34  Is it acceptable to hack that during the build, for
example?

14:35  Debian unstable doesn't have the same issue. I'm not sure
if that means they resolved it differently, chose not to block by
policy, or something else.

14:37  I don't see any change for the same issue in Debian, nor
a CVE for Ubuntu, so not sure why it's being done in Ubuntu (obviously
for security, but I mean more specifically)

14:39  upstream imagemagick disabled postscript by default in
new versions, and that approach is recommended because of all the code
execution issues with postscript

14:39  rbasak: why is the kernel generating postscript? for
documentation?

14:40  Yes - I believe for docs.

14:40  Not kernel. kannel

14:40  oh, misread, one sec

14:40  AFAICT it isn't possible to override except by changing
/etc, by design, so I'd need root in the build.

14:40  (so awkward)

14:42  there's no reason kannel needs documentation in 4
different formats, my advice would be to stop generating anything other
than the html format

14:42  I'd have to maintain a delta in Ubuntu for that - it's
not an issue for Debian seemingly.

14:42  Is that something that, wearing your Ubuntu Security Team
hat, you think is justified to maintain a delta for?

14:43  definitely

14:43  OK

14:43  having the desktop automatically execute code embedded
in postscript files to generate thumbnails is crazy

14:43  Sure, I get that.

14:43  Though this case is the opposite

14:43  /usr/bin/convert doc/alligata/12-5.png
doc/alligata/12-5.ps

14:44  png -> ps should be safe.

14:44  yeah, unfortunately imagemagick doesn't allow disabling
only reading

14:44  Separately, you might consider everything done in package
builds to be safe, if it's OK to assume trusted inputs in that case (and
builds are reasonably sandboxed).

14:45  What if, for example, we added a package that provides an
override for policy.xml, and build-depended on that?

14:45  Though that would still have to be a delta, it'd be
cleaner.

14:46  Users might install that package to work around though,
so I can see an argument that it would be dangerous.

14:48  let me think about this a minute

14:50  Sure, thanks

15:02  rbasak: ok, I still think disabling all the generated
documentation beside html is the best approach to this issue.
imagemagick 7 disables ps/pdf by default so this problem is going to
happen in debian at some point too, and there doesn't seem to be a way
to override the security policy with a command line

15:03  mdeslaur: you don't like a dpkg-override via an extra
build-depends?

15:03  It would probably be worth looking into a better
solution if this impacted a bunch of packages, but kannel is the only
one I'm aware of at the moment

15:03  Oh, dpkg-divert.

15:03  OK.

15:03  I'll add a delta just disabling the .ps generation for
now. Thanks!

15:04  thanks rbasak, sorry for the trouble

15:04  No problem. The root cause is entirely reasonable. Just
an unfortunate interaction further down the road :)

15:05  yeah


** Changed in: kannel (Ubuntu)
   Status: New => Triaged

** Changed in: kannel (Ubuntu)
 Assignee: (unassigned) => Robie Basak (racb)

** Changed in: kannel (Ubuntu)
   Status: Triaged => In Progress
