There was some discussion here on #ubuntu-hardened, pasted below. Conclusion: we should resolve this by disabling PostScript documentation for now.
14:34 <rbasak> mdeslaur: your security upload of imagemagick (8:6.9.10.23+dfsg-2.1ubuntu3) is causing kannel to FTBFS when it builds Arch: all (so amd64) because the build process uses convert to generate PostScript and the security policy now blocks that. Any advice on how to proceed please? 14:34 <rbasak> Is it acceptable to hack that during the build, for example? 14:35 <rbasak> Debian unstable doesn't have the same issue. I'm not sure if that means they resolved it differently, chose not to block by policy, or something else. 14:37 <rbasak> I don't see any change for the same issue in Debian, nor a CVE for Ubuntu, so not sure why it's being done in Ubuntu (obviously for security, but I mean more specifically) 14:39 <mdeslaur> upstream imagemagick disabled postscript by default in new versions, and that approach is recommended because of all the code execution issues with postscript 14:39 <mdeslaur> rbasak: why is the kernel generating postscript? for documentation? 14:40 <rbasak> Yes - I believe for docs. 14:40 <rbasak> Not kernel. kannel 14:40 <mdeslaur> oh, misread, one sec 14:40 <rbasak> AFAICT it isn't possible to override except by changing /etc, by design, so I'd need root in the build. 14:40 <rbasak> (so awkward) 14:42 <mdeslaur> there's no reason kannel needs documentation in 4 different formats, my advice would be to stop generating anything other than the html format 14:42 <rbasak> I'd have to maintain a delta in Ubuntu for that - it's not an issue for Debian seemingly. 14:42 <rbasak> Is that something that, wearing your Ubuntu Security Team hat, you think is justified to maintain a delta for? 14:43 <mdeslaur> definitely 14:43 <rbasak> OK 14:43 <mdeslaur> having the desktop automatically execute code embedded in postscript files to generate thumbnails is crazy 14:43 <rbasak> Sure, I get that. 14:43 <rbasak> Though this case is the opposite 14:43 <rbasak> /usr/bin/convert doc/alligata/12-5.png doc/alligata/12-5.ps 14:44 <rbasak> png -> ps should be safe. 14:44 <mdeslaur> yeah, unfortunately imagemagick doesn't allow disable only reading 14:44 <rbasak> Separately, you might consider everything done in package builds to be safe, if it's OK to assume trusted inputs in that case (and builds are reasonably sandboxed). 14:45 <rbasak> What if, for example, we added a package that provides an override for policy.xml, and build-depended on that? 14:45 <rbasak> Though that would still have to be a delta, it'd be cleaner. 14:46 <rbasak> Users might install that package to work around though, so I can see an argument that it would be dangerous. 14:48 <mdeslaur> let me think about this a minute 14:50 <rbasak> Sure, thanks 15:02 <mdeslaur> rbasak: ok, I still think disabling all the generated documentation beside html is the best approach to this issue. imagemagick 7 disables ps/pdf by default so this problem is going to happen in debian at some point too, and there doesn't seem to be a way to override the security policy with a command line 15:03 <rbasak> mdeslaur: you don't like a dpkg-override via an extra build-depends? 15:03 <mdeslaur> It would probably be worth looking into a better solution if this impacted a bunch of packages, but kannel is the only one I'm aware of at the moment 15:03 <rbasak> Oh, dpkg-divert. 15:03 <rbasak> OK. 15:03 <rbasak> I'll add a delta just disabling the .ps generation for now. Thanks! 15:04 <mdeslaur> thanks rbasak, sorry for the trouble 15:04 <rbasak> No problem. The root cause is entirely reasonable. Just an unfortunate interaction further down the road :) 15:05 <mdeslaur> yeah ** Changed in: kannel (Ubuntu) Status: New => Triaged ** Changed in: kannel (Ubuntu) Assignee: (unassigned) => Robie Basak (racb) ** Changed in: kannel (Ubuntu) Status: Triaged => In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1838425 Title: FTBFS: attempt to perform an operation not allowed by the security policy `PS' To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kannel/+bug/1838425/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs