...I not allowed to make pdfs from images??????

...I not allowed to make pdfs from images??????

tuxic
Hi,

from some images I want to create a pdf.
I found this commandline to do so (imagemagick):
convert 1.png 2.png 3.png result.pdf

If I do so I got this message:
convert: attempt to perform an operation not allowed by the security policy `PDF' @ error/constitute.c/IsCoderAuthorized/408.

What the heck...

How can I allow myself to work on my computer ? ;)

Cheers!
Meino





Re: ...I not allowed to make pdfs from images??????

Franz Fellner
Check your /etc/ImageMagick-7/policy.xml
But be aware of the risks, see the comment in the very same policy.xml file

On Sat, 8 Dec 2018 at 15:22, <[hidden email]> wrote:
> Hi,
>
> from some images I want to create a pdf.
> I found this commandline to do so (imagemagick):
> convert 1.png 2.png 3.png result.pdf
>
> If I do so I got this message:
> convert: attempt to perform an operation not allowed by the security policy `PDF' @ error/constitute.c/IsCoderAuthorized/408.
>
> What the heck...
>
> How can I allow myself to work on my computer ? ;)
>
> Cheers!
> Meino





Re: ...I not allowed to make pdfs from images??????

Mick-10
On Saturday, 8 December 2018 13:36:04 GMT Franz Fellner wrote:
> Check your /etc/ImageMagick-7/policy.xml
> But be aware of the risks, see the comment in the very same policy.xml file

As Franz mentioned there are ghostscript vulnerabilities you should be aware
of, which are mitigated by the /etc/ImageMagick-7/policy.xml file.  
Temporarily you could change line 60 in this file from "none" to "read|write":

 <policy domain="coder" rights="read|write" pattern="PDF" />

Don't forget to revert it to "none" when you're done.

--
Regards,
Mick

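As an added example (not code from this thread, from Gentoo, or from ImageMagick), the following Python script parses a policy.xml of the kind Mick describes, reports whether each of the Ghostscript-delegated coders may be read or written, and produces a narrowed variant. The sample policy embedded in it is constructed to mirror the default described in the thread. It grants `write` alone for PDF rather than `read|write`: ImageMagick writes PDF itself and only delegates reading PDF/PS input to Ghostscript, which is the path the linked advisory concerns, so a write-only grant covers the original poster's use case (images in, PDF out) while keeping PDF/PS input disabled. Function names and the sample policy are this example's own.

```python
"""Inspect and narrow an ImageMagick policy.xml (added example, not from the thread)."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the Gentoo default the thread describes:
# every Ghostscript-delegated coder carries rights="none".
SAMPLE_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
</policymap>
"""

# Coders ImageMagick hands to Ghostscript when reading input.
GS_DELEGATED = ("PS", "PS2", "PS3", "EPS", "PDF", "XPS")


def coder_rights(policy_xml):
    """Map each coder pattern to the set of rights the policy grants it."""
    root = ET.fromstring(policy_xml)
    rights = {}
    for entry in root.iter("policy"):
        if entry.get("domain") != "coder":
            continue
        value = entry.get("rights", "none")
        rights[entry.get("pattern")] = set() if value == "none" else set(value.split("|"))
    return rights


def allowed(policy_xml, coder, operation):
    """True if `operation` ("read" or "write") is permitted for `coder`.

    A coder with no policy entry keeps ImageMagick's default of full rights,
    which is why PNG input still works under the restrictive default policy.
    """
    rights = coder_rights(policy_xml)
    if coder not in rights:
        return True
    return operation in rights[coder]


def with_rights(policy_xml, coder, new_rights):
    """Return a copy of the policy with `coder`'s rights attribute replaced."""
    root = ET.fromstring(policy_xml)
    for entry in root.iter("policy"):
        if entry.get("domain") == "coder" and entry.get("pattern") == coder:
            entry.set("rights", new_rights)
    return ET.tostring(root, encoding="unicode")


def report(policy_xml):
    """One line per Ghostscript-delegated coder stating its read/write status."""
    lines = []
    for coder in GS_DELEGATED:
        r = "yes" if allowed(policy_xml, coder, "read") else "no"
        w = "yes" if allowed(policy_xml, coder, "write") else "no"
        lines.append(f"{coder:4} read={r} write={w}")
    return lines


if __name__ == "__main__":
    print("default policy:")
    print("\n".join(report(SAMPLE_POLICY)))
    # Narrow grant: PDF output only; PDF/PS input stays blocked.
    narrowed = with_rights(SAMPLE_POLICY, "PDF", "write")
    print("\nafter granting write-only on PDF:")
    print("\n".join(report(narrowed)))
```

Run against the real file with `coder_rights(open("/etc/ImageMagick-7/policy.xml").read())` to see what your installation currently permits; the `with_rights` output is meant to be reviewed and written back by hand, and, as Mick says, reverted once the job is done.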

Re: ...I not allowed to make pdfs from images??????

Francesco Turco
In reply to this post by tuxic
On Sat, Dec 8, 2018, at 14:23, [hidden email] wrote:
> from some images I want to create a pdf.

I successfully use img2pdf: https://gitlab.mister-muffin.de/josch/img2pdf
It's also in the main Gentoo repository.

--
https://fturco.gitlab.io/


Re: ...I not allowed to make pdfs from images??????

Marc Joliet
In reply to this post by Franz Fellner
On Saturday, 8 December 2018, 14:36:04 CET, Franz Fellner wrote:

> Check your /etc/ImageMagick-7/policy.xml
> But be aware of the risks, see the comment in the very same policy.xml file
>
> On Sat, 8 Dec 2018 at 15:22, <[hidden email]> wrote:
> > Hi,
> >
> > from some images I want to create a pdf.
> > I found this commandline to do so (imagemagick):
> > convert 1.png 2.png 3.png result.pdf
> >
> > If I do so I got this message:
> > convert: attempt to perform an operation not allowed by the security
> > policy `PDF' @ error/constitute.c/IsCoderAuthorized/408.
> >
> > What the heck...
> >
> > How can I allow myself to work on my computer ? ;)
> >
> > Cheers!
> > Meino
FTR, this is mentioned in the emerge output when installing imagemagick.  From
the 7.0.8.14 ebuild:

                elog "For security reasons, a policy.xml file was installed in /etc/ImageMagick-7"
                elog "which will prevent the usage of the following coders by default:"
                elog ""
                elog "  - PS"
                elog "  - PS2"
                elog "  - PS3"
                elog "  - EPS"
                elog "  - PDF"
                elog "  - XPS"

Did it not show for you?

--
Marc Joliet
--
"People who think they know everything really annoy those of us who know we
don't" - Bjarne Stroustrup


Re: ...I not allowed to make pdfs from images??????

Philip Webb-2
181208 Marc Joliet wrote:

> This is mentioned in the emerge output when installing imagemagick.
> From the 7.0.8.14 ebuild :
>   elog "For security reasons, a policy.xml file was installed in
>   /etc/ImageMagick-7"
>   elog "which will prevent the usage of the following coders by default:"
>   elog ""
>   elog "  - PS"
>   elog "  - PS2"
>   elog "  - PS3"
>   elog "  - EPS"
>   elog "  - PDF"
>   elog "  - XPS"

What exactly are the "security reasons" ?
Do they apply to a single-user system ? -- if not,
why is the restrictive version of the policy file installed by default
rather than a warning at the end of the emerge output ?

--
========================,,============================================
SUPPORT     ___________//___,   Philip Webb
ELECTRIC   /] [] [] [] [] []|   Cities Centre, University of Toronto
TRANSIT    `-O----------O---'   purslowatchassdotutorontodotca



Re: ...I not allowed to make pdfs from images??????

Marc Joliet
On Sunday, 9 December 2018, 11:35:16 CET, Philip Webb wrote:

> 181208 Marc Joliet wrote:
> > This is mentioned in the emerge output when installing imagemagick.
> >
> > From the 7.0.8.14 ebuild :
> >   elog "For security reasons, a policy.xml file was installed in
> >   /etc/ImageMagick-7"
> >   elog "which will prevent the usage of the following coders by default:"
> >   elog ""
> >   elog "  - PS"
> >   elog "  - PS2"
> >   elog "  - PS3"
> >   elog "  - EPS"
> >   elog "  - PDF"
> >   elog "  - XPS"
>
> What exactly are the "security reasons" ?
> Do they apply to a single-user system ? -- if not,
> why is the restrictive version of the policy file installed by default
> rather than a warning at the end of the emerge output ?
Good question.  Checking the git log, the change was made over two commits:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=02765dfc333e578af9e3fd525fc0067dc47d6528
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=df7afbda6b12a68578833225e694cee011b20342

The commit messages point to https://www.kb.cert.org/vuls/id/332928/ and
https://bugs.gentoo.org/664236, which basically explain in more detail what
Mick already summarized yesterday.

--
Marc Joliet
--
"People who think they know everything really annoy those of us who know we
don't" - Bjarne Stroustrup


Re: ...I not allowed to make pdfs from images??????

Philip Webb-2
181209 Marc Joliet wrote:

> On Sunday, 9 December 2018, 11:35:16 CET, Philip Webb wrote:
>> What exactly are the "security reasons" ?
>> Do they apply to a single-user system ? -- if not,
>> why is the restrictive version of the policy file installed by default
>> rather than a warning at the end of the emerge output ?
> Good question.  Checking the git log, the change was made over two commits:
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=02765dfc333e578af9e3fd525fc0067dc47d6528
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=df7afbda6b12a68578833225e694cee011b20342
> The commit messages point to https://www.kb.cert.org/vuls/id/332928/
> and https://bugs.gentoo.org/664236,
> which basically explain in more detail what Mick summarized yesterday.

It looks to me like an over-reaction to a fairly unlikely exploit.
You are protected if you don't download images from untrusted sites
or if you don't run Ghostscript as root (who would ? ).

It's true that you can use 'img2pdf' instead, which is perhaps the solution.

--
========================,,============================================
SUPPORT     ___________//___,   Philip Webb
ELECTRIC   /] [] [] [] [] []|   Cities Centre, University of Toronto
TRANSIT    `-O----------O---'   purslowatchassdotutorontodotca



Re: ...I not allowed to make pdfs from images??????

Arve Barsnes
On Sun, 9 Dec 2018 at 16:46, Philip Webb <[hidden email]> wrote:

>
> 181209 Marc Joliet wrote:
> > On Sunday, 9 December 2018, 11:35:16 CET, Philip Webb wrote:
> >> What exactly are the "security reasons" ?
> >> Do they apply to a single-user system ? -- if not,
> >> why is the restrictive version of the policy file installed by default
> >> rather than a warning at the end of the emerge output ?
> > Good question.  Checking the git log, the change was made over two commits:
> > https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=02765dfc333e578af9e3fd525fc0067dc47d6528
> > https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=df7afbda6b12a68578833225e694cee011b20342
> > The commit messages point to https://www.kb.cert.org/vuls/id/332928/
> > and https://bugs.gentoo.org/664236,
> > which basically explain in more detail what Mick summarized yesterday.
>
> It looks to me like an over-reaction to a fairly unlikely exploit.
> You are protected if you don't download images from untrusted sites
> or if you don't run Ghostscript as root (who would ? ).
>
> It's true that you can use 'img2pdf' instead, which is perhaps the solution.

More important than that, it seems the vulnerability is in
ghostscript, and the vulnerable versions are not any longer even in
portage, so shouldn't the change have been reverted by now?

Arve


Re: ...I not allowed to make pdfs from images??????

Marc Joliet
In reply to this post by Philip Webb-2
On Sunday, 9 December 2018, 16:46:39 CET, Philip Webb wrote:

> 181209 Marc Joliet wrote:
> > On Sunday, 9 December 2018, 11:35:16 CET, Philip Webb wrote:
> >> What exactly are the "security reasons" ?
> >> Do they apply to a single-user system ? -- if not,
> >> why is the restrictive version of the policy file installed by default
> >> rather than a warning at the end of the emerge output ?
> >
> > Good question.  Checking the git log, the change was made over two
> > commits:
> > https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=02765dfc333e578af9e3fd525fc0067dc47d6528
> > https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=df7afbda6b12a68578833225e694cee011b20342
> > The commit messages point to https://www.kb.cert.org/vuls/id/332928/
> > and https://bugs.gentoo.org/664236,
> > which basically explain in more detail what Mick summarized yesterday.
>
> It looks to me like an over-reaction to a fairly unlikely exploit.
> You are protected if you don't download images from untrusted sites
> or if you don't run Ghostscript as root (who would ? ).
A remote code execution vulnerability is problematic even when "merely"
executed as your own user.  I don't understand why you would think that it
only matters when run as root.

--
Marc Joliet
--
"People who think they know everything really annoy those of us who know we
don't" - Bjarne Stroustrup


Re: ...I not allowed to make pdfs from images??????

Marc Joliet
In reply to this post by Arve Barsnes
On Sunday, 9 December 2018, 18:03:35 CET, Arve Barsnes wrote:
[...]
> More important than that, it seems the vulnerability is in
> ghostscript, and the vulnerable versions are not any longer even in
> portage, so shouldn't the change have been reverted by now?

https://bugs.gentoo.org/664236#c10

--
Marc Joliet
--
"People who think they know everything really annoy those of us who know we
don't" - Bjarne Stroustrup
