#964090 Error when converting from "jpg" to "pdf" since security upgrade "8:6.9.10.23+dfsg-2.1+deb10u1"

Package:
imagemagick
Source:
imagemagick
Description:
image manipulation programs -- binaries
Submitter:
Alex ARNAUD
Date:
2022-06-23 13:48:03 UTC
Severity:
important
Tags:
#964090#5
Date:
2020-07-01 15:21:17 UTC
From:
To:
Hello,

Since the upgrade from imagemagick from "8:6.9.10.23+dfsg-2.1" to
"8:6.9.10.23+dfsg-2.1+deb10u1" I obtain an error when converting an
image from jpg to pdf.

I execute the following command-line:

And I obtain the following error:

It makes the program I use to read my mail through OCR (I'm
visually impaired) fail at the mentioned command. I was forced to
downgrade to make it work again.

Best regards,
Alex.

#964090#10
Date:
2020-07-05 15:25:50 UTC
From:
To:
Hello,

I found that I had to comment out the following line inside
/etc/ImageMagick-6/policy.xml to make image->PDF conversion work again:

<policy domain="coder" rights="none" pattern="PDF" />

Is this because of a ghostscript vulnerability? Could this please be
re-enabled as soon as that issue is fixed, and I also suggest
mentioning it in the NEWS file for imagemagick. I guess the possible
risk of attack is very different between web servers and untrusted
input, and desktop users?

Thank you,
Viktor.
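As an added example (not code from this bug report or from the imagemagick package), a small Python checker that parses a policy.xml like the one above and reports which coders are fully denied and whether a given right (e.g. writing PDF) is permitted. The two embedded policy fragments are constructed samples, the path is the buster one named in the thread, and the rule "a coder with no matching entry is unrestricted; any matching entry lacking the right denies it" is my reading of ImageMagick's policy check, stated here as an assumption.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample resembling the coder section of a buster policy.xml after +deb10u1.
RESTRICTED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
  <policy domain="coder" rights="read" pattern="GIF" />
</policymap>
"""

# The same file after the local edit described in the thread: the PDF line commented out.
RELAXED_POLICY = RESTRICTED_POLICY.replace(
    '<policy domain="coder" rights="none" pattern="PDF" />',
    '<!-- <policy domain="coder" rights="none" pattern="PDF" /> -->')

def coder_policies(policy_xml):
    """Return (PATTERN, set_of_rights) for every domain="coder" entry, in file order.
    rights="none" (or a missing rights attribute) yields the empty set."""
    entries = []
    for pol in ET.fromstring(policy_xml).iter("policy"):  # XML comments are skipped
        if pol.get("domain", "").lower() != "coder" or not pol.get("pattern"):
            continue
        rights = pol.get("rights", "none").lower()
        rset = set() if rights == "none" else {r.strip() for r in rights.split("|")}
        entries.append((pol.get("pattern").upper(), rset))
    return entries

def coder_allowed(policy_xml, coder, right="write"):
    """Assumption: unrestricted unless a matching entry (patterns may be globs like "*")
    lacks `right` ("read"/"write"/"execute")."""
    for pattern, rset in coder_policies(policy_xml):
        if fnmatch.fnmatchcase(coder.upper(), pattern) and right not in rset:
            return False
    return True

def denied_coders(policy_xml):
    """Coder patterns that are fully disabled (rights="none")."""
    return sorted(p for p, r in coder_policies(policy_xml) if not r)

if __name__ == "__main__":  # stand-alone use: inspect a real file
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ImageMagick-6/policy.xml"
    text = open(path, encoding="utf-8").read()
    print("denied:", denied_coders(text), "PDF write allowed:", coder_allowed(text, "PDF"))
```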

#964090#17
Date:
2020-07-25 18:25:49 UTC
From:
To:
Additional information from upstream at
https://imagemagick.org/discourse-server/viewtopic.php?t=36287
suggests it was disabled because of something in ghostscript 9.26.

I think buster already has 9.27 from security so I think we could update
the imagemagick default configuration. Is there good reason not to?

Thanks,

#964090#22
Date:
2020-10-07 20:15:23 UTC
From:
To:
Hi,

The PDF policy restriction is also in effect on Debian stable even
though that release ships with Ghostscript 9.27, which online sources
suggest is safe. [1]

Converting images to PDF is a very common functionality. Please
provide a backport with the attached patch, or similar. Thanks!

Kind regards
Felix Lechner

[1] https://stackoverflow.com/questions/52998331/imagemagick-security-policy-pdf-blocking-conversion

#964090#31
Date:
2020-12-10 11:28:48 UTC
From:
To:
Another package negatively affected with the current restrictions
is lyx - see bugs 911236 and 975678.

PDF and EPS coders need to be allowed for normal functionality.

Pavel

#964090#36
Date:
2020-12-13 20:19:42 UTC
From:
To:
Hi,

Cc'ing the security-team alias.

It is actually unlikely for the moment that we will revert the
200-disable-ghostscript-formats.patch patch again, which was first
included in the 8:6.9.10.23+dfsg-2.1+deb10u1 upload. It does mitigate
in general problems with the ghostscript handled formats, e.g. the
(new) CVE-2020-29599, cf.
https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html

We follow here only what other distributions have done earlier, I
believe SuSE has such and as well Ubuntu, from which the mentioned
patch was actually merged in the last update, TTBOMK.

Regards,
Salvatore

#964090#41
Date:
2020-12-15 09:32:25 UTC
From:
To:
Hi,

I agree with Salvatore that in general disabling PDF is the safer solution.

I am slowly recovering from work debt due to the COVID-19 lockdown in
France (I was locked down three months, and I could only work by night
for my paid job so Debian work was not done), but I will accept a patch.

The solution of this tradeoff problem is a debconf question. I will accept a patch.

Bastien

#964090#46
Date:
2020-12-15 11:20:52 UTC
From:
To:
Yeah, this was intentional, but I missed an entry for this in debian/changelog.

I don't think we need debconf here, policy.xml is a conffile, which can be edited locally
if one accepts the risk or uses Ghostscript with trusted input only.

Cheers,
        Moritz

#964090#51
Date:
2020-12-15 12:27:02 UTC
From:
To:
Does this only affect ghostscript or any action involving external commands?

Why is backtick in the whitelist?

I don't feel that is a great reason. We wouldn't have debs and so on if it was generally applicable.

Hope that helps,
MJR (mobile)

#964090#56
Date:
2021-03-02 11:42:30 UTC
From:
To:
Hello!

As I ran into this issue I am giving here a short summary of what I
understand, so that others don't have to re-read everything:

AFAIU, there are two issues, one is related to Ghostscript, and one to
ImageMagick itself.

Ghostscript
===========

According to https://www.kb.cert.org/vuls/id/332928/ the issue is
addressed in Ghostscript 9.24.

Except for Debian old-old-stable, Debian does ship versions above 9.24:
https://tracker.debian.org/pkg/ghostscript

ImageMagick
===========

Issue described here:
https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html

This is fixed in ImageMagick 6.9.11 and later, which is available in
Bullseye but not earlier versions of Debian.

Current status reflected there:
https://security-tracker.debian.org/tracker/CVE-2020-29599


  - ulrike

#964090#61
Date:
2021-04-26 20:51:11 UTC
From:
To:
Hello,

According to the above, and all I've read, the
security issue that blocked operations on PDFs
is no longer present in bullseye.  Not in
gs and not in imagemagick.

Unless there's some new security issue
please revert the patch and close this bug to
make functionality available.

Regards,

Karl <kop@karlpinc.com>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein

#964090#66
Date:
2021-12-23 10:55:40 UTC
From:
To:
Dear Maintainer,

I am still running into this issue when using pdfsandwich to do automatic ocr
on my pdf files.

Since the security issues seem to be fixed, I would also appreciate allowing
editing of pdfs by default again.

Thanks for your efforts!

Regards from Germany,
MGies

#964090#71
Date:
2022-06-23 13:44:17 UTC
From:
To:
Still getting this error in 2022, despite the bug having been closed years
ago, and having never existed in Debian stable.

34710,4> mogrify -format pdf -- *png
mogrify-im6.q16: attempt to perform an operation not allowed by the security policy `PDF' @ error/constitute.c/IsCoderAuthorized/421.
This makes the package rather useless for the vast majority of uses, which
is converting trusted data.  We're not all running public facing
webservers accepting unsanitised data from the public.  Some of us use our
computers to do useful things too.