[Bug 1810517] Re: re-enable GhostScript in ImageMagick

[Seth Arnold]

The decision to modify the default ImageMagick policy to prevent calling
Ghostscript was not made on behalf of any single flaw. There are 50
Ghostscript CVEs allocated after this bug report was opened.

PostScript was not designed to handle malicious inputs. Ghostscript was
not designed to execute malicious inputs.

We believe we made the right choice for our users in setting the default
ImageMagick policy to prevent calling into the Ghostscript coders and do
not intend to revisit this decision soon.

A local site that has decided they would rather have the feature can re-
enable it themselves if they choose to do so. I strongly recommend using
AppArmor to confine all parts of the document processing pipeline --
there's been hundreds of CVEs between ImageMagick (603 in my database)
and Ghostscript (165 in my database).

This email from Tavis Ormandy provides excellent context:
https://www.openwall.com/lists/oss-security/2018/08/21/2

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to imagemagick in Ubuntu.
https://bugs.launchpad.net/bugs/1810517

Title:
  re-enable GhostScript in ImageMagick

Status in imagemagick package in Ubuntu:
  Confirmed

Bug description:
  This security updated https://usn.ubuntu.com/3785-1/ added the
  following to /etc/ImageMagick-6/policy.xml

  <!-- disable ghostscript format types -->
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="EPI" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />

  This prevents from working with PDF, e.g. `convert file.pdf file.png`.
  It is a very common use case and is a suggested way to convert PDF to
  image on many websites, including ask.ubuntu.com

  I had to remove/comment those lines from /etc/ImageMagick-6/policy.xml
  to allow ImageMagick to work with PDF, otherwise it was:

  $ convert test1.pdf test1.png
  convert-im6.q16: not authorized `test1.pdf' @ error/constitute.c/ReadImage/412.
  convert-im6.q16: no images defined `test1.png' @ error/convert.c/ConvertImageCommand/3258.

  Can you please reenable GhostScript?
  I don't think that it is so insecure that so common use cases must be disabled, people, who do not read usn.ubuntu.com frequently, will not understand the error.

  Also, those security update disabled GhostScript on the fly; what if I
  used it on servers or for daily desktop tasks?

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: imagemagick 8:6.9.7.4+dfsg-16ubuntu6.4
  ProcVersionSignature: Ubuntu 4.15.0-43.46-generic 4.15.18
  Uname: Linux 4.15.0-43-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.5
  Architecture: amd64
  CurrentDesktop: XFCE
  Date: Fri Jan  4 15:43:09 2019
  InstallationDate: Installed on 2018-12-21 (13 days ago)
  InstallationMedia: Xubuntu 18.04.1 LTS "Bionic Beaver" - Release amd64 (20180725)
  SourcePackage: imagemagick
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1810517/+subscriptions