8:6.8.9.9-7ubuntu5.13 breaks convert with no explanation

Bug #1796563 reported by Steve Dodd
This bug affects 34 people
Affects: imagemagick (Ubuntu) | Status: Confirmed | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

8:6.8.9.9-7ubuntu5.13 breaks the convert command as used by my home-brew document management system:

$ convert -density 200 -quality 40 null: 10-07-dvla.pdf 10-07-dvla.jpg
convert: not authorized `10-07-dvla.pdf' @ error/constitute.c/ReadImage/412.

I appreciate that this is likely a security fix for something, but I can find no useful information in the changelog.Debian or NEWS files on what has changed, and what I should do to restore previous functionality.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: imagemagick 8:6.8.9.9-7ubuntu5.13
ProcVersionSignature: Ubuntu 4.15.0-33.36-generic 4.15.18
Uname: Linux 4.15.0-33-generic x86_64
NonfreeKernelModules: qnx4 hfsplus hfs minix ntfs jfs i915 snd_hda_codec_hdmi intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp snd_hda_codec_realtek snd_hda_codec_generic dcdbas snd_hda_intel snd_hda_codec snd_hda_core intel_cstate dell_wmi intel_rapl_perf dell_smbios_wmi dell_smbios wmi_bmof sparse_keymap dell_wmi_descriptor cp210x usbserial mei_me mei shpchp intel_pch_thermal mac_hid vhci_hcd usbip_core r8169 wmi
ApportVersion: 2.20.1-0ubuntu2.18
Architecture: amd64
CurrentDesktop: XFCE
Date: Sun Oct 7 14:35:08 2018
InstallationDate: Installed on 2017-01-08 (637 days ago)
InstallationMedia: Xubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
SourcePackage: imagemagick
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
Theo Linkspfeifer (lastonestanding) wrote :

The package changelog mentions this:

* SECURITY UPDATE: code execution vulnerabilities in ghostscript as
  invoked by imagemagick
  - debian/patches/200-disable-ghostscript-formats.patch: disable
    ghostscript handled types by default in policy.xml

https://bugs.launchpad.net/ubuntu/+source/imagemagick/8:6.8.9.9-7ubuntu5.13

Revision history for this message
Steve Dodd (anarchetic) wrote :

Yeah, but it's not immediately obvious if you're not familiar with imagemagick internals (I certainly didn't know what policy.xml was), and it's part of 70 lines of changes.

Given this is flat out disabling a big chunk of functionality in something frequently used as part of other programs / scripts, in an LTS release, a mention in NEWS or README or something might be an idea. Or at least a more verbose changelog entry.

Is this the recommended long-term solution to whatever the underlying vulnerability is, or is it a stop-gap until something else - I assume ghostscript - is properly patched?

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in imagemagick (Ubuntu):
status: New → Confirmed
tags: added: regression-security
Revision history for this message
Sadi Yumuşak (sa-yu) wrote :

I guess this shows that I suffer from the same issue when trying to convert image file(s) to pdf:

8:6.9.7.4+dfsg-16ubuntu6.4

convert-im6.q16: not authorized `filename.pdf' @ error/constitute.c/WriteImage/1037.

Revision history for this message
Steve Dodd (anarchetic) wrote :

Sadi, if you're willing to take the risk, you can comment out the appropriate line in /etc/ImageMagick-6/policy.xml ..

Revision history for this message
Amir (amiryal) wrote :

Here is an alternative to `convert document.pdf image.jpg`:

    pdftoppm -jpeg document.pdf image

Note: pdftoppm comes from the poppler-utils package.
Note: the generated output path is not 1:1 with convert, so adjust any scripts that use it.

Can someone suggest an alternative to the reverse operation, `convert image.jpg document.pdf`? Thanks!

Revision history for this message
Steve Dodd (anarchetic) wrote : Re: [Bug 1796563] Re: 8:6.8.9.9-7ubuntu5.13 breaks convert with no explanation

img2pdf seems to do the job for the reverse operation nicely...

S.


Revision history for this message
Tim Donohue (tdonohue) wrote :

For what it's worth, we ran into this issue today as well. It looks like the related Ghostscript vulnerability is detailed here: https://www.kb.cert.org/vuls/id/332928

While the release notes are not exactly *clear*, Ghostscript v9.25 seems to make reference to fixing some vulnerabilities of this sort: https://www.ghostscript.com/doc/9.25/News.htm

Just adding in this information in case it's helpful to others encountering this. I admit, I have no verification that Ghostscript v9.25 fixes the vulnerability. So, only comment out these new ImageMagick configurations at your own risk.

Revision history for this message
Shashank VRSN Sabniveesu (fossterer) wrote :

Hello,

I am running Ubuntu 18.04.2 LTS (bionic) with ghostscript version 9.26.

Per the document https://www.kb.cert.org/vuls/id/332928/, the vulnerability in question seems to have been fixed in version 9.24 itself.

Isn't it time to have the policy.xml changes adjusted and any other changes done as required so the 'convert (to PDF)' starts working as always?

I'm interested in doing the work and any related tests if availability is the only concern here. Would someone kindly guide me in that case?

Thanks,
Shashank

Revision history for this message
Seb Bonnard (sebma) wrote :

As a workaround, you can type this command (according to https://askubuntu.com/a/1175736/426176 , thanks to N0rbert from askubuntu) :

sudo sed -i 's#<policy domain="coder" rights="none" pattern="PDF" />#<policy domain="coder" rights="read|write" pattern="PDF" />#' /etc/ImageMagick-6/policy.xml
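Added example, not from the bug report, the askubuntu answer or the Ubuntu package: a small POSIX shell script that inspects and adjusts the coder policy lines which the security update quoted in the changelog above added to /etc/ImageMagick-6/policy.xml, as a slightly safer alternative to the one-line sed workaround above. The sample policy.xml it builds is constructed here; the PDF line is the exact form quoted in the workaround, and the PS, EPS and XPS lines are assumed to follow the same form. The security-relevant point it encodes: ImageMagick only invokes Ghostscript when it *reads* PostScript, EPS or PDF input, so a workflow that only writes PDFs from raster images (the image-to-PDF case reported above, which failed in WriteImage) can get by with rights="write" and never re-opens the Ghostscript input path; rights="read" or "read|write" is what puts the unpatched Ghostscript back in reach of untrusted documents.

```shell
#!/bin/sh
# Added example (not code from the bug report or the imagemagick package).
# Inspect and adjust <policy domain="coder" .../> lines in an ImageMagick-6
# policy.xml without hand-editing the file.
set -eu

# Constructed sample policy.xml. The PDF line is the form quoted in the
# thread; the PS/EPS/XPS lines are assumed to follow the same form.
make_sample_policy() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <!-- coder policies added by the Ubuntu security update (assumed set) -->
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
</policymap>
EOF
}

# policy_rights FILE PATTERN
# Print the rights attribute of the coder policy for PATTERN (e.g. PDF).
# Prints "unrestricted" when no policy line matches: ImageMagick allows a
# coder unless a policy explicitly denies it.
policy_rights() {
    file=$1; pattern=$2
    rights=$(sed -n "s#.*<policy domain=\"coder\" rights=\"\([^\"]*\)\" pattern=\"$pattern\" */>.*#\1#p" "$file")
    if [ -z "$rights" ]; then
        echo unrestricted
    else
        echo "$rights"
    fi
}

# set_policy_rights FILE PATTERN RIGHTS
# Rewrite the rights attribute for PATTERN to RIGHTS. Use the minimum the
# workflow needs: "write" is enough for convert image.jpg doc.pdf and does
# not involve Ghostscript; "read" or "read|write" re-enables the Ghostscript
# input path that the security update disabled. Written via a temp file so
# it works with any sed, not only GNU sed -i.
set_policy_rights() {
    file=$1; pattern=$2; rights=$3
    tmp=$(mktemp)
    sed "s#<policy domain=\"coder\" rights=\"[^\"]*\" pattern=\"$pattern\" */>#<policy domain=\"coder\" rights=\"$rights\" pattern=\"$pattern\" />#" "$file" > "$tmp"
    mv "$tmp" "$file"
}

# Demonstration on the constructed file (run against a copy of the real
# /etc/ImageMagick-6/policy.xml once you are happy with the result).
demo() {
    f=$(mktemp)
    make_sample_policy "$f"
    echo "PDF before: $(policy_rights "$f" PDF)"
    set_policy_rights "$f" PDF write
    echo "PDF after:  $(policy_rights "$f" PDF)"
    echo "PS:         $(policy_rights "$f" PS)"
    echo "JPEG:       $(policy_rights "$f" JPEG)"
    rm -f "$f"
}
demo
```

After changing the live file, `convert -list policy` shows what the installed ImageMagick actually loaded, and `gs --version` tells you whether the local Ghostscript is at or past the 9.24 that the CERT note cites before you consider granting `read` on the Ghostscript-handled formats at all.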
