Bug 716674 - media-gfx/imagemagick: hardening policy is wrong
Summary: media-gfx/imagemagick: hardening policy is wrong
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Codec Project
Reported: 2020-04-08 09:47 UTC by Pacho Ramos
Modified: 2022-04-04 10:06 UTC
Description Pacho Ramos gentoo-dev 2020-04-08 09:47:52 UTC
A long time ago a policy preventing conversion from PDF and PS was added to mitigate bug 664236, but that bug was fixed in ghostscript and the versions in the tree are fixed too. I also see other main distributions like Fedora are not applying that policy anymore.

Can we then remove the policy?

Thanks
Comment 1 Larry the Git Cow gentoo-dev 2020-04-22 22:43:17 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=de5c671284e02c5ce6c55e911925fbed54bb3bf4

commit de5c671284e02c5ce6c55e911925fbed54bb3bf4
Author:     Pacho Ramos <pacho@gentoo.org>
AuthorDate: 2020-04-22 22:37:53 +0000
Commit:     Pacho Ramos <pacho@gentoo.org>
CommitDate: 2020-04-22 22:43:10 +0000

    media-gfx/imagemagick: Bump to 7.0.10.3
    
    Also hardening is not needed for a long time
    
    Closes: https://bugs.gentoo.org/716674
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Pacho Ramos <pacho@gentoo.org>

 media-gfx/imagemagick/Manifest                    |   1 +
 media-gfx/imagemagick/imagemagick-7.0.10.7.ebuild | 225 ++++++++++++++++++++++
 2 files changed, 226 insertions(+)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a16dd0232d57a8b29eabb27a2afb0ae8c20a02fe

commit a16dd0232d57a8b29eabb27a2afb0ae8c20a02fe
Author:     Pacho Ramos <pacho@gentoo.org>
AuthorDate: 2020-04-22 22:33:23 +0000
Commit:     Pacho Ramos <pacho@gentoo.org>
CommitDate: 2020-04-22 22:43:08 +0000

    media-gfx/imagemagick: Hardening is not needed for a long time
    
    Bug: https://bugs.gentoo.org/716674
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Pacho Ramos <pacho@gentoo.org>

 media-gfx/imagemagick/imagemagick-9999.ebuild | 42 ---------------------------
 1 file changed, 42 deletions(-)
Comment 2 Larry the Git Cow gentoo-dev 2020-04-24 09:51:50 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c03d5059039c5b0f43c019edfb541ae396162e6f

commit c03d5059039c5b0f43c019edfb541ae396162e6f
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-04-24 09:48:20 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-04-24 09:49:50 +0000

    media-gfx/imagemagick: restore hardening
    
    Bug: https://bugs.gentoo.org/716674
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 ....10.7.ebuild => imagemagick-7.0.10.7-r1.ebuild} | 42 ++++++++++++++++++++++
 1 file changed, 42 insertions(+)
Comment 3 Thomas Deutschmann gentoo-dev 2020-04-24 09:58:17 UTC
I had to revert this. Please talk to the security project next time you are going to revert things like that:

While the original vulnerability in ghostscript was fixed in the meantime, several similar vulnerabilities in ghostscript were found. In short: ghostscript stays a security risk. The feature will never be safe.

Any user of imagemagick who does not care can easily install their own policy file for imagemagick, which will overwrite the default policy. But for all the other people, we will keep those features disabled by default.

Keep in mind: Imagine you are operating a nextcloud instance. You have imagemagick installed for some other reason on the same server. Without that policy, any user who can upload PDFs to your instance could trigger a remote code execution. So you really should opt in for that.
Comment 4 Pacho Ramos gentoo-dev 2020-04-25 08:15:01 UTC
I would then at least explain this in the original bug 664236, because it seems most other distributions are not being so strict. That is the reason I also went ahead, as it seems we are being stricter than others (and unconditionally, not even allowing to switch this via a USE flag).
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-01-26 07:31:47 UTC
There are actually multiple problems with the current solution, and I'd like to see at least some of them addressed:

1. The installed policy currently references a vulnerability long resolved.  This is confusing to users.  If the policy is supposed to still be applied based on other rationale, the comments need to be updated.

2. Why is the policy blocking converting other formats to gs formats?  Are there potential vulnerabilities affecting gs output?
Comment 6 Thomas Deutschmann gentoo-dev 2022-01-26 13:51:51 UTC
(In reply to Michał Górny from comment #5)
> 1. The installed policy currently references a vulnerability long resolved. 
> This is confusing to users.  If the policy is supposed to still applied
> based on other rationale, the comments need to be updated.
> 
> 2. Why is the policy blocking converting other formats to gs formats?  Are
> there potential vulnerabilities affecting gs output?

This was never applied to address any specific vulnerability. This was a general hardening to make it harder to abuse IM to exploit vulnerabilities in other programs (in most cases GS).

In short: Any vulnerability in Ghostscript can be easily targeted via IM when known because "-SAFER" option from Ghostscript is known to be broken.

The policy we installed will prevent the usage of these likely problematic formats by default (problematic because these formats allow you to embed additional code which will get happily executed when processed and can usually bypass the sandbox, i.e. -SAFER doesn't protect you).

In most scenarios this is a good default because most users are unaware of the feature set these formats provide. Even if you intentionally convert a PDF to an image, you probably don't want to run the embedded stuff, which you probably don't even know exists.

See https://www.slideshare.net/neexemil/hotpics-2021 for more details.


If you know, understand and accept the risk for *your* user, just drop a policy which will allow these formats in ~/.config/ImageMagick and you are no longer limited. But without that policy in place, *any* system with IM installed will provide an easy vector for full system compromise if for example GS is present...
Comment 7 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-01-26 15:35:39 UTC
Could you please kindly read the two points I've made?  Because you seem to have pasted some boilerplate that doesn't answer either of them.
Comment 8 Thomas Deutschmann gentoo-dev 2022-01-26 17:41:14 UTC
The comment is referencing the kb.cert.org document not because of the specific vulnerability but because of the mentioned details (which are still valid for last GS vuln). Also, it is _the combination_ with kb.cert.org _and_ comments from Gentoo bug 664236.

Please feel free to propose an improved comment if you believe we can do it better.


Regarding your second question: Yes, this can be exploited via read _and_ write. The researchers were pretty clear when they recommended to disable any processing of untrusted data via GS.
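Added example (not code from this bug or from Gentoo's ebuild): a small checker for the policy.xml mechanism that comments 6 and 8 describe, run against a constructed policy that denies both read and write for the coders ImageMagick hands to Ghostscript. The coder list, the fnmatch-style glob matching and the "any matching rule that lacks the right denies" evaluation are assumptions that approximate ImageMagick's behaviour, not its source.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample in the style of the policy discussed in the thread:
# deny every right to coders that go through the Ghostscript delegate.
HARDENED_POLICY = """<policymap>
  <!-- Ghostscript-backed formats; embedded PostScript can escape -dSAFER -->
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
</policymap>
"""

# Assumed list of coders ImageMagick delegates to Ghostscript.
GS_CODERS = ("PS", "PS2", "PS3", "EPS", "PDF", "XPS")
ALL_RIGHTS = {"read", "write", "execute"}

def parse_policy(xml_text):
    """Return (domain, pattern, granted-rights set) for each <policy> element."""
    rules = []
    for node in ET.fromstring(xml_text).iter("policy"):
        words = node.get("rights", "").lower().replace("|", " ").split()
        granted = set()
        for word in words:  # "none" grants nothing, "all" grants everything
            granted |= ALL_RIGHTS if word == "all" else ({word} - {"none"})
        rules.append((node.get("domain"), node.get("pattern", "*"), granted))
    return rules

def is_allowed(rules, domain, name, right):
    """Assumed approximation of ImageMagick's check: every rule whose domain and
    glob pattern match the name must grant the right, else the request is denied."""
    for rule_domain, pattern, granted in rules:
        if rule_domain == domain and fnmatch.fnmatchcase(name.upper(), pattern.upper()):
            if right not in granted:
                return False
    return True

def unblocked_gs_coders(xml_text):
    """Ghostscript-backed coders the policy still lets ImageMagick read or write."""
    rules = parse_policy(xml_text)
    return [c for c in GS_CODERS
            if is_allowed(rules, "coder", c, "read")
            or is_allowed(rules, "coder", c, "write")]

if __name__ == "__main__":
    print("coders still reaching Ghostscript:", unblocked_gs_coders(HARDENED_POLICY) or "none")
```

Pointing `unblocked_gs_coders` at a real `policy.xml` shows whether a read-only or write-only rule leaves one direction open, which is the gap comment 8 warns about.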
Comment 9 Andreas K. Hüttel archtester gentoo-dev 2022-02-28 23:05:37 UTC
Grant me the serenity to accept the things I cannot change, the courage to change the things I can and the wisdom to know the difference.