A long time ago a policy preventing conversion from PDF and PS was added to mitigate bug 664236, but that bug was fixed in Ghostscript and the versions in the tree are fixed too. I also see that other main distributions like Fedora are not applying that policy anymore. Can we then remove the policy? Thanks
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=de5c671284e02c5ce6c55e911925fbed54bb3bf4

commit de5c671284e02c5ce6c55e911925fbed54bb3bf4
Author:     Pacho Ramos <pacho@gentoo.org>
AuthorDate: 2020-04-22 22:37:53 +0000
Commit:     Pacho Ramos <pacho@gentoo.org>
CommitDate: 2020-04-22 22:43:10 +0000

    media-gfx/imagemagick: Bump to 7.0.10.3

    Also hardening is not needed for a long time

    Closes: https://bugs.gentoo.org/716674
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Pacho Ramos <pacho@gentoo.org>

 media-gfx/imagemagick/Manifest                    |   1 +
 media-gfx/imagemagick/imagemagick-7.0.10.7.ebuild | 225 ++++++++++++++++++++++
 2 files changed, 226 insertions(+)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a16dd0232d57a8b29eabb27a2afb0ae8c20a02fe

commit a16dd0232d57a8b29eabb27a2afb0ae8c20a02fe
Author:     Pacho Ramos <pacho@gentoo.org>
AuthorDate: 2020-04-22 22:33:23 +0000
Commit:     Pacho Ramos <pacho@gentoo.org>
CommitDate: 2020-04-22 22:43:08 +0000

    media-gfx/imagemagick: Hardening is not needed for a long time

    Bug: https://bugs.gentoo.org/716674
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Pacho Ramos <pacho@gentoo.org>

 media-gfx/imagemagick/imagemagick-9999.ebuild | 42 ---------------------------
 1 file changed, 42 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c03d5059039c5b0f43c019edfb541ae396162e6f

commit c03d5059039c5b0f43c019edfb541ae396162e6f
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-04-24 09:48:20 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-04-24 09:49:50 +0000

    media-gfx/imagemagick: restore hardening

    Bug: https://bugs.gentoo.org/716674
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 ....10.7.ebuild => imagemagick-7.0.10.7-r1.ebuild} | 42 ++++++++++++++++++++++
 1 file changed, 42 insertions(+)
I had to revert this. Please talk to the security project next time you are going to revert things like that: while the original vulnerability in Ghostscript was fixed in the meantime, several similar vulnerabilities in Ghostscript were found. In short: Ghostscript stays a security risk. The feature will never be safe. Any user of ImageMagick who does not care can easily install their own policy file for ImageMagick, which will override the default policy. But for all the other people, we will keep those features disabled by default. Keep in mind: imagine you are operating a Nextcloud instance. You have ImageMagick installed for some other reason on the same server. Without that policy, any user who can upload PDFs to your instance could trigger a remote code execution. So you really should opt in for that.
I would then at least explain this in the original bug 664236, because it seems most other distributions are not being so strict. That is the reason I also went ahead, as it seems we are being stricter than others (and unconditionally, not even allowing this to be switched via a USE flag).
There are actually multiple problems with the current solution, and I'd like to see at least some of them addressed:

1. The installed policy currently references a vulnerability long resolved. This is confusing to users. If the policy is supposed to still be applied based on other rationale, the comments need to be updated.

2. Why is the policy blocking converting other formats to gs formats? Are there potential vulnerabilities affecting gs output?
(In reply to Michał Górny from comment #5)
> 1. The installed policy currently references a vulnerability long resolved.
> This is confusing to users. If the policy is supposed to still be applied
> based on other rationale, the comments need to be updated.
>
> 2. Why is the policy blocking converting other formats to gs formats? Are
> there potential vulnerabilities affecting gs output?

This was never applied to address any specific vulnerability. This was a general hardening to make it harder to abuse IM to exploit vulnerabilities in other programs (in most cases GS). In short: any vulnerability in Ghostscript can be easily targeted via IM when known, because the "-SAFER" option from Ghostscript is known to be broken. The policy we installed will prevent the usage of these likely problematic formats by default (problematic because these formats allow you to embed additional code which will get happily executed when processed and can usually bypass the sandbox, i.e. -SAFER doesn't protect you). In most scenarios this is a good default because most users are unaware of the feature set these formats provide. Even if you intentionally convert a PDF to an image, you probably don't want to run the embedded stuff, which you probably don't even know exists. See https://www.slideshare.net/neexemil/hotpics-2021 for more details.

If you know, understand and accept the risk for *your* user, just drop a policy which will allow these formats in ~/.config/ImageMagick and you are no longer limited. But without that policy in place, *any* system with IM installed will provide an easy vector for full system compromise if for example GS is present...
Could you please kindly read the two points I've made? Because you seem to have pasted some boilerplate that doesn't answer either of them.
The comment is referencing the kb.cert.org document not because of the specific vulnerability but because of the mentioned details (which are still valid for the last GS vuln). Also, it is _the combination_ of kb.cert.org _and_ comments from Gentoo bug 664236. Please feel free to propose an improved comment if you believe we can do it better. Regarding your second question: yes, this can be exploited via read _and_ write. The researchers were pretty clear when they recommended disabling any processing of untrusted data via GS.
Grant me the serenity to accept the things I cannot change, the courage to change the things I can and the wisdom to know the difference.
Still, I think that "ordinary" users should not need to search around in bug reports when an otherwise expected feature does not work. So, at least, I recommend adding a "postinst" message to the ImageMagick ebuild which tells you about /etc/ImageMagick-7/policy.xml, and the possibility of overriding it in ~/.config/ImageMagick/policy.xml, in a nice, user-friendly way, i.e., with an example that may immediately solve your problem. BTW, note that the folder name in /etc/ is ImageMagick-7, but in ~/.config/ it's supposed to be ImageMagick. Inconsistencies like this one do not make things easier.
I have just hit this again in LyX: I was surprised about why on one of my computers I couldn't compile a presentation, with errors related to it being unable to convert some images to eps... then I noticed this error in the terminal:

magick: attempt to perform an operation not allowed by the security policy `EPS' @ error/constitute.c/IsCoderAuthorized/454.

and I remembered that I had forgotten to undo the policy on that new computer. Can we finally stop being the only distribution enforcing this policy that keeps breaking random reverse deps?
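Added example, not code from this bug thread, from Gentoo's ebuild, or from ImageMagick itself: a small checker that parses one or more policy.xml files and reports which rights a given coder is left with, so you can see in advance whether a conversion will fail with the "not allowed by the security policy" error quoted above. It assumes what the earlier comments describe: ImageMagick loads the system file (/etc/ImageMagick-7/policy.xml) and then the per-user file (~/.config/ImageMagick/policy.xml), and for a given coder the last matching <policy> entry decides. The two sample policy files are constructed for this example: one denies the Ghostscript-backed coders the way the hardening did, the other re-enables PDF for a single user. On a real system, compare its output against `magick -list policy` (`convert -list policy` on ImageMagick 6), which prints the entries that were actually loaded.

```python
"""Compute the effective ImageMagick coder policy from one or more policy.xml files.

Added example (not from the bug thread or from ImageMagick). Assumptions:
files are given in load order (system first, then the per-user override) and
the last matching <policy> entry for a coder wins. Verify on a real system
with `magick -list policy`.
"""
import fnmatch
import re
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Tuple

RIGHTS = ("read", "write", "execute")

# Constructed sample: a system-wide hardening policy of the kind the thread
# describes, denying the Ghostscript-backed coders outright.
SYSTEM_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <!-- disable coders that hand input to Ghostscript -->
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}" />
</policymap>
"""

# Constructed sample: a per-user override, the kind of file the thread says can
# be dropped into ~/.config/ImageMagick/policy.xml to re-enable PDF for one user.
USER_POLICY = """<policymap>
  <policy domain="coder" rights="read|write" pattern="PDF" />
</policymap>
"""


def expand_braces(pattern: str) -> List[str]:
    """Expand {a,b,c} alternatives (ImageMagick globs accept them, fnmatch does not)."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[: m.start()], pattern[m.end():]
    out: List[str] = []
    for alt in m.group(1).split(","):
        out.extend(expand_braces(head + alt + tail))
    return out


def parse_rights(value: str) -> frozenset:
    """'none' -> empty set; 'read|write' -> {'read', 'write'}."""
    parts = {p.strip().lower() for p in value.split("|")} - {"", "none"}
    unknown = parts - set(RIGHTS)
    if unknown:
        raise ValueError(f"unknown rights {sorted(unknown)}")
    return frozenset(parts)


def parse_policy(xml_text: str) -> List[Tuple[str, str, frozenset]]:
    """Return (domain, pattern, rights) for every <policy> entry, in file order."""
    root = ET.fromstring(xml_text)
    if root.tag != "policymap":
        raise ValueError("not an ImageMagick policymap")
    return [(el.get("domain", "").lower(), el.get("pattern", "*"),
             parse_rights(el.get("rights", "none")))
            for el in root.iter("policy")]


def effective_rights(policies: Iterable[str], coder: str) -> frozenset:
    """Rights left for `coder` after applying all files in load order (last match wins)."""
    rights = frozenset(RIGHTS)  # nothing matched yet: everything allowed
    for text in policies:
        for domain, pattern, r in parse_policy(text):
            if domain != "coder":
                continue
            # coder names are upper case (PDF, EPS, ...); normalise user input
            if any(fnmatch.fnmatchcase(coder.upper(), p.upper())
                   for p in expand_braces(pattern)):
                rights = r
    return rights


def is_allowed(policies: Iterable[str], coder: str, right: str = "read") -> bool:
    return right in effective_rights(list(policies), coder)


def report(policies: Iterable[str],
           coders=("PS", "EPS", "PDF", "XPS", "PNG")) -> Dict[str, str]:
    """Human-readable summary: coder -> 'read|write' or 'none'."""
    policies = list(policies)
    return {c: "|".join(sorted(effective_rights(policies, c))) or "none"
            for c in coders}


if __name__ == "__main__":
    import sys
    # Usage: python policy_check.py /etc/ImageMagick-7/policy.xml ~/.config/ImageMagick/policy.xml
    files = [open(p).read() for p in sys.argv[1:]] or [SYSTEM_POLICY, USER_POLICY]
    for coder, rights in report(files).items():
        print(f"{coder:4} {rights}")
```

With the two constructed files, PDF ends up with read|write while PS/EPS/XPS stay at none, which is exactly the LyX failure above (EPS denied) when no override is present; passing the files in the opposite order shows why load order matters.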
I hear you and I'm going to take a look at it because I agree the status quo isn't really sustainable. I'll follow up soon.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1acdac076fe0168b2dc1ea9ed4340ba5ac3cdcb1

commit 1acdac076fe0168b2dc1ea9ed4340ba5ac3cdcb1
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2023-06-09 14:41:16 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2023-06-09 14:41:37 +0000

    media-gfx/imagemagick: Drop overreaching hardening

    Closes: https://bugs.gentoo.org/716674
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 .../imagemagick/imagemagick-6.9.12.89-r1.ebuild | 229 ++++++++++++++++++++
 .../imagemagick/imagemagick-7.1.1.11-r1.ebuild  | 239 +++++++++++++++++++++
 media-gfx/imagemagick/imagemagick-9999.ebuild   |  42 ----
 3 files changed, 468 insertions(+), 42 deletions(-)
I was planning on making it conditional for USE=hardened, some other flag, and/or adding details to the wiki first.
(In reply to Sam James from comment #14)
> I was planning on making it conditional for USE=hardened, some other flag,
> and/or adding details to the wiki first.

A USE flag controlling installation of a config protected file would be a little strange.
(In reply to Ulrich Müller from comment #15)
> (In reply to Sam James from comment #14)
> > I was planning on making it conditional for USE=hardened, some other flag,
> > and/or adding details to the wiki first.
>
> A USE flag controlling installation of a config protected file would be a
> little strange.

hence "and/or". I was just listing options. Not sure it's that crazy though as it also affects the test suite and other packages. I wanted at least some README and something on the wiki.
Thanks a lot!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=643f04360ac6f258d37d6fb5e0c71868a4e0f1c5

commit 643f04360ac6f258d37d6fb5e0c71868a4e0f1c5
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-09-24 01:50:43 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-09-24 01:50:43 +0000

    media-gfx/imagemagick: add 7.1.1.18 (w/ USE=hardened)

    This adds a USE=hardened which sets the new configure arg (added between
    .15 and .18) called --with-security-policy. It defaults upstream to 'open'.

    We follow that default for USE=-hardened, but set it to 'limited' for
    USE=hardened.

    Bug: https://bugs.gentoo.org/716674
    Signed-off-by: Sam James <sam@gentoo.org>

 media-gfx/imagemagick/Manifest                    |   1 +
 media-gfx/imagemagick/imagemagick-7.1.1.18.ebuild | 247 ++++++++++++++++++++++
 2 files changed, 248 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e761b7e2e843cedc7e486e5a6351da6bc6a27572

commit e761b7e2e843cedc7e486e5a6351da6bc6a27572
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-09-24 01:42:10 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-09-24 01:42:10 +0000

    media-gfx/imagemagick: add 6.9.12.96 (w/ USE=hardened)

    This adds a USE=hardened which sets the new configure arg (added between
    .92 and .96) called --with-security-policy. It defaults upstream to 'open'.

    We follow that default for USE=-hardened, but set it to 'limited' for
    USE=hardened.

    Bug: https://bugs.gentoo.org/716674
    Signed-off-by: Sam James <sam@gentoo.org>

 media-gfx/imagemagick/Manifest                     |   1 +
 media-gfx/imagemagick/imagemagick-6.9.12.96.ebuild | 242 +++++++++++++++++++++
 2 files changed, 243 insertions(+)
Would making a new USE_EXPAND work? I'm thinking something like IMAGEMAGICK_SECURITY with choices of "open", "limited", "secure" and "websafe". The other question is, even though this is a configure switch, as far as I can tell it doesn't affect anything compile-wise; it simply swaps in one of four XML files. Does that affect anything on Gentoo's side?