Bug 716674 - media-gfx/imagemagick: hardening policy is not needed for a long time
Summary: media-gfx/imagemagick: hardening policy is not needed for a long time
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Graphics Project
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-04-08 09:47 UTC by Pacho Ramos
Modified: 2020-10-22 13:20 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Pacho Ramos gentoo-dev 2020-04-08 09:47:52 UTC
A long time ago a policy preventing conversion from PDF and PS was added to mitigate bug 664236, but that bug was fixed in ghostscript and the versions in the tree are fixed too. I also see that other main distributions like Fedora are not applying that policy anymore.

Can we then remove the policy?

Thanks
Comment 1 Larry the Git Cow gentoo-dev 2020-04-22 22:43:17 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=de5c671284e02c5ce6c55e911925fbed54bb3bf4

commit de5c671284e02c5ce6c55e911925fbed54bb3bf4
Author:     Pacho Ramos <pacho@gentoo.org>
AuthorDate: 2020-04-22 22:37:53 +0000
Commit:     Pacho Ramos <pacho@gentoo.org>
CommitDate: 2020-04-22 22:43:10 +0000

    media-gfx/imagemagick: Bump to 7.0.10.3
    
    Also hardening is not needed for a long time
    
    Closes: https://bugs.gentoo.org/716674
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Pacho Ramos <pacho@gentoo.org>

 media-gfx/imagemagick/Manifest                    |   1 +
 media-gfx/imagemagick/imagemagick-7.0.10.7.ebuild | 225 ++++++++++++++++++++++
 2 files changed, 226 insertions(+)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a16dd0232d57a8b29eabb27a2afb0ae8c20a02fe

commit a16dd0232d57a8b29eabb27a2afb0ae8c20a02fe
Author:     Pacho Ramos <pacho@gentoo.org>
AuthorDate: 2020-04-22 22:33:23 +0000
Commit:     Pacho Ramos <pacho@gentoo.org>
CommitDate: 2020-04-22 22:43:08 +0000

    media-gfx/imagemagick: Hardening is not needed for a long time
    
    Bug: https://bugs.gentoo.org/716674
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Pacho Ramos <pacho@gentoo.org>

 media-gfx/imagemagick/imagemagick-9999.ebuild | 42 ---------------------------
 1 file changed, 42 deletions(-)
Comment 2 Larry the Git Cow gentoo-dev 2020-04-24 09:51:50 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c03d5059039c5b0f43c019edfb541ae396162e6f

commit c03d5059039c5b0f43c019edfb541ae396162e6f
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-04-24 09:48:20 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-04-24 09:49:50 +0000

    media-gfx/imagemagick: restore hardening
    
    Bug: https://bugs.gentoo.org/716674
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 ....10.7.ebuild => imagemagick-7.0.10.7-r1.ebuild} | 42 ++++++++++++++++++++++
 1 file changed, 42 insertions(+)
Comment 3 Thomas Deutschmann gentoo-dev Security 2020-04-24 09:58:17 UTC
I had to revert this. Please talk to the security project next time you are going to revert things like that:

While the original vulnerability in ghostscript was fixed in the meanwhile, several similar vulnerabilities in ghostscript were found. In short: ghostscript stays a security risk. The feature will never be safe.

Any user of imagemagick who does not care can easily install their own policy file for imagemagick, which will overwrite the default policy. But for all the other people, we will keep those features disabled by default.

Keep in mind: imagine you are operating a nextcloud instance. You have imagemagick installed for some other reason on the same server. Without that policy, any user who can upload PDFs to your instance could trigger a remote code execution. So you really should opt in for that.
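The policy that this thread argues over is an ImageMagick policy.xml entry that denies the coders ImageMagick hands to the ghostscript delegate. As an added illustration (not part of the bug report or of the Gentoo ebuild), the following script audits a policy.xml and lists which ghostscript-backed coders are still reachable. The coder list (PS, PS2, PS3, EPS, PDF, XPS), the sample policy contents and the default path `/etc/ImageMagick-7/policy.xml` are assumptions made for the example; check them against your own installation.

```python
"""Audit an ImageMagick policy.xml for coders that route through ghostscript.

Added example for this bug thread; not the ebuild's own code.  It checks
whether a policy denies the coders that hand input to ghostscript, which is
the mitigation discussed in comment 3.
"""
import sys
import xml.etree.ElementTree as ET

# Assumption: these are the coders ImageMagick delegates to ghostscript and
# the ones distribution hardening policies commonly deny.
GHOSTSCRIPT_CODERS = ("PS", "PS2", "PS3", "EPS", "PDF", "XPS")

# Constructed sample in the style of a hardened distribution policy.
HARDENED_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
</policymap>
"""

# Constructed sample of a policy that only tunes resources and denies no coder.
PERMISSIVE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="resource" name="memory" value="256MiB" />
</policymap>
"""


def _expand_pattern(pattern):
    """Expand a simple brace list such as '{PS,PDF}' into individual names."""
    pattern = pattern.strip()
    if pattern.startswith("{") and pattern.endswith("}"):
        return [p.strip().upper() for p in pattern[1:-1].split(",") if p.strip()]
    return [pattern.upper()] if pattern else []


def denied_coders(policy_xml):
    """Return the set of coder names a policy denies outright (rights="none")."""
    root = ET.fromstring(policy_xml)
    denied = set()
    for policy in root.iter("policy"):
        if policy.get("domain", "").lower() != "coder":
            continue
        if policy.get("rights", "").strip().lower() != "none":
            continue
        denied.update(_expand_pattern(policy.get("pattern", "")))
    return denied


def unguarded_ghostscript_coders(policy_xml):
    """List ghostscript-backed coders the policy still allows ImageMagick to use."""
    denied = denied_coders(policy_xml)
    if "*" in denied:  # a wildcard deny blocks every coder
        return []
    return [c for c in GHOSTSCRIPT_CODERS if c not in denied]


def audit_file(path):
    """Audit a policy file on disk and return the unguarded coder names."""
    with open(path, encoding="utf-8") as fh:
        return unguarded_ghostscript_coders(fh.read())


if __name__ == "__main__":
    # Assumed default location; pass another path as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/ImageMagick-7/policy.xml"
    open_coders = audit_file(target)
    if open_coders:
        print(f"{target}: ghostscript-backed coders still enabled: {open_coders}")
        sys.exit(1)
    print(f"{target}: all ghostscript-backed coders denied")
```

Run it against the system policy, or against a site-specific policy that overrides the distribution default as comment 3 describes, to confirm which coders an upload of a PDF or PostScript file would actually reach.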
Comment 4 Pacho Ramos gentoo-dev 2020-04-25 08:15:01 UTC
I would then at least explain this in the original bug 664236, because it seems most other distributions are not being so strict. That is the reason I also went ahead, as it seems we are being stricter than others (and unconditionally, not even allowing switching this via a USE flag).