Bug#987504: imagemagick: attempt to perform an operation not allowed by the security policy `EPS'

2021-06-03 Thread Moritz Mühlenhoff
On Wed, May 19, 2021 at 08:49:01PM +0200, Paul Gevers wrote:
> Hi,
> 
> First off, thanks Adrian for raising the concern. In general, at this
> stage we don't like packages breaking other packages.

This should have been fixed in unstable for a long time, I pinged the maintainer
multiple times even. imagemagick badly needs co-maintainers, the current state
is not sustainable at all. imagemagick only saw one maintainer upload in 2020...

> If I understand correctly, not having this patch in bullseye can be
> considered a security regression.

Yes, we should not revert this and rather fix fallout in the handful
of affected packages. This patch e.g. prevented the exploitability of
https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html
and will prevent other issues in the future.

Cheers,
 Moritz



Bug#987504: imagemagick: attempt to perform an operation not allowed by the security policy `EPS'

2021-05-19 Thread Paul Gevers
Hi,

First off, thanks Adrian for raising the concern. In general, at this
stage we don't like packages breaking other packages.

On 28-04-2021 13:19, Adrian Bunk wrote:
>> No time for a more lengthy reply to this right now, but our point was
>> exactly to bring the same patch (already applied in the last DSA) as
>> well in bullseye's version as this was missing and discussed back then
>> and recently with the maintainer as well.
>>
>> If this is not the case yet, are bugs filed against those packages
>> you found to be failing to build now due to this change in stable and
>> unstable?
> 
> my question was exactly how to move forward here.

If I understand correctly, not having this patch in bullseye can be
considered a security regression.

> If everyone (including the release team) agrees that the imagemagick 
> change should stay and RC bugs be filed, I can do the bug filing.

I don't speak on behalf of the stable release managers, but I estimate
that they'll take fixes in stable for this issue too. So, if these bugs
aren't filed already (I would expect they may already be found and filed
because of rebuild campaigns or reproducible build failures), let's have
them filed (and fixed obviously). If they could be marked as blocking
this bug that would be great, such that we can judge what the progress
is to see when we want to let imagemagick into bullseye.

Paul





Bug#987504: imagemagick: attempt to perform an operation not allowed by the security policy `EPS'

2021-04-28 Thread Adrian Bunk
On Wed, Apr 28, 2021 at 06:43:02AM +0200, Salvatore Bonaccorso wrote:
> Hi Adrian,

Hi Salvatore,

> On Sat, Apr 24, 2021 at 11:20:43PM +0300, Adrian Bunk wrote:
>...
> > Options are either reverting the imagemagick change or fixing
> > the packages that got broken in bullseye and buster.
> > 
> > Security and release teams are Cc'ed.
> 
> No time for a more lengthy reply to this right now, but our point was
> exactly to bring the same patch (already applied in the last DSA) as
> well in bullseye's version as this was missing and discussed back then
> and recently with the maintainer as well.
> 
> If this is not the case yet, are bugs filed against those packages
> you found to be failing to build now due to this change in stable and
> unstable?

my question was exactly how to move forward here.

If everyone (including the release team) agrees that the imagemagick 
change should stay and RC bugs be filed, I can do the bug filing.

> Regards,
> Salvatore

cu
Adrian



Bug#987504: imagemagick: attempt to perform an operation not allowed by the security policy `EPS'

2021-04-27 Thread Salvatore Bonaccorso
Hi Adrian,

On Sat, Apr 24, 2021 at 11:20:43PM +0300, Adrian Bunk wrote:
> Package: imagemagick
> Version: 8:6.9.11.60+dfsg-1.2
> Severity: serious
> Tags: ftbfs
> Control: found -1 8:6.9.10.23+dfsg-2.1+deb10u1
> Control: affects -1 src:ftgl src:foxtrotgps src:gri src:kannel src:mlpost 
> src:muttprint src:ns3 src:sctk src:texworks-manual src:therion src:vlfeat 
> src:x4d-icons src:xnee
> 
> https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/ftgl.html
> https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/foxtrotgps.html
> https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/gri.html
> https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/kannel.html
> https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/mlpost.html
> https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/muttprint.html
> https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/ns3.html
> https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/sctk.html
> https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/texworks-manual.html
> https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/therion.html
> https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/vlfeat.html
> https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/x4d-icons.html
> https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/xnee.html
> 
> ...
> convert-im6.q16: attempt to perform an operation not allowed by the security 
> policy `EPS' @ error/constitute.c/IsCoderAuthorized/408.
> convert-im6.q16: attempt to perform an operation not allowed by the security 
> policy `EPS' @ error/constitute.c/IsCoderAuthorized/408.
> make[3]: *** [Makefile:931: screenshots/map-download.eps] Error 1
> 
> 
> A security change that just went into imagemagick in unstable,
> but already went into imagemagick in buster last autumn,
> makes around a dozen packages FTBFS in unstable and buster, respectively.
> 
> Background:
> https://bugs.launchpad.net/ubuntu/+source/kannel/+bug/1838425
> 
> Options are either reverting the imagemagick change or fixing
> the packages that got broken in bullseye and buster.
> 
> Security and release teams are Cc'ed.

No time for a more lengthy reply to this right now, but our point was
exactly to bring the same patch (already applied in the last DSA) as
well in bullseye's version as this was missing and discussed back then
and recently with the maintainer as well.

If this is not the case yet, are bugs filed against those packages
you found to be failing to build now due to this change in stable and
unstable?

Regards,
Salvatore



Bug#987504: imagemagick: attempt to perform an operation not allowed by the security policy `EPS'

2021-04-26 Thread Adrian Bunk
On Mon, Apr 26, 2021 at 12:41:42PM +0800, Paul Wise wrote:
>...
> I think that switching the ImageMagick policy so that it allows writes
> to PS/PS2/PS3/EPS/PDF/XPS/etc but not reads would fix the FTBFS and
> possibly also stop security issues in GhostScript from being triggered?

From the Launchpad bug:
14:44  png -> ps should be safe.
14:44  yeah, unfortunately imagemagick doesn't allow disable only reading

> bye,
> pabs

cu
Adrian



Bug#987504: imagemagick: attempt to perform an operation not allowed by the security policy `EPS'

2021-04-25 Thread Paul Wise
On Sat, 24 Apr 2021 23:20:43 +0300 Adrian Bunk wrote:

> Options are either reverting the imagemagick change or fixing
> the packages that got broken in bullseye and buster.

For foxtrotgps, I committed upstream a change that makes writing the
EPS images only happen when creating the DVI/PS documentation formats.

https://bazaar.launchpad.net/~foxtrotgps-team/foxtrotgps/trunk/revision/330

The foxtrotgps Debian package does not use DVI/PS, so I can just
introduce a hack removing the EPS building from the Makefile if needed.

I think that switching the ImageMagick policy so that it allows writes
to PS/PS2/PS3/EPS/PDF/XPS/etc but not reads would fix the FTBFS and
possibly also stop security issues in GhostScript from being triggered?

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
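Whether a write-only coder policy of the kind proposed above is honoured depends on the ImageMagick version in use, but the evaluator below, an added example that is not part of this thread or of the Debian package, shows what such a policy would mean under the policy.xml rights model as I read it (rights are any combination of read/write/execute or none, and a request is denied when any matching `domain="coder"` policy lacks the requested right); the two policy fragments are constructed samples, and the case-sensitive glob matching is an assumption.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

# Constructed sample policy.xml fragments (not the Debian package's policy.xml).
POLICY_DENY_ALL = """<policymap>
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}" />
</policymap>"""

POLICY_WRITE_ONLY = """<policymap>
  <policy domain="coder" rights="write" pattern="{PS,PS2,PS3,EPS,PDF,XPS}" />
</policymap>"""

RIGHT_BITS = {"read": 1, "write": 2, "execute": 4}


def parse_rights(text):
    """Map a rights attribute such as 'read|write' or 'none' to a bitmask."""
    mask = 0
    for word in re.split(r"[^a-z]+", text.lower()):
        mask |= RIGHT_BITS.get(word, 0)  # 'none' and unknown words add nothing
    return mask


def expand_braces(pattern):
    """Expand {A,B,C} alternatives, the form policy.xml uses for coder lists."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    return [alt for part in m.group(1).split(",")
            for alt in expand_braces(head + part + tail)]


def coder_matches(coder, pattern):
    # Assumption: coder names (EPS, PDF, ...) are matched case-sensitively.
    return any(fnmatch.fnmatchcase(coder, alt) for alt in expand_braces(pattern))


def is_coder_authorized(policy_xml, coder, right):
    """Deny when any matching coder policy lacks the requested right."""
    want = RIGHT_BITS[right]
    for pol in ET.fromstring(policy_xml).iter("policy"):
        if pol.get("domain") != "coder":
            continue
        if coder_matches(coder, pol.get("pattern", "")):
            if (want & parse_rights(pol.get("rights", ""))) == 0:
                return False
    return True


def report(policy_xml, coder):
    """Read/write verdict for one coder, e.g. the EPS writes that broke builds."""
    return {r: is_coder_authorized(policy_xml, coder, r) for r in ("read", "write")}
```

With POLICY_DENY_ALL the EPS write that the FTBFS log shows is refused, while POLICY_WRITE_ONLY permits that write and still refuses reading EPS/PS/PDF input through the coder.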




Bug#987504: imagemagick: attempt to perform an operation not allowed by the security policy `EPS'

2021-04-25 Thread Chris Hofstaedtler
* Adrian Bunk  [210425 12:34]:
> https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/kannel.html
[..]
> https://bugs.launchpad.net/ubuntu/+source/kannel/+bug/1838425

Kannel turned off building of PS docs in 1.4.5-7 (and stopped using
imagemagick); but obv. not in buster.



Bug#987504: imagemagick: attempt to perform an operation not allowed by the security policy `EPS'

2021-04-24 Thread Adrian Bunk
Package: imagemagick
Version: 8:6.9.11.60+dfsg-1.2
Severity: serious
Tags: ftbfs
Control: found -1 8:6.9.10.23+dfsg-2.1+deb10u1
Control: affects -1 src:ftgl src:foxtrotgps src:gri src:kannel src:mlpost 
src:muttprint src:ns3 src:sctk src:texworks-manual src:therion src:vlfeat 
src:x4d-icons src:xnee

https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/ftgl.html
https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/foxtrotgps.html
https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/gri.html
https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/kannel.html
https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/mlpost.html
https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/muttprint.html
https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/ns3.html
https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/sctk.html
https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/texworks-manual.html
https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/therion.html
https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/vlfeat.html
https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/x4d-icons.html
https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/xnee.html

...
convert-im6.q16: attempt to perform an operation not allowed by the security 
policy `EPS' @ error/constitute.c/IsCoderAuthorized/408.
convert-im6.q16: attempt to perform an operation not allowed by the security 
policy `EPS' @ error/constitute.c/IsCoderAuthorized/408.
make[3]: *** [Makefile:931: screenshots/map-download.eps] Error 1


A security change that just went into imagemagick in unstable,
but already went into imagemagick in buster last autumn,
makes around a dozen packages FTBFS in unstable and buster, respectively.

Background:
https://bugs.launchpad.net/ubuntu/+source/kannel/+bug/1838425

Options are either reverting the imagemagick change or fixing
the packages that got broken in bullseye and buster.

Security and release teams are Cc'ed.