Re: [gentoo-user] ...I not allowed to make pdfs from images??????
On Sunday, 9 December 2018, 18:03:35 CET, Arve Barsnes wrote:
[...]
> More important than that, it seems the vulnerability is in
> ghostscript, and the vulnerable versions are not any longer even in
> portage, so shouldn't the change have been reverted by now?

https://bugs.gentoo.org/664236#c10

--
Marc Joliet
--
"People who think they know everything really annoy those of us who know we
don't" - Bjarne Stroustrup
Re: [gentoo-user] ...I not allowed to make pdfs from images??????
On Sunday, 9 December 2018, 16:46:39 CET, Philip Webb wrote:
> 181209 Marc Joliet wrote:
> > On Sunday, 9 December 2018, 11:35:16 CET, Philip Webb wrote:
> >> What exactly are the "security reasons" ?
> >> Do they apply to a single-user system ? -- if not,
> >> why is the restrictive version of the policy file installed by default
> >> rather than a warning at the end of the emerge output ?
> >
> > Good question. Checking the git log, the change was made over two
> > commits:
> > https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=02765dfc333e578af9e3fd525fc0067dc47d6528
> > https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=df7afbda6b12a68578833225e694cee011b20342
> > The commit messages point to https://www.kb.cert.org/vuls/id/332928/
> > and https://bugs.gentoo.org/664236,
> > which basically explain in more detail what Mick summarized yesterday.
>
> It looks to me like an over-reaction to a fairly unlikely exploit.
> You are protected if you don't download images from untrusted sites
> or if you don't run Ghostscript as root (who would ? ).

A remote code execution vulnerability is problematic even when "merely"
executed as your own user. I don't understand why you would think that it
only matters when run as root.

--
Marc Joliet
--
"People who think they know everything really annoy those of us who know we
don't" - Bjarne Stroustrup
Re: [gentoo-user] ...I not allowed to make pdfs from images??????
On Sun, 9 Dec 2018 at 16:46, Philip Webb wrote:
>
> 181209 Marc Joliet wrote:
> > On Sunday, 9 December 2018, 11:35:16 CET, Philip Webb wrote:
> >> What exactly are the "security reasons" ?
> >> Do they apply to a single-user system ? -- if not,
> >> why is the restrictive version of the policy file installed by default
> >> rather than a warning at the end of the emerge output ?
> > Good question. Checking the git log, the change was made over two commits:
> > https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=02765dfc333e578af9e3fd525fc0067dc47d6528
> > https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=df7afbda6b12a68578833225e694cee011b20342
> > The commit messages point to https://www.kb.cert.org/vuls/id/332928/
> > and https://bugs.gentoo.org/664236,
> > which basically explain in more detail what Mick summarized yesterday.
>
> It looks to me like an over-reaction to a fairly unlikely exploit.
> You are protected if you don't download images from untrusted sites
> or if you don't run Ghostscript as root (who would ? ).
>
> It's true that you can use 'img2pdf' instead, which is perhaps the solution.

More important than that, it seems the vulnerability is in
ghostscript, and the vulnerable versions are not any longer even in
portage, so shouldn't the change have been reverted by now?

Arve
Re: [gentoo-user] ...I not allowed to make pdfs from images??????
181209 Marc Joliet wrote:
> On Sunday, 9 December 2018, 11:35:16 CET, Philip Webb wrote:
>> What exactly are the "security reasons" ?
>> Do they apply to a single-user system ? -- if not,
>> why is the restrictive version of the policy file installed by default
>> rather than a warning at the end of the emerge output ?
> Good question. Checking the git log, the change was made over two commits:
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=02765dfc333e578af9e3fd525fc0067dc47d6528
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=df7afbda6b12a68578833225e694cee011b20342
> The commit messages point to https://www.kb.cert.org/vuls/id/332928/
> and https://bugs.gentoo.org/664236,
> which basically explain in more detail what Mick summarized yesterday.

It looks to me like an over-reaction to a fairly unlikely exploit.
You are protected if you don't download images from untrusted sites
or if you don't run Ghostscript as root (who would ? ).

It's true that you can use 'img2pdf' instead, which is perhaps the solution.

--
                   ,,
SUPPORT     ___//___,          Philip Webb
ELECTRIC   /] [] [] [] [] []|  Cities Centre, University of Toronto
TRANSIT    `-O--O---'          purslowatchassdotutorontodotca
Re: [gentoo-user] ...I not allowed to make pdfs from images??????
On Sunday, 9 December 2018, 11:35:16 CET, Philip Webb wrote:
> 181208 Marc Joliet wrote:
> > This is mentioned in the emerge output when installing imagemagick.
> >
> > From the 7.0.8.14 ebuild :
> > elog "For security reasons, a policy.xml file was installed in
> > /etc/ImageMagick-7"
> > elog "which will prevent the usage of the following coders by default:"
> > elog ""
> > elog " - PS"
> > elog " - PS2"
> > elog " - PS3"
> > elog " - EPS"
> > elog " - PDF"
> > elog " - XPS"
>
> What exactly are the "security reasons" ?
> Do they apply to a single-user system ? -- if not,
> why is the restrictive version of the policy file installed by default
> rather than a warning at the end of the emerge output ?

Good question. Checking the git log, the change was made over two commits:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=02765dfc333e578af9e3fd525fc0067dc47d6528
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=df7afbda6b12a68578833225e694cee011b20342

The commit messages point to https://www.kb.cert.org/vuls/id/332928/ and
https://bugs.gentoo.org/664236, which basically explain in more detail what
Mick already summarized yesterday.

--
Marc Joliet
--
"People who think they know everything really annoy those of us who know we
don't" - Bjarne Stroustrup
Re: [gentoo-user] ...I not allowed to make pdfs from images??????
181208 Marc Joliet wrote:
> This is mentioned in the emerge output when installing imagemagick.
> From the 7.0.8.14 ebuild :
> elog "For security reasons, a policy.xml file was installed in
> /etc/ImageMagick-7"
> elog "which will prevent the usage of the following coders by default:"
> elog ""
> elog " - PS"
> elog " - PS2"
> elog " - PS3"
> elog " - EPS"
> elog " - PDF"
> elog " - XPS"

What exactly are the "security reasons" ?
Do they apply to a single-user system ? -- if not,
why is the restrictive version of the policy file installed by default
rather than a warning at the end of the emerge output ?

--
                   ,,
SUPPORT     ___//___,          Philip Webb
ELECTRIC   /] [] [] [] [] []|  Cities Centre, University of Toronto
TRANSIT    `-O--O---'          purslowatchassdotutorontodotca
Re: [gentoo-user] ...I not allowed to make pdfs from images??????
On Saturday, 8 December 2018, 14:36:04 CET, Franz Fellner wrote:
> Check your /etc/ImageMagick-7/policy.xml
> But be aware of the risks, see the comment in the very same policy.xml file
>
> On Sat, 8 Dec 2018 at 15:22, wrote:
> > Hi,
> >
> > from some images I want to create a pdf.
> > I found this commandline to do so (imagemagick):
> > convert 1.png 2.ong 3.png result.pdf
> >
> > If I do so I got this message:
> > convert: attempt to perform an operation not allowed by the security
> > policy `PDF' @ error/constitute.c/IsCoderAuthorized/408.
> >
> > What the heck...
> >
> > How can I allow myself to work on my computer ? ;)
> >
> > Cheers!
> > Meino

FTR, this is mentioned in the emerge output when installing imagemagick. From
the 7.0.8.14 ebuild:

elog "For security reasons, a policy.xml file was installed in /etc/ImageMagick-7"
elog "which will prevent the usage of the following coders by default:"
elog ""
elog " - PS"
elog " - PS2"
elog " - PS3"
elog " - EPS"
elog " - PDF"
elog " - XPS"

Did it not show for you?

--
Marc Joliet
--
"People who think they know everything really annoy those of us who know we
don't" - Bjarne Stroustrup
Re: [gentoo-user] ...I not allowed to make pdfs from images??????
On Sat, Dec 8, 2018, at 14:23, tu...@posteo.de wrote:
> from some images I want to create a pdf.

I successfully use img2pdf:

https://gitlab.mister-muffin.de/josch/img2pdf

It's also in the main Gentoo repository.

--
https://fturco.gitlab.io/
Re: [gentoo-user] ...I not allowed to make pdfs from images??????
On Saturday, 8 December 2018 13:36:04 GMT Franz Fellner wrote:
> Check your /etc/ImageMagick-7/policy.xml
> But be aware of the risks, see the comment in the very same policy.xml file

As Franz mentioned there are ghostscript vulnerabilities you should be aware
of, which are mitigated by the /etc/ImageMagick-7/policy.xml file.

Temporarily you could change line 60 in this file from "none" to "read|write":

Don't forget to revert it to "none" when you're done.

--
Regards,
Mick
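Added example, not part of any message in this thread and not Gentoo's or ImageMagick's own code: a check that the coders named in the elog message are still denied in a policy.xml, for instance after a temporary edit like the one described above. The sample policy is constructed; the brace-list pattern handling and the conservative rule (a coder counts as blocked only if every matching coder entry has rights="none") are assumptions of this sketch.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Coders named in the elog message quoted in this thread.
RESTRICTED = ["PS", "PS2", "PS3", "EPS", "PDF", "XPS"]

# Constructed sample in the policy.xml format; not the file Gentoo ships.
SAMPLE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="PS"/>
  <policy domain="coder" rights="none" pattern="{PS2,PS3}"/>
  <policy domain="coder" rights="none" pattern="EPS"/>
  <policy domain="coder" rights="read|write" pattern="PDF"/>
  <policy domain="coder" rights="none" pattern="XPS"/>
</policymap>"""

def expand(pattern):
    """Expand a single {A,B,C} brace list; other patterns pass through."""
    if pattern.startswith("{") and pattern.endswith("}"):
        return [p.strip() for p in pattern[1:-1].split(",")]
    return [pattern]

def coder_rights(policy_xml):
    """Map each restricted coder to the rights granted by any matching entry.

    None means no coder entry mentions it; an empty set means only
    rights="none" entries matched.
    """
    root = ET.fromstring(policy_xml)
    granted = {c: None for c in RESTRICTED}
    for pol in root.iter("policy"):
        if pol.get("domain", "").lower() != "coder":
            continue
        rights = {r.strip().lower() for r in pol.get("rights", "").split("|")}
        rights -= {"none", ""}
        for pat in expand(pol.get("pattern", "")):
            for coder in RESTRICTED:
                if fnmatch.fnmatchcase(coder, pat.upper()):
                    granted[coder] = (granted[coder] or set()) | rights
    return granted

def unblocked(policy_xml):
    """Coders not fully denied: no entry at all, or some entry grants rights."""
    return sorted(c for c, r in coder_rights(policy_xml).items()
                  if r is None or r)

if __name__ == "__main__":
    # Prints ['PDF']: the sample left PDF at "read|write".
    print(unblocked(SAMPLE_POLICY))
```

To check a real system, pass the contents of /etc/ImageMagick-7/policy.xml to unblocked(); an empty list means all six coders are denied again.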
Re: [gentoo-user] ...I not allowed to make pdfs from images??????
Check your /etc/ImageMagick-7/policy.xml
But be aware of the risks, see the comment in the very same policy.xml file

On Sat, 8 Dec 2018 at 15:22, wrote:
> Hi,
>
> from some images I want to create a pdf.
> I found this commandline to do so (imagemagick):
> convert 1.png 2.ong 3.png result.pdf
>
> If I do so I got this message:
> convert: attempt to perform an operation not allowed by the security
> policy `PDF' @ error/constitute.c/IsCoderAuthorized/408.
>
> What the heck...
>
> How can I allow myself to work on my computer ? ;)
>
> Cheers!
> Meino
[gentoo-user] ...I not allowed to make pdfs from images??????
Hi,

from some images I want to create a pdf.
I found this commandline to do so (imagemagick):
convert 1.png 2.ong 3.png result.pdf

If I do so I got this message:
convert: attempt to perform an operation not allowed by the security
policy `PDF' @ error/constitute.c/IsCoderAuthorized/408.

What the heck...

How can I allow myself to work on my computer ? ;)

Cheers!
Meino