Re: Imagemagick might be banned from postscript/pdf conversion soon on your distro too (was: 2.3.1 Binaries)

On Sunday, 02.09.2018, 12:59 +0200, Pavel Sanda wrote:
> After the recent discovery of Ghostscript vulnerabilities distributions
> seem to actually follow the suggestion of the security researcher who
> announced them and broadly ban any conversions from ps/eps/pdf/xps in
> imagemagick no matter the consequences. I don't need to stress on this
> list what it means for LyX -- just from today's update of my distro I'm
> not able to view most of my documents by default...
>
> Unfortunately there is very little we can do directly for 2.3.1.
> We should at least signalize in the announcement for distro maintainers
> that this *is* an issue and perhaps add some hint how to allow users to
> locally enable things in policy.xml so they can continue their work.
>
> In the longer term -- if this ban continues -- we might try to ask Qt to
> do the conversions instead of imagemagick, but that is definitely not for
> 2.3.1.

The vulnerabilities have been resolved, so it seems to be a medium-term problem:
https://artifex.com/news/ghostscript-security-resolved/

Jürgen

> Other ideas?
>
> Pavel
>
> https://www.bleepingcomputer.com/news/security/no-patch-available-yet-for-new-major-vulnerability-in-ghostscript-interpreter/
Re: Imagemagick might be banned from postscript/pdf conversion soon on your distro too (was: 2.3.1 Binaries)

On 09/02/2018 10:50 AM, Scott Kostyshak wrote:
> On Sun, Sep 02, 2018 at 12:59:22PM +0200, Pavel Sanda wrote:
>
>> In the longer term -- if this ban continues -- we might try to ask Qt to do the
>> conversions instead of imagemagick, but that is definitely not for 2.3.1.
> That might be a good backup to get working well even if it weren't for
> this issue. We should do a lot of testing.

I'm certain I do not know enough about this part of the code to do this, but
anything we can have Qt do for us here seems like the right thing to do. Then
again, Ghostscript seems to be embedded in everything. Maybe Qt uses it.

Riki
Re: Imagemagick might be banned from postscript/pdf conversion soon on your distro too (was: 2.3.1 Binaries)

On Sun, Sep 02, 2018 at 12:59:22PM +0200, Pavel Sanda wrote:
> Unfortunately there is very little we can do directly for 2.3.1.
> We should at least signalize in the announcement for distro maintainers that this
> *is* an issue and perhaps add some hint how to allow users to locally enable things
> in policy.xml so they can continue their work.

+1

> In the longer term -- if this ban continues -- we might try to ask Qt to do the
> conversions instead of imagemagick, but that is definitely not for 2.3.1.

That might be a good backup to get working well even if it weren't for this
issue. We should do a lot of testing.

Scott
Imagemagick might be banned from postscript/pdf conversion soon on your distro too (was: 2.3.1 Binaries)

Richard Kimberly Heck wrote:
> Are available for testing at http://ftp.lyx.org/pub/lyx/devel/lyx-2.3/.
> I suppose we should wait to prepare binaries until we have some feedback.

Before we announce we might consider issuing a new warning as part of the
release. Or even as a separate entry.

After the recent discovery of Ghostscript vulnerabilities, distributions seem to
actually follow the suggestion of the security researcher who announced them
and broadly ban any conversions from ps/eps/pdf/xps in imagemagick no matter
the consequences. I don't need to stress on this list what it means for
LyX -- just from today's update of my distro I'm not able to view most
of my documents by default...

Unfortunately there is very little we can do directly for 2.3.1.
We should at least signalize in the announcement for distro maintainers that
this *is* an issue and perhaps add some hint how to allow users to locally
enable things in policy.xml so they can continue their work.

In the longer term -- if this ban continues -- we might try to ask Qt to do the
conversions instead of imagemagick, but that is definitely not for 2.3.1.

Other ideas?

Pavel

https://www.bleepingcomputer.com/news/security/no-patch-available-yet-for-new-major-vulnerability-in-ghostscript-interpreter/
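An added example, not from this thread or the LyX project, of the check a maintainer or user would want before touching policy.xml: it parses the coder entries of an ImageMagick policy.xml and reports which Ghostscript-backed coders are denied, comparing a constructed blanket-ban policy with a constructed narrower one that grants only read rights for the formats a viewer needs. The coder list and both sample policies are assumptions; glob patterns in `pattern` attributes are not expanded.

```python
import xml.etree.ElementTree as ET

# Ghostscript-backed ImageMagick coders: the ps/eps/pdf/xps named in the thread
# plus the PS2/PS3 variants (assumed list, not taken from any distro policy).
GS_CODERS = ("PS", "PS2", "PS3", "EPS", "PDF", "XPS")

# Constructed sample in the style of a blanket distribution ban: every
# Ghostscript coder denied outright. Not copied from any real policy.xml.
DISTRO_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="PS"/>
  <policy domain="coder" rights="none" pattern="PS2"/>
  <policy domain="coder" rights="none" pattern="PS3"/>
  <policy domain="coder" rights="none" pattern="EPS"/>
  <policy domain="coder" rights="none" pattern="PDF"/>
  <policy domain="coder" rights="none" pattern="XPS"/>
</policymap>
"""

# Constructed narrower variant: only the formats a document viewer reads, and
# only with read rights, so writing those formats stays denied.
NARROWED_POLICY = """<policymap>
  <policy domain="coder" rights="read" pattern="EPS"/>
  <policy domain="coder" rights="read" pattern="PDF"/>
  <policy domain="coder" rights="read" pattern="PS"/>
  <policy domain="coder" rights="none" pattern="PS2"/>
  <policy domain="coder" rights="none" pattern="PS3"/>
  <policy domain="coder" rights="none" pattern="XPS"/>
</policymap>
"""

def coder_rights(policy_xml: str) -> dict:
    """Map each coder-domain pattern in a policy.xml to its rights string.
    Exact coder names only: glob patterns such as "*" stay literal keys."""
    rights = {}
    for entry in ET.fromstring(policy_xml).iter("policy"):
        if entry.get("domain") == "coder" and entry.get("pattern"):
            rights[entry.get("pattern").upper()] = entry.get("rights", "none")
    return rights

def gs_coder_status(policy_xml: str) -> dict:
    """Rights per Ghostscript coder; 'unrestricted' when no entry names it."""
    rights = coder_rights(policy_xml)
    return {c: rights.get(c, "unrestricted") for c in GS_CODERS}

def fully_blocked(policy_xml: str) -> list:
    """Ghostscript coders the policy denies outright (rights="none")."""
    return [c for c, r in gs_coder_status(policy_xml).items() if r == "none"]
```

Running `fully_blocked` against the installed system policy (its location varies by distribution) shows at a glance whether a ban of this kind is what is breaking previews.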