Re: Imagemagick might be banned from postscript/pdf conversion soon on your distro too

2018-09-02 Thread Richard Kimberly Heck
On 09/02/2018 05:27 PM, Pavel Sanda wrote:
> Daniel wrote:
>>> in policy.xml so they can continue their work.
>>> In longer-term -- if this ban continues -- we might try to ask Qt to do 
>>> the
>>> conversions instead of imagemagick, but that is definitely not for 
>>> 2.3.1.
>>> Other ideas?
>>> Pavel
>>> https://www.bleepingcomputer.com/news/security/no-patch-available-yet-for-new-major-vulnerability-in-ghostscript-interpreter/
>> There seems to be a patch for it already.
>>
>> https://artifex.com/news/ghostscript-security-resolved/
>>
>> Hopefully distros will patch and go back to normal.
> These are patches for the vulns reported on Aug 21, but as the original 
> report says:
>
> "These bugs were found manually, I also wrote a fuzzer and I'm working on 
> minimizing a very large number of testcases that I'm planning to report over 
> the next few days. I will just file those issues upstream and not post each 
> individual one here, you can monitor https://bugs.ghostscript.com/ if you 
> want to.  I expect there to be several dozen unique bugs."
>
> So, not sure we are already in the fixed state for what is coming. New bump 
> of ghostscript was announced for late Sept AFAIK.

I think removing the dependency on ImageMagick would be worth doing
anyway, if it could be done reasonably. For 'exotic' conversions, maybe
we would still need it, but surely Qt can handle most of what we need.

Riki



Re: Imagemagick might be banned from postscript/pdf conversion soon on your distro too

2018-09-02 Thread Pavel Sanda
Daniel wrote:
>> in policy.xml so they can continue their work.
>> In longer-term -- if this ban continues -- we might try to ask Qt to do 
>> the
>> conversions instead of imagemagick, but that is definitely not for 
>> 2.3.1.
>> Other ideas?
>> Pavel
>> https://www.bleepingcomputer.com/news/security/no-patch-available-yet-for-new-major-vulnerability-in-ghostscript-interpreter/
>
> There seems to be a patch for it already.
>
> https://artifex.com/news/ghostscript-security-resolved/
>
> Hopefully distros will patch and go back to normal.

These are patches for the vulns reported on Aug 21, but as the original report 
says:

"These bugs were found manually, I also wrote a fuzzer and I'm working on 
minimizing a very large number of testcases that I'm planning to report over 
the next few days. I will just file those issues upstream and not post each 
individual one here, you can monitor https://bugs.ghostscript.com/ if you want 
to.  I expect there to be several dozen unique bugs."

So, not sure we are already in the fixed state for what is coming. New bump of 
ghostscript was announced for late Sept AFAIK.

Pavel


Re: Imagemagick might be banned from postscript/pdf conversion soon on your distro too (was: 2.3.1 Binaries)

2018-09-02 Thread Jürgen Spitzmüller
On Sunday, 02.09.2018, 12:59 +0200, Pavel Sanda wrote:
> After the recent discovery of ghostscript vulnerabilities distributions
> seem to 
> actually follow suggestion of the security researcher who announced
> them
> and broadly ban any conversions from ps/eps/pdf/xps in imagemagick no
> matter
> the consequences. I don't need to stress on this list what it means
> for
> LyX -- just from today's update of my distro I'm not capable to view
> most
> of my documents by default...
> 
> Unfortunately there is very little we can do directly for 2.3.1.
> We should at least signal in the announcement for distro maintainers
> that this *is* 
> an issue and perhaps add some hint how to allow users to locally enable
> things
> in policy.xml so they can continue their work.
> 
> In longer-term -- if this ban continues -- we might try to ask Qt to
> do the
> conversions instead of imagemagick, but that is definitely not for
> 2.3.1.

The vulnerabilities have been resolved, so it seems to be a medium-term
problem:
https://artifex.com/news/ghostscript-security-resolved/

Jürgen

> 
> Other ideas?
> 
> Pavel
> 
> 
> https://www.bleepingcomputer.com/news/security/no-patch-available-yet-for-new-major-vulnerability-in-ghostscript-interpreter/
> 




Re: Imagemagick might be banned from postscript/pdf conversion soon on your distro too

2018-09-02 Thread Daniel

On 02/09/2018 12:59, Pavel Sanda wrote:
> Richard Kimberly Heck wrote:
>> Are available for testing at http://ftp.lyx.org/pub/lyx/devel/lyx-2.3/.
>> I suppose we should wait to prepare binaries until we have some feedback.
>
> Before we announce we might consider issuing a new warning as part of the release.
> Or even as a separate entry.
>
> After the recent discovery of ghostscript vulnerabilities distributions seem to
> actually follow suggestion of the security researcher who announced them
> and broadly ban any conversions from ps/eps/pdf/xps in imagemagick no matter
> the consequences. I don't need to stress on this list what it means for
> LyX -- just from today's update of my distro I'm not capable to view most
> of my documents by default...
>
> Unfortunately there is very little we can do directly for 2.3.1.
> We should at least signal in the announcement for distro maintainers that this
> *is* an issue
> and perhaps add some hint how to allow users to locally enable things
> in policy.xml so they can continue their work.
>
> In longer-term -- if this ban continues -- we might try to ask Qt to do the
> conversions instead of imagemagick, but that is definitely not for 2.3.1.
>
> Other ideas?
>
> Pavel
>
> https://www.bleepingcomputer.com/news/security/no-patch-available-yet-for-new-major-vulnerability-in-ghostscript-interpreter/


There seems to be a patch for it already.

https://artifex.com/news/ghostscript-security-resolved/

Hopefully distros will patch and go back to normal.

Daniel



Re: Imagemagick might be banned from postscript/pdf conversion soon on your distro too (was: 2.3.1 Binaries)

2018-09-02 Thread Richard Kimberly Heck
On 09/02/2018 10:50 AM, Scott Kostyshak wrote:
> On Sun, Sep 02, 2018 at 12:59:22PM +0200, Pavel Sanda wrote:
>
>> In longer-term -- if this ban continues -- we might try to ask Qt to do the
>> conversions instead of imagemagick, but that is definitely not for 2.3.1.
> That might be a good backup to get working well even if it weren't for
> this issue. We should do a lot of testing.

I'm certain I do not know enough about this part of the code to do this,
but anything
we can have Qt do for us here seems like the right thing to do.

Then again, Ghostscript seems to be embedded in everything. Maybe Qt
uses it.

Riki



Re: Imagemagick might be banned from postscript/pdf conversion soon on your distro too (was: 2.3.1 Binaries)

2018-09-02 Thread Scott Kostyshak
On Sun, Sep 02, 2018 at 12:59:22PM +0200, Pavel Sanda wrote:

> Unfortunately there is very little we can do directly for 2.3.1.
> We should at least signal in the announcement for distro maintainers that this 
> *is* an issue 
> and perhaps add some hint how to allow users to locally enable things
> in policy.xml so they can continue their work.

+1

> In longer-term -- if this ban continues -- we might try to ask Qt to do the
> conversions instead of imagemagick, but that is definitely not for 2.3.1.

That might be a good backup to get working well even if it weren't for
this issue. We should do a lot of testing.

Scott




Imagemagick might be banned from postscript/pdf conversion soon on your distro too (was: 2.3.1 Binaries)

2018-09-02 Thread Pavel Sanda
Richard Kimberly Heck wrote:
> Are available for testing at http://ftp.lyx.org/pub/lyx/devel/lyx-2.3/.
> I suppose we should wait to prepare binaries until we have some feedback.

Before we announce we might consider issuing a new warning as part of the release.
Or even as a separate entry.

After the recent discovery of ghostscript vulnerabilities distributions seem to 
actually follow suggestion of the security researcher who announced them
and broadly ban any conversions from ps/eps/pdf/xps in imagemagick no matter
the consequences. I don't need to stress on this list what it means for
LyX -- just from today's update of my distro I'm not capable to view most
of my documents by default...

Unfortunately there is very little we can do directly for 2.3.1.
We should at least signal in the announcement for distro maintainers that this 
*is* an issue 
and perhaps add some hint how to allow users to locally enable things
in policy.xml so they can continue their work.

In longer-term -- if this ban continues -- we might try to ask Qt to do the
conversions instead of imagemagick, but that is definitely not for 2.3.1.

Other ideas?

Pavel

https://www.bleepingcomputer.com/news/security/no-patch-available-yet-for-new-major-vulnerability-in-ghostscript-interpreter/
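
The policy.xml hint Pavel asks for is easiest to give if maintainers can see what the distro ban actually does. The following is an added example, not code from this thread or from the LyX or ImageMagick projects: it parses a constructed policy.xml modelled on the `<policy domain="coder" rights="none" pattern="..."/>` lines distributions added for the Ghostscript-backed coders, reports which of PS/EPS/PDF/XPS are refused, and shows what a local edit that re-grants rights to a single coder looks like while leaving the other bans in place. The list `GHOSTSCRIPT_CODERS`, the helper names and the simplified authorization model (any matching coder entry that withholds a right denies it) are this example's own assumptions.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample policy.xml modelled on the coder bans distributions
# shipped after the August 2018 Ghostscript reports (example data only,
# not copied from any distro's file).
SAMPLE_POLICY_XML = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
</policymap>
"""

# Coders ImageMagick hands to Ghostscript; this list is the example's own.
GHOSTSCRIPT_CODERS = ("PS", "PS2", "PS3", "EPS", "PDF", "XPS")


def coder_policies(policy_xml):
    """Return [(pattern, set_of_rights)] for every <policy domain="coder"> entry.

    rights="none" yields an empty set; otherwise the value is split on '|'
    (ImageMagick accepts values such as "read|write").
    """
    root = ET.fromstring(policy_xml)
    entries = []
    for pol in root.iter("policy"):
        if pol.get("domain") != "coder" or not pol.get("pattern"):
            continue
        raw = pol.get("rights", "none").strip().lower()
        rights = set() if raw == "none" else {r.strip() for r in raw.split("|")}
        entries.append((pol.get("pattern").upper(), rights))
    return entries


def is_authorized(policy_xml, coder, right):
    """Simplified model (assumption) of ImageMagick's check: a coder gets
    `right` only if no matching coder-domain entry withholds it.
    Patterns are matched as shell globs; brace lists are not expanded here."""
    for pattern, rights in coder_policies(policy_xml):
        if fnmatch.fnmatchcase(coder.upper(), pattern) and right not in rights:
            return False
    return True


def blocked_ghostscript_coders(policy_xml):
    """Coders in GHOSTSCRIPT_CODERS that this policy refuses to read."""
    return [c for c in GHOSTSCRIPT_CODERS if not is_authorized(policy_xml, c, "read")]


def set_coder_rights(policy_xml, coder, rights):
    """Return a copy of the policy with the entry for `coder` set to `rights`
    (e.g. "read|write"), adding an entry if none exists. This is what a
    local 'enable' edit of policy.xml amounts to; every other ban stays."""
    root = ET.fromstring(policy_xml)
    found = False
    for pol in root.iter("policy"):
        if pol.get("domain") == "coder" and pol.get("pattern", "").upper() == coder.upper():
            pol.set("rights", rights)
            found = True
    if not found:
        ET.SubElement(root, "policy", domain="coder", rights=rights, pattern=coder.upper())
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("blocked:", blocked_ghostscript_coders(SAMPLE_POLICY_XML))
    relaxed = set_coder_rights(SAMPLE_POLICY_XML, "PDF", "read|write")
    print("blocked after enabling PDF:", blocked_ghostscript_coders(relaxed))
```

Run against a distro's real policy.xml (the path varies by distribution and ImageMagick version) the audit tells a user which of LyX's conversions will fail before they hit the error, and the rewrite shows the minimal change for the one format they need rather than lifting all six bans.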



Re: Windows Installer for Testing

2018-09-02 Thread Jürgen Spitzmüller
On Saturday, 01.09.2018, 15:36 -0400, Richard Kimberly Heck wrote:
> > Here's a simple patch which would need a bit of additional work,
> > but can
> > be a kind of proof of concept (and be tested). Comments?

The one which you accidentally committed looks promising.

Jürgen


> Updated patch.
> 
> Riki
> 

