Re: ImageMagick security settings in openSUSE
On Sat, Oct 31, 2020 at 12:11:58AM +0100, Tommaso Cucinotta wrote:
> Now, the question I wanted to ask is: when reconfiguring LyX looking for
> existence of the various converters, would it make sense for LyX to have a
> means to try the converters one by one (at least a known subset of them), to
> be sure they work and they've not been forbidden, so to exclude those ones
> that don't actually work?
> Or, is there some other way to handle the problem in a user-friendly way?

The security bugs which led to the conversion ban have been fixed for a long time.
So it would make sense to file a bug in ubuntu that the permanent ban makes lyx
unusable for standard vector graphics formats. Moreover, since /etc is writeable
only for root, normal users have no chance to override this restriction with
their own policy files. They might listen to us or not, but it's IMHO worth trying.

From our part the most user-informative way would be to check the policy via
"convert -list policy" and, if not allowed, trigger a message that those
conversions were banned. The combative part in me would even add a note which
would suggest users file a bug with their distro maintainers so they get some
additional feedback. Maybe if they close the same bug 100x times they'll try to
do something about it ;)

Pavel

-- 
lyx-devel mailing list
lyx-devel@lists.lyx.org
http://lists.lyx.org/mailman/listinfo/lyx-devel
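The check Pavel proposes above, as an added example (not LyX's or ImageMagick's own code): instead of scraping "convert -list policy", it parses the policy.xml that ImageMagick reads (on Ubuntu the /etc/ImageMagick-6/policy.xml Tommaso grepped) and reports which of the coders LyX's preview conversions feed to ImageMagick are denied read access. The coder list, the "any matching entry that omits read denies it" semantics, the case-insensitive pattern matching and both sample policies are assumptions constructed for the example.

```python
"""Report ImageMagick policy entries that ban the coders LyX's converters need.

Added example, not LyX or ImageMagick code. Parses a policy.xml (the file
"convert -list policy" reports) and lists PostScript/PDF coders that may not
be read, which is what makes LyX's PS/EPS/PDF -> PNG previews fail.
"""
import fnmatch
import re
import sys
import xml.etree.ElementTree as ET

# Coders LyX's preview converters hand to ImageMagick (assumed set).
LYX_CODERS = ("PS", "PS2", "PS3", "EPS", "PDF", "XPS")

# Constructed sample in the style of the restrictive Ubuntu/openSUSE defaults.
BANNED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
</policymap>
"""

# Constructed sample of a permissive policy using ImageMagick's {a,b} patterns.
PERMISSIVE_POLICY = """<policymap>
  <policy domain="coder" rights="read|write" pattern="{PS,PS2,PS3,EPS,PDF,XPS}" />
  <policy domain="coder" rights="none" pattern="MVG" />
</policymap>
"""


def _expand_braces(pattern):
    """Expand {A,B} alternation, one level at a time, into plain glob patterns."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if m is None:
        return [pattern]
    head, tail = pattern[: m.start()], pattern[m.end():]
    expanded = []
    for alt in m.group(1).split(","):
        expanded.extend(_expand_braces(head + alt + tail))
    return expanded


def readable_coders(policy_xml):
    """Map each coder in LYX_CODERS to whether the policy lets it be read.

    Assumed semantics: a coder starts out readable and loses the right as soon
    as any matching coder-domain entry omits "read" from its rights, so
    rights="none" denies everything. Patterns are matched case-insensitively.
    """
    root = ET.fromstring(policy_xml)
    readable = {coder: True for coder in LYX_CODERS}
    for pol in root.iter("policy"):
        if pol.get("domain") != "coder":
            continue
        # rights may be written as "read|write" or "read, write"
        granted = {t for t in re.split(r"[|,\s]+", pol.get("rights", "none").lower()) if t}
        for glob in _expand_braces(pol.get("pattern", "")):
            for coder in LYX_CODERS:
                if fnmatch.fnmatchcase(coder, glob.upper()) and "read" not in granted:
                    readable[coder] = False
    return readable


def banned_coders(policy_xml):
    """Sorted list of LyX-relevant coders the policy forbids reading."""
    return sorted(c for c, ok in readable_coders(policy_xml).items() if not ok)


def policy_message(policy_xml):
    """Warning text for the user, or None when every needed coder is allowed."""
    banned = banned_coders(policy_xml)
    if not banned:
        return None
    return ("ImageMagick's security policy forbids reading " + ", ".join(banned)
            + "; PS/EPS/PDF previews will fail until the policy is relaxed "
              "(on Ubuntu it lives in /etc/ImageMagick-6/policy.xml)")


if __name__ == "__main__":
    # Usage: python check_policy.py [/path/to/policy.xml]; without an argument
    # the constructed BANNED_POLICY sample is checked.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = BANNED_POLICY
    print(policy_message(text) or "all LyX converters are allowed by the policy")
```

The deny-wins rule matters for real policy files: a later permissive entry does not undo an earlier `rights="none"` line, so an admin who wants to re-enable PDF previews has to edit or remove the denying entry, not append a grant.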
Re: ImageMagick security settings in openSUSE
Hi,

I'm not sure if the problem is similar. I've just tried LyX 2.3.4 on Ubuntu 20.04.1, and noticed that after inserting a PDF file/graphics, LyX has problems in converting the image into PNG, as needed to show the preview on-screen.

One way I could work around it was to comment out the PDF rule/filter in the security policy coming with ImageMagick 6:
(not understanding yet the full implications of this, though)

tommaso@laptom$ grep PDF /etc/ImageMagick-6/policy.xml

Now, the question I wanted to ask is: when reconfiguring LyX looking for existence of the various converters, would it make sense for LyX to have a means to try the converters one by one (at least a known subset of them), to be sure they work and they've not been forbidden, so to exclude those ones that don't actually work?
Or, is there some other way to handle the problem in a user-friendly way?

FYI, the user perception of the issue shows up like this:

tommaso@laptom$ lyx placement.lyx
convert-im6.q16: attempt to perform an operation not allowed by the security policy `PS' @ error/constitute.c/IsCoderAuthorized/408.
convert-im6.q16: no images defined `/tmp/lyx_tmpdir.pPGlFCzHmrqd/gconvertDiWwGs.png' @ error/convert.c/ConvertImageCommand/3258.

and, in LyX, the generic error on the image "spot" saying "cannot convert".

Thanks,

T.

On 03/07/19 15:43, Cor Blom wrote:
> Dear LyX devs,
>
> Because of the following bug
>
> https://bugzilla.opensuse.org/show_bug.cgi?id=1139928
>
> I have become aware of the strict security settings in openSUSE which limit the capabilities of ImageMagick. There is an alternative setting that the user can activate, but most users will not know this.
>
> I am just writing this, so you are aware of this. I don't know a solution.
>
> Regards,
>
> Cor
Re: ImageMagick security settings in openSUSE
On 10-07-19 at 16:51, Pavel Sanda wrote:
> I'm not sure for how big a percentage of the userbase I speak, but to butcher postscript processing renders lyx quite unusable imho, so the question is whether suse wants lyx in its repositories at all if this does not work... So if it was up to me I would rather ask for removing lyx from your official repos and let only advanced users fetch it from alternative sources and tweak settings -- because delivering a half non-functional lyx just gives us a bad reputation. But again, that's due to my way of using lyx, don't take this as the official lyx team standpoint :)

Personally I use LyX with openSUSE's hardened ImageMagick without any problems. I would not have noticed the issue with ImageMagick had it not been reported as a bug.

I am not really afraid for the reputation of LyX. I think users who are confronted by this will blame (open)SUSE (or understand it). In the meantime I try to spread the information in different, relevant places, so that it can hopefully be found.

Thanks for your input.

Cor
Re: ImageMagick security settings in openSUSE
On Wed, Jul 10, 2019 at 08:58:58PM +0200, Cor Blom wrote:
> On 10-07-19 at 16:51, Pavel Sanda wrote:
>> Can't you simply demand this 'alternative configuration' as a dependency
>> when lyx is installed?
>
> I can try this. The reason for this security policy has been explained to
> me, so I have little hope. But who knows...

Let's see. I can understand that you don't want any risk on a production
server, but you don't want lyx there either.

> I have updated the wiki with the relevant information:
>
> https://wiki.lyx.org/LyX/LyXOnOpenSUSE
>
> It needs the confirmation of a link.

Confirmed.

For now,
Pavel
Re: ImageMagick security settings in openSUSE
On 10-07-19 at 16:51, Pavel Sanda wrote:
> Can't you simply demand this 'alternative configuration' as a dependency when lyx is installed?

I can try this. The reason for this security policy has been explained to me, so I have little hope. But who knows...

I have updated the wiki with the relevant information:

https://wiki.lyx.org/LyX/LyXOnOpenSUSE

It needs the confirmation of a link.

Thanks,

Cor
Re: ImageMagick security settings in openSUSE
On Wed, Jul 10, 2019 at 03:47:26PM +0200, Cor Blom wrote:
> The following message describes the situation for openSUSE Leap 15.0, but
> it is also true for 15.1 and Tumbleweed:
>
> https://lists.opensuse.org/opensuse-security-announce/2019-05/msg00010.html
>
> In short: the user can install an alternative configuration for IM that
> enables postscript related stuff (and other things), following the upstream IM
> setting. The default SUSE settings are very strict.

Can't you simply demand this 'alternative configuration' as a dependency
when lyx is installed?

I'm not sure for how big a percentage of the userbase I speak, but to
butcher postscript processing renders lyx quite unusable imho, so the
question is whether suse wants lyx in its repositories at all if this does
not work... So if it was up to me I would rather ask for removing lyx from
your official repos and let only advanced users fetch it from alternative
sources and tweak settings -- because delivering a half non-functional lyx
just gives us a bad reputation. But again, that's due to my way of using lyx,
don't take this as the official lyx team standpoint :)

> In general postscript does not work out of the box on openSUSE for security
> reasons nowadays, but the user can enable this by installing additional
> packages.
>
> I hope this gives enough information. There is not much more that can be
> done. Maybe this information can be added to the LyX wiki also?

You can add there whatever feels right, no one understands the suse+lyx
situation better than you do.

Pavel
Re: ImageMagick security settings in openSUSE
On 10-07-19 at 15:30, Pavel Sanda wrote:
> On Wed, Jul 03, 2019 at 03:43:06PM +0200, Cor Blom wrote:
>> Dear LyX devs,
>>
>> Because of the following bug
>>
>> https://bugzilla.opensuse.org/show_bug.cgi?id=1139928
>>
>> I have become aware of the strict security settings in openSUSE which limit the capabilities of ImageMagick. There is an alternative setting that the user can activate, but most users will not know this.
>
> Is this security measure a side effect of the ghostscript problems from last September? As far as I understood, the total ban of conversions was just a temporary measure which should be lifted once the individual CVEs were resolved. I believe both upstream and other distros already lifted it.
>
>> I am just writing this, so you are aware of this. I don't know a solution.
>
> In decreasing order:
> - Can't you just file a suse-related bug to remove the ban?
> - Can't you pull/set a different IM config iff lyx is installed?
> - Can't you trigger some message if lyx is installed so the user at least knows how to fix it?
>
> If none of this works, we could add some note to our release notes that users of openSUSE need to fix IM settings.
>
> Pavel

The following message describes the situation for openSUSE Leap 15.0, but it is also true for 15.1 and Tumbleweed:

https://lists.opensuse.org/opensuse-security-announce/2019-05/msg00010.html

In short: the user can install an alternative configuration for IM that enables postscript related stuff (and other things), following the upstream IM setting. The default SUSE settings are very strict.

I have added a README.SUSE to the package and refer to that in the description; it explains the situation and tells the user the options he has. It has been discussed on the openSUSE Factory mailing list, but the suggestion of how to inform users is what I have done. See:

https://build.opensuse.org/request/show/713564

I came across this because a bug was filed that eps preview was not working. This is not really my area of expertise.

As far as I can see, the situation in (open)SUSE will remain as it is. This means the user either installs an alternative configuration for ImageMagick, or edits the security policy settings for IM manually.

In general postscript does not work out of the box on openSUSE for security reasons nowadays, but the user can enable this by installing additional packages.

I hope this gives enough information. There is not much more that can be done. Maybe this information can be added to the LyX wiki also?

Kind regards,

Cor
Re: ImageMagick security settings in openSUSE
On Wed, Jul 03, 2019 at 03:43:06PM +0200, Cor Blom wrote:
> Dear LyX devs,
>
> Because of the following bug
>
> https://bugzilla.opensuse.org/show_bug.cgi?id=1139928
>
> I have become aware of the strict security settings in openSUSE which
> limit the capabilities of ImageMagick. There is an alternative setting that
> the user can activate, but most users will not know this.

Is this security measure a side effect of the ghostscript problems from last
September? As far as I understood, the total ban of conversions was just a
temporary measure which should be lifted once the individual CVEs were
resolved. I believe both upstream and other distros already lifted it.

> I am just writing this, so you are aware of this. I don't know a solution.

In decreasing order:
- Can't you just file a suse-related bug to remove the ban?
- Can't you pull/set a different IM config iff lyx is installed?
- Can't you trigger some message if lyx is installed so the user at least
  knows how to fix it?

If none of this works, we could add some note to our release notes that users
of openSUSE need to fix IM settings.

Pavel
ImageMagick security settings in openSUSE
Dear LyX devs,

Because of the following bug

https://bugzilla.opensuse.org/show_bug.cgi?id=1139928

I have become aware of the strict security settings in openSUSE which limit the capabilities of ImageMagick. There is an alternative setting that the user can activate, but most users will not know this.

I am just writing this, so you are aware of this. I don't know a solution.

Regards,

Cor