FTBFS: attempt to perform an operation not allowed by the security policy `PS'
Bug #1838425 reported by
Robie Basak
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
kannel (Ubuntu) |
Fix Released
|
Undecided
|
Robie Basak |
Bug Description
kannel FTBFS on Eoan: https:/
/usr/bin/convert doc/alligata/
convert: attempt to perform an operation not allowed by the security policy `PS' @ error/constitut
make[1]: *** [Makefile:217: doc/alligata/
make[1]: Leaving directory '/<<PKGBUILDDIR>>'
make: *** [/usr/share/
dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 2
This is due to imagemagick 8:6.9.10.
To post a comment you must log in.
There was some discussion here on #ubuntu-hardened, pasted below. Conclusion: we should resolve this by disabling PostScript documentation for now.
14:34 <rbasak> mdeslaur: your security upload of imagemagick (8:6.9. 10.23+dfsg- 2.1ubuntu3) is causing kannel to FTBFS when it builds Arch: all (so amd64) because the build process uses convert to generate PostScript and the security policy now blocks that. Any advice on how to proceed please?
14:34 <rbasak> Is it acceptable to hack that during the build, for example?
14:35 <rbasak> Debian unstable doesn't have the same issue. I'm not sure if that means they resolved it differently, chose not to block by policy, or something else.
14:37 <rbasak> I don't see any change for the same issue in Debian, nor a CVE for Ubuntu, so not sure why it's being done in Ubuntu (obviously for security, but I mean more specifically)
14:39 <mdeslaur> upstream imagemagick disabled postscript by default in new versions, and that approach is recommended because of all the code execution issues with postscript
14:39 <mdeslaur> rbasak: why is the kernel generating postscript? for documentation?
14:40 <rbasak> Yes - I believe for docs.
14:40 <rbasak> Not kernel. kannel
14:40 <mdeslaur> oh, misread, one sec
14:40 <rbasak> AFAICT it isn't possible to override except by changing /etc, by design, so I'd need root in the build.
14:40 <rbasak> (so awkward)
14:42 <mdeslaur> there's no reason kannel needs documentation in 4 different formats, my advice would be to stop generating anything other than the html format
14:42 <rbasak> I'd have to maintain a delta in Ubuntu for that - it's not an issue for Debian seemingly.
14:42 <rbasak> Is that something that, wearing your Ubuntu Security Team hat, you think is justified to maintain a delta for?
14:43 <mdeslaur> definitely
14:43 <rbasak> OK
14:43 <mdeslaur> having the desktop automatically execute code embedded in postscript files to generate thumbnails is crazy
14:43 <rbasak> Sure, I get that.
14:43 <rbasak> Though this case is the opposite
14:43 <rbasak> /usr/bin/convert doc/alligata/ 12-5.png doc/alligata/ 12-5.ps
14:44 <rbasak> png -> ps should be safe.
14:44 <mdeslaur> yeah, unfortunately imagemagick doesn't allow disable only reading
14:44 <rbasak> Separately, you might consider everything done in package builds to be safe, if it's OK to assume trusted inputs in that case (and builds are reasonably sandboxed).
14:45 <rbasak> What if, for example, we added a package that provides an override for policy.xml, and build-depended on that?
14:45 <rbasak> Though that would still have to be a delta, it'd be cleaner.
14:46 <rbasak> Users might install that package to work around though, so I can see an argument that it would be dangerous.
14:48 <mdeslaur> let me think about this a minute
14:50 <rbasak> Sure, thanks
15:02 <mdeslaur> rbasak: ok, I still think disabling all the generated documentation beside html is the best approach to this issue. imagemagick 7 disables ps/pdf by default so this problem is going to happen in debian at some point too, and there doesn't seem to be a way to override the security policy with a command line
15:03 <rbasak> mdeslaur: yo...