8:6.8.9.9-7ubuntu5.13 breaks convert with no explanation

Bug #1796563 reported by Steve Dodd on 2018-10-07
124
This bug affects 24 people
Affects Status Importance Assigned to Milestone
imagemagick (Ubuntu)
Undecided
Unassigned

Bug Description

8:6.8.9.9-7ubuntu5.13 breaks the convert command as used by my home-brew document management system:

$ convert -density 200 -quality 40 null: 10-07-dvla.pdf 10-07-dvla.jpg
convert: not authorized `10-07-dvla.pdf' @ error/constitute.c/ReadImage/412.

I appreciate that this is likely a security fix for something, but I can find no useful information in the changelog.Debian or NEWS files on what has changed, and what I should do to restore previous functionality.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: imagemagick 8:6.8.9.9-7ubuntu5.13
ProcVersionSignature: Ubuntu 4.15.0-33.36-generic 4.15.18
Uname: Linux 4.15.0-33-generic x86_64
NonfreeKernelModules: qnx4 hfsplus hfs minix ntfs jfs i915 snd_hda_codec_hdmi intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp snd_hda_codec_realtek snd_hda_codec_generic dcdbas snd_hda_intel snd_hda_codec snd_hda_core intel_cstate dell_wmi intel_rapl_perf dell_smbios_wmi dell_smbios wmi_bmof sparse_keymap dell_wmi_descriptor cp210x usbserial mei_me mei shpchp intel_pch_thermal mac_hid vhci_hcd usbip_core r8169 wmi
ApportVersion: 2.20.1-0ubuntu2.18
Architecture: amd64
CurrentDesktop: XFCE
Date: Sun Oct 7 14:35:08 2018
InstallationDate: Installed on 2017-01-08 (637 days ago)
InstallationMedia: Xubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
SourcePackage: imagemagick
UpgradeStatus: No upgrade log present (probably fresh install)

Steve Dodd (anarchetic) wrote :

The package changelog mentions this:

* SECURITY UPDATE: code execution vulnerabilities in ghostscript as
  invoked by imagemagick
  - debian/patches/200-disable-ghostscript-formats.patch: disable
    ghostscript handled types by default in policy.xml

https://bugs.launchpad.net/ubuntu/+source/imagemagick/8:6.8.9.9-7ubuntu5.13

Steve Dodd (anarchetic) wrote :

Yeah, but it's not immediately obvious if you're not familiar with imagemagick internals (I certainly didn't know what policy.xml was), and it's part of 70 lines of changes.

Given this is flat out disabling a big chunk of functionality in something frequently used as part of other programs / scripts, in an LTS release, a mention in NEWS or README or something might be an idea. Or at least a more verbose changelog entry.

Is this the recommended long-term solution to whatever the underlying vulnerability is, or is it a stop-gap until something else - I assume ghostscript - is properly patched?

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in imagemagick (Ubuntu):
status: New → Confirmed
tags: added: regression-security
Sadi Yumuşak (sa-yu) wrote :

I guess this shows that I suffer from the same issue when trying to convert image file(s) to pdf:

8:6.9.7.4+dfsg-16ubuntu6.4

convert-im6.q16: not authorized `filename.pdf' @ error/constitute.c/WriteImage/1037.

Steve Dodd (anarchetic) wrote :

Sadi, if you're willing to take the risk, you can comment the appropriate line in /etc/ImageMagick-6/policy.xml ..

Amir (amiryal) wrote :

Here is an alternative to `convert document.pdf image.jpg`:

    pdftoppm -jpeg document.pdf image

Note: pdftoppm is coming from poppler-utils
Note: the generated output path is not 1:1 with convert, so adjust any scripts using it

Can someone suggest an alternative to the reverse operation, `convert image.jpg document.pdf`? Thanks!

img2pdf seem to do the job for the reverse operation nicely...

S.

Amir <email address hidden> wrote:
> Here is an alternative to `convert document.pdf image.jpg`:
>
> pdftoppm -jpeg document.pdf image
>
> Note: pdftoppm is coming from poppler-utils
> Note: the generated output path is not 1:1 with convert, so
> adjust any scripts using it
>
> Can someone suggest an alternative to the reverse operation,
> `convert image.jpg document.pdf`? Thanks!
>

Tim Donohue (tdonohue) wrote :

For what it's worth, we ran into this issue today as well. It looks like the related Ghostscript vulnerability is detailed here: https://www.kb.cert.org/vuls/id/332928

While the release notes are not exactly *clear*, Ghostscript v9.25 seems to make reference to fixing some vulnerabilities of this sort: https://www.ghostscript.com/doc/9.25/News.htm

Just adding in this information in case it's helpful to others encountering this. I admit, I have no verification that Ghostscript v9.25 fixes the vulnerability. So, only comment out these new ImageMagick configurations at your own risk.

Hello,

I am running Ubuntu 18.04.2 LTS (bionic) with ghostcript version 9.26.

Per the document https://www.kb.cert.org/vuls/id/332928/, the vulnerability in question seems to have been fixed in version 9.24 itself.

Isn't it time to have the policy.xml changes adjusted and any other changes done as required so the 'convert (to PDF)' starts working as always?

I'm interested in doing the work and any related tests if availability is the only concern here. Would someone kindly guide me in that case?

Thanks,
Shashank

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers