[opensuse-factory] LyX and ImageMagick
Hi all,

A week ago I asked on this list about ImageMagick's security settings, because it is an issue when using LyX.

A follow-up question: would it be acceptable if LyX requires/recommends ImageMagick-config-7-upstream instead of going with the default?

This question comes from one of the main developers of LyX, in whose opinion LyX with a crippled ImageMagick is not really usable and when we leave it to the (informed) user to make the change, we make it more difficult for average users. It is about a balance between security and usability. I am not a security expert, so I will accept the verdict given, but for the sake of the ease of the use of LyX I wanted to ask.

To give context: we hardly get bug reports for LyX on openSUSE, but for a non-working eps preview we got a bug report.

Thanks,
Cor
On Wednesday, 10 July 2019 21:10:20 CEST Cor Blom wrote:
> Hi all,
> A week ago I asked on this list about ImageMagick's security settings, because it is an issue when using LyX.
> A follow-up question: would it be acceptable if LyX requires/recommends ImageMagick-config-7-upstream instead of going with the default?
> This question comes from one of the main developers of LyX, in whose opinion LyX with a crippled ImageMagick is not really usable and when we leave it to the (informed) user to make the change, we make it more difficult for average users.
I wouldn't call it crippled, but hardened ...

I would even recommend doing the opposite, recommend the *secure* config, not exposing the user to known security problems.

LyX can work properly even without EPS/PS support, just use PNG, JPEG (or almost any other raster format) or PDF (which e.g. SVG can be converted to) for graphics and illustrations.

LyX could also warn the user if an image is only available as (E)PS, and tell the user how to convert it to e.g. PDF, iff the source is trusted. It could also detect if the EPS support in ImageMagick has been disabled (just create a 3 line PS file with just a black rectangle, and check the conversion result).

Just my 2¢,
Stefan
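The detection suggested in the message above (convert a tiny PS file with a black rectangle and check the result), as an added example that is not part of the thread and not LyX code. The function names, the constructed probe file and the matched error wording ("security policy" / "not authorized", as ImageMagick prints when a coder is denied by policy.xml) are assumptions of this sketch.

```python
import shutil
import subprocess
import tempfile
from pathlib import Path

# Constructed three-line EPS probe: a 10x10 pt filled black rectangle.
PROBE_EPS = (
    "%!PS-Adobe-3.0 EPSF-3.0\n"
    "%%BoundingBox: 0 0 10 10\n"
    "0 0 10 10 rectfill\n"
)
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def find_converter():
    """Return the ImageMagick command as a list, or None if not installed."""
    for name in ("magick", "convert"):  # IM 7 front end, then the legacy name
        path = shutil.which(name)
        if path:
            return [path]
    return None


def probe_eps_support(converter=None, timeout=20):
    """Classify EPS handling: 'ok', 'blocked-by-policy', 'failed', 'unavailable'."""
    converter = converter or find_converter()
    if not converter or shutil.which(converter[0]) is None:
        return "unavailable"
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "probe.eps"), Path(tmp, "probe.png")
        src.write_text(PROBE_EPS)
        try:
            proc = subprocess.run([*converter, str(src), str(dst)],
                                  capture_output=True, text=True,
                                  errors="replace", timeout=timeout)
        except (OSError, subprocess.TimeoutExpired):
            return "failed"
        # Success means a real PNG was written, not merely exit status 0.
        if (proc.returncode == 0 and dst.is_file()
                and dst.read_bytes().startswith(PNG_MAGIC)):
            return "ok"
        # Distinguish a policy denial from e.g. a missing Ghostscript.
        msg = proc.stderr.lower()
        if "security policy" in msg or "not authorized" in msg:
            return "blocked-by-policy"
        return "failed"


if __name__ == "__main__":
    print(probe_eps_support())
```

A caller can use the "blocked-by-policy" result to show a specific message about the hardened configuration instead of a generic conversion error; the probe only ever feeds ImageMagick the embedded, locally generated file.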
Hello,

only a side note FYI

On Jul 10 20:39 Brüns, Stefan wrote (excerpt):
> LyX can work properly even without EPS/PS support, just use PNG, JPEG (or almost any other raster format) or PDF (which e.g. SVG can be converted to) for graphics and illustrations.
I don't know about the details or internals of LyX but in general PDF is not a secure data format because a PDF file is also a program (to some extent - PDF is not a Turing-complete programming language as PostScript), cf. "It is crucial to limit access to CUPS to trusted users" at https://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings

There are basically the same number of security exploits for Ghostscript written in PDF as in PostScript.

You may also have a look at "PostScript versus PDF as standard print job format" at https://en.opensuse.org/Concepts_printing therein in particular the part about "There is no such thing as THE PDF format"

Also remember the endless sequence of security issues with the Adobe Reader which proves that (at least in practice) PDF is not (and will not be) a secure data format.

And to make all that stuff look finally hopeless: I remember security issues with much simpler (graphic) data formats where a maliciously crafted file made certain processing software misbehave (e.g. segfault) and any misbehaviour of a software could be misused to let the software do "bad things".

The root cause is that for any processing software its input is some kind of program (with limited intended functionality) that controls what the processing software does so in the end all is about processing arbitrary kind of "programs" from possibly untrusted origin.

Just happily let your browser automatically process all those tons of various kind of input data that it gets downloaded from that "nice and friendly Internet out there" ;-)
From my personal point of view the generic root cause is https://en.wikipedia.org/wiki/Software_bloat and in particular a violation of RFC 1925 items 5 and 6a.
Accordingly the generic solution should be along with https://en.wikipedia.org/wiki/KISS_principle and in particular https://en.wikipedia.org/wiki/Unix_philosophy

I think this will not happen in the foreseeable future. But hope dies last...

Kind Regards
Johannes Meixner
--
SUSE LINUX GmbH - HRB 21284 (AG Nuernberg)
GF: Felix Imendoerffer, Mary Higgins, Sri Rasiah
On 10-07-19 at 22:39, Brüns, Stefan wrote:
> LyX could also warn the user if an image is only available as (E)PS, and tell the user how to convert it to e.g. PDF, iff the source is trusted. It could also detect if the EPS support in ImageMagick has been disabled (just create a 3 line PS file with just a black rectangle, and check the conversion result).
> Just my 2¢,
Thanks for your input. As Johannes already replied, PDF is not really safer and it is also disabled in ImageMagick by default in (open)SUSE.

You are right that the error message (because there is one) could be clearer. Maybe I can convince the LyX devs of that.

I don't want to make openSUSE less secure. But I am also aware that when PS or PDF does not work in LyX (or anywhere else), users will look for solutions. The one who reported the bug did so and thought installing kimageformats-eps was the solution (apparently totally unaware that there is a security reason for not installing that).

We can be pessimistic about solutions and do nothing, but that is not really me. I know there is no perfect solution here. What I am looking for is how to inform the (less advanced) user and direct him in a direction that he can make an informed choice and risk. Not all users will be interested in this, but there are those who are, who try to be responsible, but also need some work done.

Offering the option to install an alternative configuration, that at least upstream ImageMagick devs think is ok, is the only way to go. But I don't want to enforce this on LyX users, so recommending this in the main package is not an option (I myself am fine using LyX with the default SUSE hardening).

Let's see for now what happens. If more reports are made about this issue, either in bugzilla, or mailing-lists, or forums, then I will give it some further thought.

(Is ghostscript also considered unsafe? In my workflow having this installed is unavoidable. I would then need to remove hplip and gimp, a.o. But that is not for this list.)

Thanks for all input,
Cor
Hello,

On Jul 11 15:08 Cor Blom wrote (excerpt):
> Is ghostscript also considered unsafe?
Ghostscript is "by design" insecure because it runs PostScript programs and PDFs, see the explanation about Ghostscript and PostScript/PDF programs in the section "It is crucial to limit access to CUPS to trusted users" in https://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings

Therefore Ghostscript's generic insecurity is the root cause why processing of PostScript and PDF input is disabled in ImageMagick by default in openSUSE because to process PostScript and PDF input ImageMagick calls Ghostscript which means the user who runs ImageMagick runs a PostScript program or a PDF "program".

In general it won't matter what PostScript or PDF interpreter is used to process PostScript or PDF - in any case it means the user must run a PostScript or PDF program.

So the root cause behind is that e.g. "just show some graphics" sometimes means one must run programs (from untrusted origin).

Kind Regards
Johannes Meixner