On Thu, 31 Oct 2019 08:24:26 +0100 Marcus Meissner <meissner@suse.de> wrote:
On Wed, Oct 30, 2019 at 10:39:45PM +0000, Dave Howorth wrote:
On Wed, 30 Oct 2019 17:20:56 -0500 "David C. Rankin" <drankinatty@suddenlinkmail.com> wrote:
Wow!,
ImageMagick is now crippled by default. You have to change security policy to convert a .pdf to a .jpg.
I attempted to convert:
$ convert 20191030_Gohmert.pdf -resize 151 -quality 90 -background white 20191030_Gohmert_thumb.png
convert: not authorized `20191030_Gohmert.pdf' @ error/constitute.c/ReadImage/464.
convert: no images defined `20191030_Gohmert_thumb.jpg' @ error/convert.c/ConvertImageCommand/3149.
What? I'm not authorized to use convert??
Sadly, it seems that is so:
https://stackoverflow.com/questions/42928765/convertnot-authorized-aaaa-erro...
Changed the security policy file and I can now use it.
Do we really want to ship a broken imagemagick by default?
I'm confused. If I'm reading correctly, the policy settings in ImageMagick (IM) are there to block an exploit in ghostscript (GS), which is used internally by IM. But even on Leap 15.0, I seem to be using v9.26 of GS and there's an update to 9.27 that I haven't applied yet. According to https://www.kb.cert.org/vuls/id/332928/ the underlying bug in GS was fixed in v9.24, so why are these restrictions to IM still in place?
SUSE security still considers ghostscript too risky to process postscript unguarded.
You can switch to a more relaxed policy locally if you want.
zypper in ImageMagick-config-7-upstream
(Will remove the more strict ImageMagick-config-7-SUSE)
Ciao, Marcus
Thanks Marcus :)
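An added example, not part of the thread and not SUSE or ImageMagick code: a small checker that reads an ImageMagick policy.xml and reports which rights a coder such as PDF ends up with, which is what decides the "not authorized" error above. The sample policy is constructed, and the evaluation model (later matching coder entries override earlier ones, no match means unrestricted) is a simplifying assumption.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

# Constructed sample policy, not copied from any distribution's package.
SAMPLE_POLICY = """
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="{PS,EPS,PDF,XPS}"/>
  <policy domain="coder" rights="read | write" pattern="PNG"/>
</policymap>
"""

def expand_braces(pattern):
    """Expand {A,B,C} groups into a list of plain glob patterns."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    return [p for alt in m.group(1).split(",")
            for p in expand_braces(head + alt + tail)]

def coder_rights(policy_xml, coder):
    """Return the read/write rights left for `coder` under the policy text."""
    rights = {"read", "write"}          # assumption: no entry means unrestricted
    name = coder.upper()                # coder names are upper case
    for entry in ET.fromstring(policy_xml).iter("policy"):
        if entry.get("domain") != "coder":
            continue
        globs = expand_braces(entry.get("pattern", ""))
        if not any(fnmatch.fnmatchcase(name, g) for g in globs):
            continue
        declared = {r.strip().lower() for r in entry.get("rights", "").split("|")}
        if "all" in declared:
            declared |= {"read", "write"}
        rights = declared & {"read", "write"}   # assumption: later entry overrides
    return rights

def can_read(policy_xml, coder):
    """True if the policy lets ImageMagick decode this format."""
    return "read" in coder_rights(policy_xml, coder)

if __name__ == "__main__":
    for fmt in ("PDF", "PS", "PNG", "JPEG"):
        print(fmt, sorted(coder_rights(SAMPLE_POLICY, fmt)) or "none")
```

Running it against the policy file actually installed on a host shows whether PDF and PostScript input is blocked before any conversion job is attempted.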