[opensuse] imagemagick convert
Wow!,
ImageMagick is now crippled by default. You have to change security policy to convert a .pdf to a .jpg.
I attempted to convert:
$ convert 20191030_Gohmert.pdf -resize 151 -quality 90 -background white 20191030_Gohmert_thumb.png
convert: not authorized `20191030_Gohmert.pdf' @ error/constitute.c/ReadImage/464.
convert: no images defined `20191030_Gohmert_thumb.jpg' @ error/convert.c/ConvertImageCommand/3149.
What? I'm not authorized to use convert??
Sadly, it seems that is so:
https://stackoverflow.com/questions/42928765/convertnot-authorized-aaaa-erro...
Changing the security policy file and I can now use it.
Do we really want to ship a broken imagemagick by default?
--
David C. Rankin, J.D.,P.E.
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On Wed, 30 Oct 2019 17:20:56 -0500 "David C. Rankin" <drankinatty@suddenlinkmail.com> wrote:
> Wow!,
> ImageMagick is now crippled by default. You have to change security policy to convert a .pdf to a .jpg.
> I attempted to convert:
> $ convert 20191030_Gohmert.pdf -resize 151 -quality 90 -background white 20191030_Gohmert_thumb.png
> convert: not authorized `20191030_Gohmert.pdf' @ error/constitute.c/ReadImage/464.
> convert: no images defined `20191030_Gohmert_thumb.jpg' @ error/convert.c/ConvertImageCommand/3149.
> What? I'm not authorized to use convert??
> Sadly, it seems that is so:
> https://stackoverflow.com/questions/42928765/convertnot-authorized-aaaa-erro...
> Changing the security policy file and I can now use it.
> Do we really want to ship a broken imagemagick by default?
I'm confused. If I'm reading correctly, the policy settings in ImageMagick (IM) are there to block an exploit in ghostscript (GS), which is used internally by IM. But even on Leap 15.0, I seem to be using v9.26 of GS and there's an update to 9.27 that I haven't applied yet. According to https://www.kb.cert.org/vuls/id/332928/ the underlying bug in GS was fixed in v9.24, so why are these restrictions to IM still in place?
On Wed, Oct 30, 2019 at 10:39:45PM +0000, Dave Howorth wrote:
> On Wed, 30 Oct 2019 17:20:56 -0500 "David C. Rankin" <drankinatty@suddenlinkmail.com> wrote:
> > Wow!,
> > ImageMagick is now crippled by default. You have to change security policy to convert a .pdf to a .jpg.
> > I attempted to convert:
> > $ convert 20191030_Gohmert.pdf -resize 151 -quality 90 -background white 20191030_Gohmert_thumb.png
> > convert: not authorized `20191030_Gohmert.pdf' @ error/constitute.c/ReadImage/464.
> > convert: no images defined `20191030_Gohmert_thumb.jpg' @ error/convert.c/ConvertImageCommand/3149.
> > What? I'm not authorized to use convert??
> > Sadly, it seems that is so:
> > https://stackoverflow.com/questions/42928765/convertnot-authorized-aaaa-erro...
> > Changing the security policy file and I can now use it.
> > Do we really want to ship a broken imagemagick by default?
> I'm confused. If I'm reading correctly, the policy settings in ImageMagick (IM) are there to block an exploit in ghostscript (GS), which is used internally by IM. But even on Leap 15.0, I seem to be using v9.26 of GS and there's an update to 9.27 that I haven't applied yet. According to https://www.kb.cert.org/vuls/id/332928/ the underlying bug in GS was fixed in v9.24, so why are these restrictions to IM still in place?
SUSE security still considers ghostscript still too risky to process postscript unguarded.
You can switch to a more relaxed policy locally if you want.
zypper in ImageMagick-config-7-upstream
(Will remove the more strict ImageMagick-config-7-SUSE)
Ciao, Marcus
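An added illustration, not part of any message in this thread and not SUSE's or ImageMagick's own code: the `not authorized` error raised in ReadImage means the active policy withholds the read right from the PDF coder, and the sketch below reports that state for each Ghostscript-backed coder in a policy.xml. The sample policy is constructed, and the coder list and the "last matching entry wins" evaluation order are assumptions of the example.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

# Coders this example treats as Ghostscript-backed (assumed list).
GS_CODERS = ("PS", "PS2", "PS3", "EPS", "PDF", "XPS")

# Constructed sample policy; not the contents of either SUSE config package.
SAMPLE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,XPS}"/>
  <policy domain="coder" rights="write" pattern="PDF"/>
</policymap>"""

def expand(pattern):
    """Expand one {a,b,c} group, which policy patterns may use and fnmatch lacks."""
    start, end = pattern.find("{"), pattern.find("}")
    if start == -1 or end < start:
        return [pattern]
    head, tail = pattern[:start], pattern[end + 1:]
    return [head + alt.strip() + tail for alt in pattern[start + 1:end].split(",")]

def coder_rights(policy_xml, coder):
    """Rights left for `coder`; a coder no entry matches keeps read and write."""
    rights = {"read", "write"}
    for pol in ET.fromstring(policy_xml).iter("policy"):
        if pol.get("domain", "").lower() != "coder":
            continue
        if any(fnmatch.fnmatchcase(coder, p) for p in expand(pol.get("pattern", ""))):
            granted = {r.strip().lower() for r in re.split(r"[|,]", pol.get("rights", ""))}
            if "all" in granted:
                granted = {"read", "write"}
            # Assumption: entries apply in file order and the last match wins.
            rights = granted & {"read", "write"}
    return rights

def audit(policy_xml):
    """Classify each Ghostscript-backed coder as readable, write-only or blocked."""
    report = {}
    for coder in GS_CODERS:
        r = coder_rights(policy_xml, coder)
        report[coder] = "readable" if "read" in r else "write-only" if "write" in r else "blocked"
    return report

if __name__ == "__main__":
    for coder, state in audit(SAMPLE_POLICY).items():
        print(f"{coder:4} {state}")  # a PDF input is refused unless PDF is "readable"
```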
On Thu, 31 Oct 2019 08:24:26 +0100 Marcus Meissner <meissner@suse.de> wrote:
> On Wed, Oct 30, 2019 at 10:39:45PM +0000, Dave Howorth wrote:
> > On Wed, 30 Oct 2019 17:20:56 -0500 "David C. Rankin" <drankinatty@suddenlinkmail.com> wrote:
> > > Wow!,
> > > ImageMagick is now crippled by default. You have to change security policy to convert a .pdf to a .jpg.
> > > I attempted to convert:
> > > $ convert 20191030_Gohmert.pdf -resize 151 -quality 90 -background white 20191030_Gohmert_thumb.png
> > > convert: not authorized `20191030_Gohmert.pdf' @ error/constitute.c/ReadImage/464.
> > > convert: no images defined `20191030_Gohmert_thumb.jpg' @ error/convert.c/ConvertImageCommand/3149.
> > > What? I'm not authorized to use convert??
> > > Sadly, it seems that is so:
> > > https://stackoverflow.com/questions/42928765/convertnot-authorized-aaaa-erro...
> > > Changing the security policy file and I can now use it.
> > > Do we really want to ship a broken imagemagick by default?
> > I'm confused. If I'm reading correctly, the policy settings in ImageMagick (IM) are there to block an exploit in ghostscript (GS), which is used internally by IM. But even on Leap 15.0, I seem to be using v9.26 of GS and there's an update to 9.27 that I haven't applied yet. According to https://www.kb.cert.org/vuls/id/332928/ the underlying bug in GS was fixed in v9.24, so why are these restrictions to IM still in place?
> SUSE security still considers ghostscript still too risky to process postscript unguarded.
> You can switch to a more relaxed policy locally if you want.
> zypper in ImageMagick-config-7-upstream
> (Will remove the more strict ImageMagick-config-7-SUSE)
> Ciao, Marcus
Thanks Marcus :)
On 10/31/19 7:05 AM, Dave Howorth wrote:
> On Thu, 31 Oct 2019 08:24:26 +0100 Marcus Meissner <meissner@suse.de> wrote:
> > ...
> > SUSE security still considers ghostscript still too risky to process postscript unguarded.
> > You can switch to a more relaxed policy locally if you want.
> > zypper in ImageMagick-config-7-upstream
> > (Will remove the more strict ImageMagick-config-7-SUSE)
> > Ciao, Marcus
> Thanks Marcus :)
What happened to the good old days when we were allowed to shoot ourselves in the foot. :-))
--
Ken Schneider
SuSe since Version 5.2, June 1998
On 10/31/2019 10:04 AM, Ken Schneider - openSUSE wrote:
> What happened to the good old days when we were allowed to shoot ourselves in the foot. :-))
Our feet hurt.... but we dealt with it.
Then there was the whole feets-rights movement, and feet-are-people-too campaign which resulted in the both-feet-protection-act becoming law and now we have to jump through hoops just to post a thumbnail of a letter faxed to Congress on the website :p
--
David C. Rankin, J.D.,P.E.
On 31/10/2019 23.00, David C. Rankin wrote:
> On 10/31/2019 10:04 AM, Ken Schneider - openSUSE wrote:
> > What happened to the good old days when we were allowed to shoot ourselves in the foot. :-))
> Our feet hurt.... but we dealt with it.
> Then there was the whole feets-rights movement, and feet-are-people-too campaign which resulted in the both-feet-protection-act becoming law and now we have to jump through hoops just to post a thumbnail of a letter faxed to Congress on the website :p
Yeah, I know. Life is a pain sometimes. You did not read the lists, this was spoken about a lot. Several threads. The first one I saw was when someone noticed that AppArmor became mandatory. Yes, something related to postscript had to be protected by AA in case it started shooting feet. AA can not be uninstalled. Whaaat? Well... It has to be so.
--
Cheers / Saludos,
Carlos E. R.
(from 15.1 x86_64 at Telcontar)
On 30/10/2019 23.20, David C. Rankin wrote:
> Wow!,
> ImageMagick is now crippled by default. You have to change security policy to convert a .pdf to a .jpg.
> ...
> Changing the security policy file and I can now use it.
> Do we really want to ship a broken imagemagick by default?
Yes. Has been explained a lot. There should be a readme.
--
Cheers / Saludos,
Carlos E. R.
(from 15.1 x86_64 at Telcontar)
participants (5)
- Carlos E. R.
- Dave Howorth
- David C. Rankin
- Ken Schneider - openSUSE
- Marcus Meissner