tech-pkg archive


misguided ImageMagick policy.xml settings regarding PS/PDF and ignorance about other problematic coders



Hi,

I got pointed at the ImageMagick+ghostscript situation while testing a
„fresh user“ pkgsrc experience on an Ubuntu laptop (using current CVS).

I tried to install ImageMagick and it failed because the default
dependency of ghostscript-agpl is not compatible with the default value
of ACCEPTED_LICENSES. This is an issue of its own that we hopefully can
address, but it is very comical together with the issue I address here:

We have a problematic dependency on ghostscript-agpl, while the patch on
ImageMagick's policy.xml disables any use of ghostscript anyway. Without
user intervention, we could just as well build ImageMagick without this
optional dependency by default to the same effect.

But about this policy.xml change. It does this:

<policy domain="coder" rights="none" pattern="PS" />

I think that is not sensible. The issue is the ghostscript parser being
invoked on unexpected and unsafe input. Is it not? Apart from the
respective bugs being fixed since this addition, care on that front
might be still sensible. But I advocate for a change like this:

<policy domain="coder" rights="write" pattern="PS" />

What is the scenario that makes _creating_ postscript and related files
dangerous? This default of ‘none’ is very annoying for me, for example
when running a script that scans a dozen pages of paper into bitmaps
and then hopes to rescale and combine them into PS using ImageMagick in
one go. The scans go through, the machine crunces the numbers to
optimize the images … and then the thing falls flat because convert is
not allowed to work on my input to produce desired output.


There are other coders that make me more afraid than PS … I see none of
the settings recommended at

	https://imagetragick.com/

being implemented in pkgsrc. I find it appalling that reading a local
image file triggers random file system and even remote access without
warning or explicit command-line switch to allow it. Heck, I think it
is much more inappropriate for something like

	convert https://mpg123.org/pics/logo-current.svg mpg123.png

to even exist as an option, as opposed to fetching the file with wget
or curl and then feeding to convert. The line above produces this on
Ubuntu's convert:

convert-im6.q16: attempt to perform an operation not allowed by the security policy `HTTPS' @ error/delegate.c/InvokeDelegate/1726.
convert-im6.q16: unable to open file `': No existe el archivo o el directorio @ error/constitute.c/ReadImage/599.
convert-im6.q16: no images defined `mpg123.png' @ error/convert.c/ConvertImageCommand/3258.

As a bonus, the png created from the svg by pkgsrc's convert looks
nicely broken. SVG reading as such is allowed in Ubuntu.

	wget https://mpg123.org/pics/logo-current.svg
	convert logo-current.svg mpg123.png

That gives me a correctly generated png. The SVG renderer in pkgsrc's
ImageMagick is also broken in comparison:-/

But that aside, do you

a) agree to commit the attached patch as a first step?
b) wonder about adding more limitations like disabling HTTPS?

On point b), I got a funny note on how little people think about those
config mitigations. You noted that HTTPS is disabled. Observe, with
Ubuntu's convert:

$ convert https://mpg123.org/pics/logo-current.svg mpg123.png
convert-im6.q16: attempt to perform an operation not allowed by the security policy `HTTPS' @ error/delegate.c/InvokeDelegate/1726.
convert-im6.q16: unable to open file `': No existe el archivo o el directorio @ error/constitute.c/ReadImage/599.
convert-im6.q16: no images defined `mpg123.png' @ error/convert.c/ConvertImageCommand/3258.
$ convert http://mpg123.org/pics/logo-current.svg mpg123.png
# just fine

So HTTPS is bad, HTTP is good! Great job securing the world!


Alrighty then,

Thomas

-- 
Dr. Thomas Orgis
HPC @ Universität Hamburg
? imagemagick-policy.patch
Index: distinfo
===================================================================
RCS file: /cvsroot/pkgsrc/graphics/ImageMagick/distinfo,v
retrieving revision 1.246
diff -u -r1.246 distinfo
--- distinfo	18 Feb 2021 10:08:39 -0000	1.246
+++ distinfo	3 Apr 2021 10:30:18 -0000
@@ -4,4 +4,4 @@
 RMD160 (ImageMagick-7.0.11-0.tar.xz) = 571101e186939db1e46397ee524fb0adfb1b5c23
 SHA512 (ImageMagick-7.0.11-0.tar.xz) = 484a1f53c0d49359fc41d681ddb3fe5bcd0fa8a9b89db1f6f19df5cba0596ab1d8c035d6e7e8d000370ebdd040c6a50ca3d867cf6e50ac29c03471bc34bb4e0e
 Size (ImageMagick-7.0.11-0.tar.xz) = 10147348 bytes
-SHA1 (patch-config_policy.xml) = 55b8f30200a1e790543f38bf850026100ed5fdca
+SHA1 (patch-config_policy.xml) = 97933d12028a9673ebf60c868f9a931c4cae2d76
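Review bot: the new SHA1 on the `+SHA1 (patch-config_policy.xml)` line is only valid for the exact bytes of the patch file that follows; if that patch is touched again before commit (for instance to reword its comment header), regenerate this line with `make makepatchsum` instead of editing the hash by hand, otherwise the package will refuse to apply the patch.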
Index: patches/patch-config_policy.xml
===================================================================
RCS file: /cvsroot/pkgsrc/graphics/ImageMagick/patches/patch-config_policy.xml,v
retrieving revision 1.8
diff -u -r1.8 patch-config_policy.xml
--- patches/patch-config_policy.xml	4 Jan 2021 10:20:15 -0000	1.8
+++ patches/patch-config_policy.xml	3 Apr 2021 10:30:18 -0000
@@ -14,12 +14,12 @@
 +    -- Disable ghostscript coders as suggested by VU#332928
 +    --  <https://www.kb.cert.org/vuls/id/332928>
 +    -->
-+  <policy domain="coder" rights="none" pattern="PS" />
-+  <policy domain="coder" rights="none" pattern="PS2" />
-+  <policy domain="coder" rights="none" pattern="PS3" />
-+  <policy domain="coder" rights="none" pattern="EPS" />
-+  <policy domain="coder" rights="none" pattern="PDF" />
-+  <policy domain="coder" rights="none" pattern="XPS" />
++  <policy domain="coder" rights="write" pattern="PS" />
++  <policy domain="coder" rights="write" pattern="PS2" />
++  <policy domain="coder" rights="write" pattern="PS3" />
++  <policy domain="coder" rights="write" pattern="EPS" />
++  <policy domain="coder" rights="write" pattern="PDF" />
++  <policy domain="coder" rights="write" pattern="XPS" />
 +
    <!-- <policy domain="system" name="shred" value="2"/> -->
    <!-- <policy domain="system" name="precision" value="6"/> -->
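Review bot: the comment kept as context at the top of this hunk (`-- Disable ghostscript coders as suggested by VU#332928`) no longer matches the entries below it once the rights go from "none" to "write"; reword it to say the coders are restricted to writing so that reading, the path that hands untrusted input to ghostscript, stays blocked, and keep the VU#332928 reference so the reason for the restriction is still documented.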

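To make the policy questions raised in the mail checkable (which rights the PS family keeps, which imagetragick.com coders are left undenied, and whether HTTP slips past a rule that only names HTTPS), here is an added example that audits a policy.xml. It is not code from the mail, from pkgsrc or from ImageMagick. Assumptions: SAMPLE_POLICY is a constructed fragment combining the patch's "write" entries with a delegate rule for HTTPS of the kind Ubuntu's error message implies; IMAGETRAGICK_DENY is the coder list published at imagetragick.com; REMOTE_FETCH adds HTTP and URL because the mail shows HTTP fetching still working; the matching logic approximates ImageMagick's rule that a request is denied when any matching entry in the domain omits the requested right.

```python
"""Audit an ImageMagick policy.xml for coder/delegate restrictions.
Added example for this page; not from the mail, pkgsrc or ImageMagick."""
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample policy (assumption: not a real distribution file).
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="delegate" rights="none" pattern="HTTPS"/>
  <policy domain="coder" rights="write" pattern="PS"/>
  <policy domain="coder" rights="write" pattern="PS2"/>
  <policy domain="coder" rights="write" pattern="PS3"/>
  <policy domain="coder" rights="write" pattern="EPS"/>
  <policy domain="coder" rights="write" pattern="PDF"/>
  <policy domain="coder" rights="write" pattern="XPS"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
</policymap>
"""

# Coders imagetragick.com recommends denying outright.
IMAGETRAGICK_DENY = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL",
                     "TEXT", "SHOW", "WIN", "PLT")
# Names through which convert can reach the network (assumption, see lead-in).
REMOTE_FETCH = ("HTTP", "HTTPS", "URL")
PS_FAMILY = ("PS", "PS2", "PS3", "EPS", "PDF", "XPS")


def parse_rules(policy_xml):
    """Return (domain, pattern, granted-rights) triples for entries carrying a
    rights attribute; resource/system entries use name/value and are skipped.
    policy.xml is a trusted local file, so the stdlib parser is acceptable."""
    rules = []
    for p in ET.fromstring(policy_xml).iter("policy"):
        rights = p.get("rights")
        if rights is None:
            continue
        granted = {r.strip().lower() for r in rights.split("|")} - {"none"}
        rules.append((p.get("domain"), p.get("pattern", "*"), granted))
    return rules


def _alternatives(pattern):
    """Expand one level of {A,B,C} alternatives, which ImageMagick patterns allow."""
    if "{" in pattern and "}" in pattern:
        head, rest = pattern.split("{", 1)
        body, tail = rest.split("}", 1)
        return [head + alt + tail for alt in body.split(",")]
    return [pattern]


def is_authorized(rules, domain, name, right):
    """Deny when any matching entry in the domain does not grant `right`
    (approximation of ImageMagick's check; names compared case-insensitively)."""
    for dom, pattern, granted in rules:
        if dom != domain or right in granted:
            continue
        if any(fnmatch.fnmatchcase(name.upper(), alt.upper())
               for alt in _alternatives(pattern)):
            return False
    return True


def coder_rights(rules, coder):
    """Which of read/write the coder domain still allows for this coder."""
    return {r for r in ("read", "write") if is_authorized(rules, "coder", coder, r)}


def missing_imagetragick_denials(rules):
    """Coders from the imagetragick list not fully denied in the coder domain
    (a delegate-only rule, as for HTTPS in the sample, does not count)."""
    return [c for c in IMAGETRAGICK_DENY if coder_rights(rules, c)]


def remote_fetch_gaps(rules):
    """Remote-fetch names that neither a coder nor a delegate entry blocks for
    reading: the HTTP-vs-HTTPS gap the mail demonstrates."""
    return [n for n in REMOTE_FETCH
            if is_authorized(rules, "coder", n, "read")
            and is_authorized(rules, "delegate", n, "read")]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_POLICY)
    for coder in PS_FAMILY:
        print(f"{coder:<4} coder rights: {sorted(coder_rights(rules, coder)) or 'none'}")
    print("imagetragick denials missing:", missing_imagetragick_denials(rules))
    print("remote fetch still open:", remote_fetch_gaps(rules))
```

Run against a real file by replacing SAMPLE_POLICY with the contents of the policy.xml that `convert -list policy` reports as active; on the sample, the PS family comes back write-only (the mail's requested behaviour), seven imagetragick coders are still undenied, and HTTP and URL remain open while HTTPS is blocked, which is exactly the inconsistency shown in the Ubuntu session above.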
