On Wed, 1 Sep 2021 at 08:21, Tomas Pospisek <t...@sourcepole.ch> wrote:
>
> Dear ImageMagick Packaging Team,
>
> Short version: is it safe today to reenable PDF/PS conversion again these
> days?
>
> Long version:
>
> Today I was affected by the problem reported in [1], notably:
>
> convert: attempt to perform an operation not allowed by the security
> policy `PDF' @ error/constitute.c/IsCoderAuthorized/408.
>
> When I check /etc/ImageMagick-6/policy.xml I see that plenty of
> conversions to/from (?) PDF/(E)PS* are apparently disabled by default as
> delivered by Debian. Which actually covers part of the requests in this
> (#907336) bug report.
>
> The mentioned Stack Overflow Q&A however mentions that:
>
> > Make sure ghostscript is updated kb.cert.org/vuls/id/332928
>
> Which refers to a fix in Ghostscript 9.24 which is ages ago when compared
> to the Ghostscript version 9.53 currently in Debian stable.
>
> I have *zero* insight into the issues leading to PDF/PS conversion being
> disabled in Debian and if they still are relevant and still are of
> the same concern as they were at the times before Ghostscript 9.24.
>
> Or posed differently: does it make sense to reevaluate these issues and -
> if it turns out they are of no concern any more today - could the
> respective converters be re-enabled by default again?

No, it will not be re-enabled by default.

The best will be to have a debconf question and let the user accept the risk.

PostScript is Turing complete, so it is easy to do a DoS.

It should be documented.

Patch welcome.

Bastien

> Thanks a lot for maintaining ImageMagick!
>
> Greetings,
> *t
>
> [1]
> https://stackoverflow.com/questions/52998331/imagemagick-security-policy-pdf-blocking-conversion
>
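
One way to check which Ghostscript-backed coders a given policy.xml leaves enabled, as an added example that is not part of the original messages or of the ImageMagick or Debian code. The sample policy is constructed, the coder list is an assumption, and the script assumes that within one file a later matching entry overrides an earlier one.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

# Constructed sample for illustration; not a copy of any distribution's
# /etc/ImageMagick-6/policy.xml. The second PDF entry mimics a local override.
SAMPLE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS}"/>
  <policy domain="coder" rights="none" pattern="PDF"/>
  <policy domain="coder" rights="read|write" pattern="PDF"/>
  <policy domain="coder" rights="read" pattern="XPS"/>
</policymap>"""

# Assumed list of coders that ImageMagick delegates to Ghostscript.
GS_CODERS = ["PS", "PS2", "PS3", "EPS", "PDF", "XPS"]

def expand_braces(pattern):
    """Expand {A,B} alternation, which fnmatch does not understand."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    out = []
    for alt in m.group(1).split(","):
        out.extend(expand_braces(head + alt.strip() + tail))
    return out

def parse_rights(text):
    """Turn 'read | write' into {'read', 'write'}; 'none' becomes an empty set."""
    rights = {r.strip().lower() for r in text.split("|")} - {""}
    return set() if "none" in rights else rights

def coder_rights(policy_xml, coders=GS_CODERS):
    """Return {coder: rights set}; None means no coder entry matched at all."""
    result = {c: None for c in coders}
    for node in ET.fromstring(policy_xml).iter("policy"):
        if node.get("domain", "").lower() != "coder":
            continue
        globs = expand_braces(node.get("pattern", ""))
        for coder in coders:
            if any(fnmatch.fnmatchcase(coder, g) for g in globs):
                # Assumption: the last matching entry in the file wins.
                result[coder] = parse_rights(node.get("rights", ""))
    return result

def enabled_coders(policy_xml):
    """Coders not fully blocked: no matching entry, or any right granted."""
    found = coder_rights(policy_xml)
    return sorted(c for c, r in found.items() if r is None or r)
```

Running `enabled_coders()` on the contents of the installed policy file shows at a glance whether a local edit has reopened PDF or PostScript handling.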