On 10-07-19 at 15:30, Pavel Sanda wrote:
On Wed, Jul 03, 2019 at 03:43:06PM +0200, Cor Blom wrote:
Dear LyX devs,

Because of the following bug

https://bugzilla.opensuse.org/show_bug.cgi?id=1139928

I have become aware of the strict security settings in openSUSE which
limit the capabilities of ImageMagick. There is an alternative setting that
the user can activate, but most users will not know this.

Is this security measure a side effect of the ghostscript problems from last September?

As far as I understood, the total ban of conversions was just a temporary measure
which should be lifted once the individual CVEs were resolved. I believe both
upstream and other distros already lifted it.

I am just writing this, so you are aware of this. I don't know a solution.

In decreasing order:
- Can't you just file a suse-related bug to remove the ban?
- Can't you pull/set different IM config iff lyx is installed?
- Can't you trigger some message if lyx is installed so the user at least knows
   how to fix it?

If none of this works, we could add a note to our release notes
that users of openSUSE need to fix IM settings.

Pavel


The following message describes the situation for openSUSE Leap 15.0, but it is also true for 15.1 and Tumbleweed:

https://lists.opensuse.org/opensuse-security-announce/2019-05/msg00010.html

In short: the user can install an alternative configuration for IM that enables PostScript-related stuff (and other things), following the upstream IM settings. The default SUSE settings are very strict.

I have added a README.SUSE to the package and refer to that in the description that explains the situation and tells the user the options he has. It has been discussed on the openSUSE Factory mailing list, but the suggestion how to inform users is what I have done. See:

https://build.opensuse.org/request/show/713564

I came across this because a bug was filed that eps preview was not working. This is not really my area of expertise. As far as I can see, the situation in (open)SUSE will remain as it is. This means the user either installs an alternative configuration for ImageMagick, or edits security policy settings for IM manually.

In general, PostScript does not work out of the box on openSUSE for security reasons nowadays, but the user can enable this by installing additional packages.

I hope this gives enough information. There is not much more that can be done. Maybe this information can be added to the LyX wiki also?

Kind regards,

Cor
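
To check which PostScript-family coders an ImageMagick policy file blocks, the following added example (not part of the original messages, and not openSUSE or LyX code) evaluates the `coder` entries of a `policy.xml`. The sample policy is constructed for illustration, and the evaluation model (the last matching entry wins, single-level `{A,B}` patterns only) is a simplifying assumption.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample policy, not copied from any distribution's policy.xml.
SAMPLE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF}"/>
  <policy domain="coder" rights="read | write" pattern="PDF"/>
  <policy domain="coder" rights="write" pattern="XPS"/>
</policymap>"""

def expand(pattern):
    """Expand one {A,B,C} brace list into separate glob patterns."""
    if "{" in pattern and "}" in pattern:
        head, rest = pattern.split("{", 1)
        body, tail = rest.split("}", 1)
        return [head + alt.strip() + tail for alt in body.split(",")]
    return [pattern]

def parse_rights(text):
    """'read | write' -> {'read', 'write'}; 'none' -> empty set."""
    return {r.strip().lower() for r in text.split("|")} - {"none", ""}

def coder_rights(policy_xml, coder):
    """Rights left for a coder, or None if no coder entry matches it.
    Assumption: when several entries match, the last one wins."""
    result = None
    for pol in ET.fromstring(policy_xml).iter("policy"):
        if pol.get("domain") != "coder":
            continue  # resource, delegate, path entries are out of scope here
        patterns = expand(pol.get("pattern", ""))
        if any(fnmatch.fnmatchcase(coder, p) for p in patterns):
            result = parse_rights(pol.get("rights", "none"))
    return result

def blocked_for_read(policy_xml, coders=("PS", "EPS", "PDF", "XPS")):
    """Coders that a preview conversion could not read under this policy."""
    blocked = []
    for coder in coders:
        rights = coder_rights(policy_xml, coder)
        if rights is not None and "read" not in rights:
            blocked.append(coder)
    return blocked

if __name__ == "__main__":
    print(blocked_for_read(SAMPLE_POLICY))
```

On an installed system, `identify -list policy` prints the policy ImageMagick actually loaded, which is the authoritative view.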

