Page 1 of 1

Ghostscript/ImageMagic: serious vulnerability (patched)

Posted: 23 Aug 2018 01:12
by ilu
From ... il?id=1640:
I sent the following mail to the oss-security mailing list:
These are critical and trivial remote code execution bugs in things like ImageMagick, Evince, GIMP, and most other PDF/PS tools.
... <snip>
TL;DR: I *strongly* suggest that distributions start disabling PS, EPS, PDF and XPS coders in policy.xml by default.
Is the workaround applied to /etc/ImageMagick/policy.xml - /etc/ImageMagick-6/ in our case?

Code: Select all

    <policy domain="coder" rights="none" pattern="PS" />
    <policy domain="coder" rights="none" pattern="PS2" />
    <policy domain="coder" rights="none" pattern="PS3" />
    <policy domain="coder" rights="none" pattern="EPS" />
    <policy domain="coder" rights="none" pattern="PDF" />
    <policy domain="coder" rights="none" pattern="XPS" />
PDF is a generally dangerous file format by design. Never open PDFs from untrusted sources!

Re: Ghostscript/ImageMagic: serious vulnerability

Posted: 23 Aug 2018 06:46
by Arjen Balfoort
If we set these as suggested, does it mean that users won't be able to create/edit those file types?

Re: Ghostscript/ImageMagic: serious vulnerability

Posted: 23 Aug 2018 16:07
by ilu
Not with imagemagick or any tools that use it - I think,
I'm not sure what to make of his suggestion. He was originally talking about this on some mailinglist for distro maintainers (no idea which one). So I think his advice is targeted at desktop systems not just servers. I'll discuss this tonight (edit: no results).

We might wait for a fix but I'm not sure that'll be coming soon. I can't even find the bug at debian. No reaction from ghostscript developers, it's not in their bugs database.

We might say. PDFs are already that dangerous by design that we don't care about some CVE. even suggests to remove ghostscript. That would seriously impact everybodies workflow.

More info: ... ms/136800/

Re: Ghostscript/ImageMagic: serious vulnerability

Posted: 08 Sep 2018 17:55
by ilu
GS got patched today, so prpblem solved.