:: Re: [DNG] Security Policies
Góra strony
Delete this message
Reply to this message
Autor: Benjamin Riefenstahl
Data:  
Dla: Ken Dibble
CC: dng
Temat: Re: [DNG] Security Policies
Hi Ken,

Ken Dibble writes:
>>> The first thought was the 'convert' tool from imagemagick.?? It
>>> would not allow me to change the jpegs to pdf.???? The reason given
>>> was imagemagick security policy.


> My post was more about the insanity behind this and whether anyone is
> going to do anything about it.


Actually, there was a vulerability found some years ago where using
ImageMagick (or rather Ghostscript, the delegate for PDF and Postscript)
was a component of the scenario. See
<https://stackoverflow.com/questions/52998331/imagemagick-security-policy-pdf-blocking-conversion>,
<https://www.kb.cert.org/vuls/id/332928/>.

I'd say the problem was real for PDF as input (like random stuff you
find on the internet), but I do not think it was real for PDF as output.
I'm guessing that ImageMagick only had the rather blunt tool of
disabling PDF and PS altogether to mitigate here.

See <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964090> about the
state of things in Debian.

Hope this helps,
benny