Page MenuHome GnuPG
Create Task
Maniphest T4280

gnupg doc doesn't build due to ImageMagick default policy
Closed, ResolvedPublic
Actions

Description

Hi,

In latest Ubuntu (docker image), the default policy for ImageMagick is to forbid SVG-to-PDF conversion with convert, causing the build to fail with:

Making all in doc
convert `test -f '/gnupg/doc/gnupg-module-overview.svg' || echo '/gnupg/doc/'`/gnupg/doc/gnupg-module-overview.svg gnupg-module-overview.png
convert `test -f '/gnupg/doc/gnupg-module-overview.svg' || echo '/gnupg/doc/'`/gnupg/doc/gnupg-module-overview.svg gnupg-module-overview.pdf
fig2dev -L png `test -f '/gnupg/doc/gnupg-card-architecture.fig' || echo '/gnupg/doc/'`/gnupg/doc/gnupg-card-architecture.fig gnupg-card-architecture.png
fig2dev -L pdf `test -f '/gnupg/doc/gnupg-card-architecture.fig' || echo '/gnupg/doc/'`/gnupg/doc/gnupg-card-architecture.fig gnupg-card-architecture.pdf
convert-im6.q16: not authorized `gnupg-module-overview.pdf' @ error/constitute.c/WriteImage/1037.

More info on ImageMagick policy files here. The policy changes were added to ImageMagick in response to several vulnerabilities reported here. Ubuntu advisory here.

Revisions and Commits

rG GnuPG
rG58bab1a8784b doc: Dependencies for figures are only for maintainers.

Event Timeline

marcus created this task.Dec 5 2018, 3:55 PM
werner added a subscriber: werner.Dec 6 2018, 9:29 AM

ImageMagick version with that regression?

werner triaged this task as Normal priority.Dec 12 2018, 9:16 AM
werner added projects: Info Needed, Documentation, gnupg.
gniibe added a subscriber: gniibe.Dec 17 2018, 10:57 AM

It seems it's Ubuntu specific: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1796563

I don't know the reason why it's still like that after Ghostscript fix.

matheusmoreira added a subscriber: matheusmoreira.May 9 2019, 8:22 PM
gniibe added a commit: rG58bab1a8784b: doc: Dependencies for figures are only for maintainers..Jul 12 2019, 10:25 AM
gniibe changed the task status from Open to Testing.Jul 12 2019, 1:34 PM

I disabled the dependency rules for the figures (it's only enabled for maintainers).

It is only enabled with --enable-maintainer-mode, who should be responsible to the .svg file security problem, if any, and should have secure version of ImageMagick or Ghostscript.

It's unfortunate that the version of Ubuntu was released in such a situation, but that's not our fault, and this handling is what we can do.

Distributed .tar.bz2 doesn't need the dependency rules as the generated files are also included, so, this is no harm for people who build from the tar ball.

gniibe closed this task as Resolved.Dec 6 2019, 3:04 AM
gniibe claimed this task.