gnupg doc doesn't build due to ImageMagick default policy
Testing, Normal, Public

Description

Hi,

In the latest Ubuntu (docker image), the default policy for ImageMagick is to forbid SVG-to-PDF conversion with convert, causing the build to fail with:

Making all in doc
convert `test -f '/gnupg/doc/gnupg-module-overview.svg' || echo '/gnupg/doc/'`/gnupg/doc/gnupg-module-overview.svg gnupg-module-overview.png
convert `test -f '/gnupg/doc/gnupg-module-overview.svg' || echo '/gnupg/doc/'`/gnupg/doc/gnupg-module-overview.svg gnupg-module-overview.pdf
fig2dev -L png `test -f '/gnupg/doc/gnupg-card-architecture.fig' || echo '/gnupg/doc/'`/gnupg/doc/gnupg-card-architecture.fig gnupg-card-architecture.png
fig2dev -L pdf `test -f '/gnupg/doc/gnupg-card-architecture.fig' || echo '/gnupg/doc/'`/gnupg/doc/gnupg-card-architecture.fig gnupg-card-architecture.pdf
convert-im6.q16: not authorized `gnupg-module-overview.pdf' @ error/constitute.c/WriteImage/1037.

More info on ImageMagick policy files here. The policy changes were added to ImageMagick in response to several vulnerabilities reported here. Ubuntu advisory here.

marcus created this task. Dec 5 2018, 3:55 PM
werner added a subscriber: werner. Dec 6 2018, 9:29 AM
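The failure above comes from ImageMagick's policy.xml, where Ubuntu denies the Ghostscript-backed coders (PS, PDF, ...) after the vulnerabilities the reporter links. The script below is an added example, not part of this task or of GnuPG: it parses a constructed policy.xml fragment shaped like Ubuntu's, reports which rights a coder has, and, when run on a real machine, also inspects /etc/ImageMagick-6/policy.xml (the usual Ubuntu location; treat that path as an assumption). A `rights="none"` rule on `PDF` is exactly what turns `convert ... gnupg-module-overview.pdf` into the "not authorized" error.

```sh
#!/bin/sh
# Added example (not from the task thread or the GnuPG tree): inspect an
# ImageMagick policy.xml for coder rules that block writing PDF.
# The sample below is constructed; it mirrors the shape of the Ubuntu policy
# that denies the Ghostscript-backed coders while leaving SVG usable.
SAMPLE_POLICY='<policymap>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="read|write" pattern="SVG" />
</policymap>'

# coder_rights <policy-xml-text> <CODER>
# Prints the rights string of the first coder rule matching CODER, or nothing
# when no rule exists (ImageMagick then applies its defaults).
coder_rights() {
  printf '%s\n' "$1" | grep -i 'domain="coder"' | grep "pattern=\"$2\"" \
    | sed -n 's/.*rights="\([^"]*\)".*/\1/p' | head -n 1
}

# can_write <policy-xml-text> <CODER>
# Returns 0 when the coder may be written (no rule, or a rule granting write),
# 1 when a rule denies it. This is the check the doc build is implicitly making.
can_write() {
  rights=$(coder_rights "$1" "$2")
  case "$rights" in
    "" | *write*) return 0 ;;
    *)            return 1 ;;
  esac
}

# explain <policy-xml-text> <CODER>: human-readable verdict for one coder.
explain() {
  if can_write "$1" "$2"; then
    printf '%s: write allowed (rights=%s)\n' "$2" "${rights:-default}"
  else
    printf '%s: write DENIED (rights=%s); convert to .%s will fail with "not authorized"\n' \
      "$2" "$rights" "$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
  fi
}

# Stand-alone run: first the constructed sample, then the installed policy if
# this machine has one (path is the common Ubuntu location, an assumption here).
for coder in PDF SVG PNG; do explain "$SAMPLE_POLICY" "$coder"; done
REAL_POLICY=/etc/ImageMagick-6/policy.xml
if [ -r "$REAL_POLICY" ]; then
  echo "--- installed policy: $REAL_POLICY"
  explain "$(cat "$REAL_POLICY")" PDF
fi
```

If the installed policy denies PDF, the defensible fix on a maintainer machine is to confirm the system Ghostscript carries the relevant security fixes and then relax only the PDF rule (for example to `rights="read|write"`), rather than deleting the policy file; for everyone else the release tarball already ships the generated figures, as noted further down in this task.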

ImageMagick version with that regression?

werner triaged this task as Normal priority.
gniibe added a subscriber: gniibe. Dec 17 2018, 10:57 AM

It seems it's Ubuntu specific: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1796563

I don't know the reason why it's still like that after Ghostscript fix.

gniibe changed the task status from Open to Testing. Fri, Jul 12, 1:34 PM

I disabled the dependency rules for the figures (they are only enabled for maintainers).

It is only enabled with --enable-maintainer-mode, whose users should be responsible for the .svg file security problem, if any, and should have a secure version of ImageMagick or Ghostscript.

It's unfortunate that the version of Ubuntu was released in such a situation, but that's not our fault, and this handling is what we can do.

The distributed .tar.bz2 doesn't need the dependency rules as the generated files are also included, so this is no harm for people who build from the tarball.