gnupg doc doesn't build due to ImageMagick default policy
Open, NormalPublic



In latest Ubuntu (docker image), the default policy for ImageMagick is to forbid SVG-to-PDF conversion with convert, causing the build to fail with:

Making all in doc
convert `test -f '/gnupg/doc/gnupg-module-overview.svg' || echo '/gnupg/doc/'`/gnupg/doc/gnupg-module-overview.svg gnupg-module-overview.png
convert `test -f '/gnupg/doc/gnupg-module-overview.svg' || echo '/gnupg/doc/'`/gnupg/doc/gnupg-module-overview.svg gnupg-module-overview.pdf
fig2dev -L png `test -f '/gnupg/doc/gnupg-card-architecture.fig' || echo '/gnupg/doc/'`/gnupg/doc/gnupg-card-architecture.fig gnupg-card-architecture.png
fig2dev -L pdf `test -f '/gnupg/doc/gnupg-card-architecture.fig' || echo '/gnupg/doc/'`/gnupg/doc/gnupg-card-architecture.fig gnupg-card-architecture.pdf
convert-im6.q16: not authorized `gnupg-module-overview.pdf' @ error/constitute.c/WriteImage/1037.

More info on ImageMagick policy files here. The policy changes were added to ImageMagick in response to several vulnerabilities reported here. Ubuntu advisory here.

marcus created this task.Dec 5 2018, 3:55 PM
werner added a subscriber: werner.Dec 6 2018, 9:29 AM

ImageMagick version with that regression?

werner triaged this task as Normal priority.
gniibe added a subscriber: gniibe.Dec 17 2018, 10:57 AM

It seems it's Ubuntu specific:

I don't know the reason why it's still like that after Ghostscript fix.