Topics

Using Imagemagick (Ghostscript) on cflinuxfs3 #cf

Markus Tanner
 

Hi

I'm using the nodejs-buildpack together with the cflinuxfs3 stack. I would like to convert PDF documents to JPEG images.
In order to do this I'm using Imagemagick together with Ghostscript.

cflinuxfs3 uses the following Ubuntu package: 6.9.7.4+dfsg-16ubuntu6.4
Unfortunately there's a security issue with Ghostscript in this version. Because of that the Ghostscript handled types are disabled in policy.xml.
See https://launchpad.net/ubuntu/+source/imagemagick/8:6.9.7.4+dfsg-16ubuntu6.4

I'd like to override the policy.xml (/etc/ImageMagick-6/policy.xml). 
But I would need root permissions for that, which I don't have.

Unfortunately my CF provider couldn't help me with that problem.
Does anyone here know a workaround for this?

Thanks in advance
Markus


Daniel Mikusa
 

This seems to indicate that ImageMagick will search in multiple locations.


When I run that on cflinuxfs3, I get..

  Searching for configure file: "/usr/share/ImageMagick-6.7.7/magic.xml"
  Searching for configure file: "/usr/lib/x86_64-linux-gnu/ImageMagick-6.7.7/config/magic.xml"
  Searching for configure file: "/etc/ImageMagick/magic.xml"
  Searching for configure file: "/usr/share/doc/ImageMagick-6.7.7/magic.xml"
  Searching for configure file: "/home/vcap/.magick/magic.xml"

I would try putting your policy file into `/home/vcap/.magick/`. That's the only path that will be writable to the vcap user.

Dan


On Wed, Jan 30, 2019 at 8:03 AM Markus Tanner <markus.tanner@...> wrote:
Hi

I'm using the nodejs-buildpack together with the cflinuxfs3 stack. I would like to convert PDF documents to JPEG images.
In order to do this I'm using Imagemagick together with Ghostscript.

cflinuxfs3 uses the following Ubuntu package: 6.9.7.4+dfsg-16ubuntu6.4
Unfortunately there's a security issue with Ghostscript in this version. Because of that the Ghostscript handled types are disabled in policy.xml.
See https://launchpad.net/ubuntu/+source/imagemagick/8:6.9.7.4+dfsg-16ubuntu6.4

I'd like to override the policy.xml (/etc/ImageMagick-6/policy.xml). 
But I would need root permissions for that, which I don't have.

Unfortunately my CF provider couldn't help me with that problem.
Does anyone here know a workaround for this?

Thanks in advance
Markus


Markus Tanner
 

Thanks for your suggestion.
I've tried something similar already.

Unfortunately overrides only work if they are more restrictive.

The default config looks like this:
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PDF" />

I would need to change it to this:
  <policy domain="coder" rights="read|write" pattern="PS" />
  <policy domain="coder" rights="read|write" pattern="PDF" />

But changing the policy only works other way round, from read|write to none.
So putting the policy in ~/.magick/ unfortunately has no effect.

Mike Youngstrom
 

We ran into the same problem and had to do a custom build of imagemagick and distribute it with the application.  Later versions of cflinuxfs2 have the same security fix.  If anyone can come up with a better solution I'd like to hear it.

Mike

On Wed, Jan 30, 2019 at 7:12 AM Markus Tanner <markus.tanner@...> wrote:
Thanks for your suggestion.
I've tried something similar already.

Unfortunately overrides only work if they are more restrictive.

The default config looks like this:
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PDF" />

I would need to change it to this:
  <policy domain="coder" rights="read|write" pattern="PS" />
  <policy domain="coder" rights="read|write" pattern="PDF" />

But changing the policy only works other way round, from read|write to none.
So putting the policy in ~/.magick/ unfortunately has no effect.