Ghostscript security issues and hardening ImageMagick and GraphicsMagick

  • 7023657
  • 21-Jan-2019
  • 08-Feb-2019

Environment

SUSE Linux Enterprise Server 15
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 11

Situation

Researchers have discovered various security issues in the ghostscript PostScript interpreter, which could lead to crashes or even code execution. The known issues have been fixed in ghostscript releases 9.25 and 9.26 respectively. However, due to the complexity of the language and the interpreter codebase, it is very likely that more security issues will surface.

The ghostscript interpreter is used by ImageMagick and GraphicsMagick to convert Postscript and similar formats into images.

As both ImageMagick and GraphicsMagick are commonly used in data processing pipelines that process untrusted input, the risk of exploitation was, and still is, high.

This affects all customers processing PostScript files using ImageMagick or GraphicsMagick.

Resolution

Due to the above risks, SUSE has decided to temporary disable the ghostscript using decoders by default, either by using the policy.xml config file, or by moving away the coders.

Re-enabling disabled codecs :

To re-enable the codecs on SUSE Linux Enterprise 12 and 15, adjust the following lines to use "readwrite" instead of "write":

<policy domain="coder" rights="write" pattern="PS" />
<policy domain="coder" rights="write" pattern="PS2" />
<policy domain="coder" rights="write" pattern="PS3" />
<policy domain="coder" rights="write" pattern="PDF" />
<policy domain="coder" rights="write" pattern="XPS" />
<policy domain="coder" rights="write" pattern="EPS" />

In the following files :
  • for SUSE Linux Enterprise 15: 
/etc/ImageMagick-7_Q16HDRI6/policy.xml
  • for SUSE Linux Enterprise 12: 
/etc/ImageMagick-6/policy.xml

For SUSE Linux Enterprise 11, with ImageMagick, the respective coders were moved from :

/usr/lib64/ImageMagick-6.4.3/modules-Q16/coders/  to 
/usr/lib64/ImageMagick-6.4.3/modules-Q16/coders/vulnerable

For SUSE Linux Enterprise SDK 11, with GraphicsMagick, the respective coders were moved from :

/usr/lib64/GraphicsMagick-1.2.5/modules-Q8/coders/   to 
/usr/lib64/GraphicsMagick-1.2.5/modules-Q8/coders/vulnerable

To re-enable these coders for ImageMagick and/or GraphicsMagick, it is possible to add the path

/usr/lib64/ImageMagick-6.4.3/modules-Q16/coders/vulnerable

to the
MAGICK_CODER_MODULE_PATH

environment variable. Alternative it is possible to manually move these coders back to the /coders/ directory.

Cause

Additional Information

SUSE is working on further hardening and confining the ghostscript conversion, especially in ImageMagick and GraphicsMagick, so the default disablement might be lifted in the future.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.