SUSE Support

Here When You Need Us

Ghostscript security issues and hardening ImageMagick and GraphicsMagick

This document (7023657) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 15
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 11

Situation

Researchers have discovered various security issues in the ghostscript PostScript interpreter, which could lead to crashes or even code execution. The known issues have been fixed in ghostscript releases 9.25 and 9.26 respectively. However, due to the complexity of the language and the interpreter codebase, it is very likely that more security issues will surface.

The ghostscript interpreter is used by ImageMagick and GraphicsMagick to convert Postscript and similar formats into images.

As both ImageMagick and GraphicsMagick are commonly used in data processing pipelines that process untrusted input, the risk of exploitation was, and still is, high.

This affects all customers processing PostScript files using ImageMagick or GraphicsMagick.

Resolution

Due to the above risks, SUSE has decided to temporary disable the ghostscript using decoders by default, either by using the policy.xml config file, or by moving away the coders.

Re-enabling disabled codecs :

To re-enable the codecs on SUSE Linux Enterprise 12 and 15, adjust the following lines to use "readwrite" instead of "write":

<policy domain="coder" rights="write" pattern="PS" />
<policy domain="coder" rights="write" pattern="PS2" />
<policy domain="coder" rights="write" pattern="PS3" />
<policy domain="coder" rights="write" pattern="PDF" />
<policy domain="coder" rights="write" pattern="XPS" />
<policy domain="coder" rights="write" pattern="EPS" />

In the following files :
  • for SUSE Linux Enterprise 15: 
/etc/ImageMagick-7_Q16HDRI6/policy.xml
  • for SUSE Linux Enterprise 12: 
/etc/ImageMagick-6/policy.xml

For SUSE Linux Enterprise 11, with ImageMagick, the respective coders were moved from :

/usr/lib64/ImageMagick-6.4.3/modules-Q16/coders/  to 
/usr/lib64/ImageMagick-6.4.3/modules-Q16/coders/vulnerable

For SUSE Linux Enterprise SDK 11, with GraphicsMagick, the respective coders were moved from :

/usr/lib64/GraphicsMagick-1.2.5/modules-Q8/coders/   to 
/usr/lib64/GraphicsMagick-1.2.5/modules-Q8/coders/vulnerable

To re-enable these coders for ImageMagick and/or GraphicsMagick, it is possible to add the path

/usr/lib64/ImageMagick-6.4.3/modules-Q16/coders/vulnerable

to the
MAGICK_CODER_MODULE_PATH

environment variable. Alternative it is possible to manually move these coders back to the /coders/ directory.

Cause

Additional Information

SUSE is working on further hardening and confining the ghostscript conversion, especially in ImageMagick and GraphicsMagick, so the default disablement might be lifted in the future.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7023657
  • Creation Date: 21-Jan-2019
  • Modified Date:03-Mar-2020
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

tick icon

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

tick icon

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

tick icon

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.