FS#59778 - [libmagick] Apply workaround for Ghostscript RCE vuln

Attached to Project: Arch Linux
Opened by Tommy Schmitt (spinka) - Thursday, 23 August 2018, 16:25 GMT
Last edited by Antonio Rojas (arojas) - Monday, 22 October 2018, 15:51 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Andreas Radke (AndyRTR)
Antonio Rojas (arojas)
Levente Polyak (anthraxx)
Architecture All
Severity Critical
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No



Recently a new batch of Ghostscript RCE bugs was disclosed in public:

There is no upstream patch for them, and there are others, 2 years old, that are still unfixed:

The one thing that Arch can do is to add the line below to '/etc/ImageMagick-7/policy.xml', which belongs to the libmagick package:

<policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}" />

This is the recommended action for all distros.

Steps to reproduce:
1. Install 'imagemagick' and 'ghostscript' packages.
2. Create shellexec.jpg with the content below:
cat shellexec.jpeg
userdict /setpagedevice undef
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
mark /OutputFile (%pipe%id) currentdevice putdeviceprops

3. Execute 'convert shellexec.jpeg whatever.gif'

Closed by Antonio Rojas (arojas)
Monday, 22 October 2018, 15:51 GMT
Reason for closing: Fixed
Additional comments about closing: libmagick
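
A way to check that a given policy.xml actually carries the coder workaround quoted in the report, as an added example that is not part of the original task or of Arch's packaging. It assumes a case-sensitive glob match on coder names, and the three sample documents are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Coders named in the workaround line quoted in the report.
GHOSTSCRIPT_CODERS = ("PS", "PS2", "PS3", "EPS", "PDF", "XPS")

def expand_braces(pattern):
    """Expand {a,b,c} alternations in a glob pattern into plain globs."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    return [g for alt in m.group(1).split(",")
            for g in expand_braces(head + alt.strip() + tail)]

def audit_policy(xml_text, coders=GHOSTSCRIPT_CODERS):
    """Map each coder to 'denied', 'conflict' or 'open' for one policy.xml text."""
    deny, grant = set(), set()
    # ElementTree discards XML comments, so a commented-out rule does not count.
    for pol in ET.fromstring(xml_text).iter("policy"):
        if pol.get("domain", "").lower() != "coder":
            continue
        globs = expand_braces(pol.get("pattern", ""))
        rights = pol.get("rights", "").strip().lower()
        for coder in coders:
            # Assumption: case-sensitive glob match against the coder name.
            if any(fnmatchcase(coder, g) for g in globs):
                (deny if rights == "none" else grant).add(coder)
    # A coder with both a deny and a grant rule is reported, not trusted.
    return {c: "conflict" if c in deny and c in grant
            else "denied" if c in deny else "open" for c in coders}

# Constructed sample documents (not taken from any real system).
COMMENTED_OUT = """<policymap>
  <!-- <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}" /> -->
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>"""
WORKAROUND = """<policymap>
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}" />
</policymap>"""
PARTIAL = """<policymap>
  <policy domain="coder" rights="none" pattern="{PS,EPS}" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="read" pattern="PDF" />
</policymap>"""

if __name__ == "__main__":
    for name in ("COMMENTED_OUT", "WORKAROUND", "PARTIAL"):
        print(name, audit_policy(globals()[name]))
```

Anything other than 'denied' for all six coders means the file does not fully apply the workaround; 'conflict' is reported separately so the result does not depend on which rule the policy engine evaluates last.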
Comment by Tommy Schmitt (spinka) - Saturday, 25 August 2018, 10:51 GMT
There is also a public POC for the evince thumbnailer, which can be triggered automatically when entering a folder with a malicious file inside:
Comment by Tommy Schmitt (spinka) - Saturday, 25 August 2018, 12:44 GMT
POC for triggering this automatically by visiting a webpage in Chrome:
Comment by Tommy Schmitt (spinka) - Tuesday, 28 August 2018, 14:46 GMT
  • Field changed: Percent Complete (100% → 0%)
Unfortunately, the vulnerability list is still growing and for some of them there is no patch available, see

The solution proposed here will block all known and unknown exploits, thus it's still recommended.

Can you re-open this with lower severity and maybe change to "General gripe"?
Comment by Eli Schwartz (eschwartz) - Tuesday, 28 August 2018, 14:47 GMT
Huh, my bad. Did not realize that FS#59799 does not fix all known issues.
Comment by Tommy Schmitt (spinka) - Tuesday, 28 August 2018, 20:23 GMT
Comment by Jensen McKenzie (your_doomsday) - Monday, 24 September 2018, 16:17 GMT
All known vulnerabilities are fixed in ghostscript 9.25, which has been in the Arch Linux repos for some time. The upstream bug is now closed. This can be closed as well.
Comment by Eli Schwartz (eschwartz) - Thursday, 18 October 2018, 14:36 GMT
So, we thought "hey, there's a round of vulnerabilities, but there's also patches so now we updated we don't need this workaround".

Except, no, not really. cf. FS#60370

We're just going to keep seeing more vulnerabilities, aren't we? I think this workaround is needed, the reactive approach is not working out.

EDIT: Well, it would help to assign the libmagick maintainer rather than the ghostscript maintainer. Suddenly things make sense. :o