ImageMagick security policy 'PDF' blocking conversion

Question

The Imagemagick security policy seems to be not allowing me perform this conversion from pdf to png. Converting other extensions seem to be working, just not from pdf. I haven't changed any of the imagemagick settings since I installed it... I am using Arch Linux, if the OS matters.

user@machine $ convert -density 300 -depth 8 -quality 90 input.pdf output.png
convert: attempt to perform an operation not allowed by the security policy `PDF' @ error/constitute.c/IsCoderAuthorized/408.
convert: no images defined `output.png' @ error/convert.c/ConvertImageCommand/3288.

Possible duplicate of [ImageMagick not authorized to convert PDF to an image](https://stackoverflow.com/questions/52861946/imagemagick-not-authorized-to-convert-pdf-to-an-image) — Raedwald, Nov 23 '18 at 12:11

score 447 · Accepted Answer · answered Nov 06 '18 at 21:20

447

Well, I added

  <policy domain="coder" rights="read | write" pattern="PDF" />

just before </policymap> in /etc/ImageMagick-7/policy.xml and that makes it work again, but not sure about the security implications of that.

answered Nov 06 '18 at 21:20

Stefan Seidel

5,440
2
16
18

6

I believe that the PDF policy was added due to a bug in Ghostscript, which I believe has now been fixed. So it you are using the current Ghostscript, then you should be fine giving this policy read|write rights. – fmw42 Nov 06 '18 at 21:43
50

I found the line `` and just uncommented it to make it work. – jakob-r Dec 07 '18 at 12:18
18

The security vulnerability that caused distributions to implement the policy is referenced here: https://www.kb.cert.org/vuls/id/332928/ – Jason Siefken Jan 08 '19 at 23:58
33

@jakob-r: I suppose you **commented it out**... ;-) – AstroFloyd Jan 14 '19 at 17:09
2

Make sure ghostscript is updated https://www.kb.cert.org/vuls/id/332928/ – ykay says Reinstate Monica Mar 05 '19 at 09:35
1

That doesn't do it for me on the current Arch. – Suuuehgi Nov 05 '19 at 18:01
@Suuuehgi see [soloturn's answer](https://stackoverflow.com/a/58438910/6770384). – Socowi Nov 21 '19 at 13:33
See https://stackoverflow.com/questions/52861946/imagemagick-not-authorized-to-convert-pdf-to-an-image/52863413#52863413 – fmw42 Feb 05 '20 at 17:28
The bug referenced by @ykaysaysReinstateMonica was *addressed in Ghostscript version 9.24* – qneill May 11 '20 at 22:18
Note: if you are trying to solve this problem for conversion from EPS, allowing `rights="read|write"` on `pattern="EPS"` will accomplish nothing if you don't do the same for `pattern="PS'`, or move the EPS line above the PS line. – kyle Jul 24 '20 at 15:57
On Ubuntu 20.04 (LTS), only ImageMagick 6 is available right now, but I have an up to date version of ghostscript. Can confirm this worked for me. – Matthew Sep 27 '20 at 23:09
I get a ghostscript error when I enable this read/write policy: `convert-im6.q16: FailedToExecuteCommand `'gs'` , anybody has a clue how to fix this? I'm using Image Magick 6.9.10-23 Q16 x86_64 20190101 on Ubuntu 20 – basZero Sep 28 '20 at 06:51

score 141 · Answer 2 · answered Jan 05 '19 at 21:46

141

As pointed out in some comments, you need to edit the policies of ImageMagick in /etc/ImageMagick-7/policy.xml. More particularly, in ArchLinux at the time of writing (05/01/2019) the following line is uncommented:

<policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}" />

Just wrap it between  to comment it, and pdf conversion should work again.

answered Jan 05 '19 at 21:46

Michele

1,556
1
5
4

1

make sure ghostscript is up to date https://www.kb.cert.org/vuls/id/332928/ – ykay says Reinstate Monica Mar 05 '19 at 09:35
16

What's the point of this functionality? To prevent users from making PDFs? – lmat - Reinstate Monica Mar 27 '19 at 01:22
16

Partially, yes. As ImageMagick is often used by websites to process uploaded files - and PDF is among one of the file formats which can basically contain any executable code - anyone with upload permissions could otherwise perform any task your web user has access to. Same if someone tricks you into personally converting a malicious PDF to any other format. – TwoD Apr 14 '19 at 10:37

tanius · Answer 3 · 2021-05-01T22:04:03.267

98

This issue is a workaround for a security vulnerability. The vulnerability has been addressed in Ghostscript 9.24 (source), so if you have that version or newer, you don't need the workaround anymore.

On Ubuntu 19.10 with ImageMagick 6, here's how you fix the issue by removing the workaround:

Make sure you have Ghostscript ≥9.24:
```
gs --version
```

If yes, just remove this whole following section from /etc/ImageMagick-6/policy.xml:

<!-- disable ghostscript format types -->
<policy domain="coder" rights="none" pattern="PS" />
<policy domain="coder" rights="none" pattern="PS2" />
<policy domain="coder" rights="none" pattern="PS3" />
<policy domain="coder" rights="none" pattern="EPS" />
<policy domain="coder" rights="none" pattern="PDF" />
<policy domain="coder" rights="none" pattern="XPS" />

edited May 01 '21 at 22:04

answered Dec 05 '19 at 10:36

tanius

7,190
2
36
45

Only fix that worked for me on Ubuntu 19.04 with gs 9.26. – ManuelTS Dec 20 '19 at 12:32
20

`sed -i '/disable ghostscript format types/,+6d' /etc/ImageMagick-6/policy.xml` worked fine for me. – Richard Kiefer Jul 02 '20 at 15:41
4

Worked for Ubuntu 20.04 – Alex K. Jul 09 '20 at 00:41
Does removing this not mean you just give it all the rights? Which can be dangerous? – Christophvh Aug 01 '20 at 13:54
1

@Christophvh: It means you give ImageMagick full rights back to process files with Ghostscript. This restores the file to what it was before the this temporary workaround had to be introduced for [a security issue](https://www.kb.cert.org/vuls/id/332928/) that has now been fixed. – tanius Aug 01 '20 at 14:51
This is a good answer with correct and easy explanation – Sayan Dey Mar 23 '21 at 05:38
Worked on Ubuntu 21.04 – Max N May 12 '21 at 16:32

score 41 · Answer 4 · edited Jan 27 '21 at 16:31

41

For me on Arch Linux, I had to comment this:

  <policy domain="delegate" rights="none" pattern="gs" />

edited Jan 27 '21 at 16:31

Matthias Braun

24,493
16
114
144

answered Oct 17 '19 at 18:41

soloturn

638
7
6

On my system, there was two policy.xml files : `/etc/ImageMagick-6/policy.xml` and `/etc/ImageMagick-7/policy.xml`. Take care to edit the right one! – SylvainB Jun 03 '20 at 09:38
hanks, true!! ``` lang-js > yay -F /etc/ImageMagick-7/policy.xml etc/ImageMagick-7/policy.xml is owned by extra/imagemagick 7.0.10.30-1 > yay -F /etc/ImageMagick-6/policy.xml etc/ImageMagick-6/policy.xml is owned by extra/libmagick6 6.9.11.30-1 > yay -Rs libmagick6 checking dependencies... error: failed to prepare transaction (could not satisfy dependencies) :: removing libmagick6 breaks dependency 'libmagick6' required by inkscape ``` – soloturn Dec 13 '20 at 00:55

score 34 · Answer 5 · answered Dec 07 '18 at 22:50

34

For me on my archlinux system the line was already uncommented. I had to replace "none" by "read | write " to make it work.

answered Dec 07 '18 at 22:50

butterfly

341
2
2

make sure ghostscript is up to date https://www.kb.cert.org/vuls/id/332928/ – ykay says Reinstate Monica Mar 05 '19 at 09:35
1

same. I am up to date btw. – yukashima huksay May 27 '19 at 04:25

score 16 · Answer 6 · answered Oct 10 '20 at 07:49

Works in Ubuntu 20.04

Add this line inside <policymap>

<policy domain="module" rights="read|write" pattern="{PS,PDF,XPS}" />

Comment these lines:

  <!--
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
   -->

Adding `` wasn't needed for me – leezu Nov 13 '20 at 04:41 — leezu, Nov 13 '20 at 04:41

score 10 · Answer 7 · answered Oct 26 '19 at 08:24

10

On Ubuntu 19.10, I have done this in /etc/ImageMagick-6/policy.xml

uncomment this

<policy domain="module" rights="read | write" pattern="{PS,PDF,XPS}" />

and comment this

<!-- <policy domain="coder" rights="none" pattern="PDF" /> -->

After that, this command work without error

convert -thumbnail x300 -background white -alpha remove sample.pdf sample.png

answered Oct 26 '19 at 08:24

slc66

101
1
2

1

Ace. Thanx. Still good on 20.04 – shantiq May 03 '21 at 09:30

score 7 · Answer 8 · answered Feb 05 '20 at 09:32

7

I was experiencing this issue with nextcloud which would fail to create thumbnails for pdf files.

However, none of the suggested steps would solve the issue for me.

Eventually I found the reason: The accepted answer did work but I had to also restart php-fpm after editing the policy.xml file:

 sudo systemctl restart php7.2-fpm.service

answered Feb 05 '20 at 09:32

derwiwie

707
8
15

LOL. After hours trying almost every solution possible, this was the ultimate. In combination with @Stefan Seidel solution: – Luís Assunção Oct 19 '20 at 21:49
restarting php fpm was also needed for me – thindery Jan 13 '21 at 17:17
If you're using plesk the name of the service is plesk-php74-fpm – Tofandel Feb 02 '21 at 17:40

Paul Rougieux · Answer 9 · 2021-01-04T09:50:50.093

5

Alternatively you can use img2pdf to convert images to pdf. Install it on Debian or Ubuntu with:

sudo apt install img2pdf

Convert one or more images to pdf:

img2pdf img.jpg -o output.pdf

It uses a different mechanism than imagemagick to embed the image into the pdf. When possible Img2pdf embeds the image directly into the pdf, without decoding and recoding the image.

edited Jan 04 '21 at 09:50

answered Jan 04 '21 at 09:41

Paul Rougieux

7,937
1
49
82

1

the question is about converting from pdf to png, how img2pdf can be used for this? – Valerio Jan 15 '21 at 16:54
@Valerio, img2pdf cannot be used in that way. I vaguely remember that img2pdf was missing from a question and answer thread. It seems like I answered the wrong question. – Paul Rougieux Feb 17 '21 at 11:12

score 4 · Answer 10 · answered Feb 19 '21 at 06:18

Adding to Stefan Seidel's answer.

Well, at least in Ubuntu 20.04.2 LTS or maybe in other versions you can't really edit the policy.xml file directly in a GUI way. Here is a terminal way to edit it.

Open the policy.xml file in terminal by entering this command -

sudo nano /etc/ImageMagick-6/policy.xml
Now, directly edit the file in terminal, find <policy domain="coder" rights="none" pattern="PDF" /> and replace none with read|write as shown in the picture. Then press Ctrl+X to exit.

score 4 · Answer 11 · answered Apr 12 '21 at 21:58

The ImageMagick change was kept after Ghostscript was fixed because applications (especially web applications) often feed arbitrary user-supplied files to ImageMagick, don't always enforce format restrictions properly, and, since Postscript (which PDF uses) is a turing-complete programming language running in a sandbox, there's always the possibility of another hole in the sandbox.

It's much better to leave things configured so ImageMagick refuses to process files that require running a program and, instead, just invoke Ghostscript directly when you intentionally want to permit Postscript rendering.

That would be accomplished by a Ghostscript command like this:

gs -dSAFER -r600 -sDEVICE=pngalpha -o foo.png myfile.pdf

Yes, this is a variation on the GhostScript command ImageMagic calls. (see ImageMagick's delegates.xml. -o is shorthand for -dBATCH -dNOPAUSE -sOutputFile=)

What's important is that ImageMagick stays locked down, you don't needlessly invoke an intermediate program, and you get more control over the rendering parameters. (eg. -r600 is the DPI to render at and changing -sDEVICE=pngalpha allows you to render directly to your desired format)

score 1 · Answer 12 · answered Apr 23 '21 at 19:12

1

Manjaro April 2021

Just remove uncommented line inside <policymap> in /etc/ImageMagick-7/policy.xml

answered Apr 23 '21 at 19:12

user1330614

422
3
7

ImageMagick security policy 'PDF' blocking conversion

12 Answers12

Linked