xml imagemagick ubuntu-16.04

override default ImageMagick policy.xml


I use ImageMagick on ubuntu-16.04 to convert PDF files into PNG images.

Recently, converting stopped working, because the imagemagick-common package added <policy domain="coder" rights="none" pattern="PDF" /> to the policy.xml file in /etc/ImageMagick-6/policy.xml

I don't want to change /etc/ImageMagick-6/policy.xml to enable PDF, because this file belongs to a package and another update could rewrite this file again.

$ dpkg -S /etc/ImageMagick-6/policy.xml
imagemagick-common: /etc/ImageMagick-6/policy.xml

I created a configuration file in my home directory:

$ cat ~/.config/ImageMagick/policy.xml
<policymap>
    <policy domain="coder" rights="read|write" pattern="PDF" />
</policymap>

It seems that this file was found and loaded:

$ identify -list policy
Path: /etc/ImageMagick-6/policy.xml
...
Policy: Coder
    rights: None 
    pattern: PDF
...
Path: /home/vasiliy/.config/ImageMagick/policy.xml
Policy: Coder
    rights: Read Write 
    pattern: PDF

But it doesn't help.

A "not authorized" exception is raised.

How can I force ImageMagick to prefer the ~/.config/ImageMagick/policy.xml settings over the /etc/ImageMagick-6/policy.xml settings? Or can I use some other solution to allow PDF read|write?


Solution

  • I have the same issue as you. Because of a security update, ImageMagick now disallows PDF processing by default. The underlying vulnerability in Ghostscript (https://www.kb.cert.org/vuls/id/332928) is already fixed, but the default config has not yet been changed back.

    I did some experiments with ~/.config/ImageMagick/policy.xml and found out that this config is actually used and working. BUT you can't allow things that are disabled globally. You can only add further restrictions to your user's processes.

    So my suggestions:

    1. adjust the /etc/ImageMagick-6/policy.xml
    2. wait until the package maintainers decide to activate the feature again by default

    UPDATE:

    When using #1 you should make sure not to break your automatic updates. Maybe this will help you find a solution: https://unix.stackexchange.com/questions/138751/unattended-upgrades-and-modified-configuration-files
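
The answer's finding, that a per-user policy.xml can add restrictions but cannot re-enable what a system-wide file denies, can be checked against the identify -list policy listing. The script below is an added example, not code from the question or the answer: parse_policies and coder_status are hypothetical helpers, the sample listing is constructed from the output shown in the question, and the rule that any file withholding a right wins models the answerer's observation, not ImageMagick's internal evaluation.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample: `identify -list policy` output in the layout shown in the
# question, with the elided "..." parts left out.
SAMPLE = """\
Path: /etc/ImageMagick-6/policy.xml
Policy: Coder
    rights: None
    pattern: PDF
Path: /home/vasiliy/.config/ImageMagick/policy.xml
Policy: Coder
    rights: Read Write
    pattern: PDF
"""

def parse_policies(text):
    """Return one dict per policy entry: path, domain, rights (set), pattern."""
    entries, path, cur = [], None, None
    for line in text.splitlines():
        m = re.match(r"\s*(Path|Policy|rights|pattern):\s*(.*?)\s*$", line)
        if not m:
            continue  # skips blank lines, "..." and fields not modelled here
        key, value = m.groups()
        if key == "Path":
            path, cur = value, None
        elif key == "Policy":
            cur = {"path": path, "domain": value.lower(), "rights": set(), "pattern": None}
            entries.append(cur)
        elif cur is not None and key == "rights":
            cur["rights"] = {r.lower() for r in value.split()} - {"none"}
        elif cur is not None and key == "pattern":
            cur["pattern"] = value
    return entries

def coder_status(entries, coder, needed=("read", "write")):
    """Assumed rule (from the answer): a file that withholds a right blocks it."""
    # Simple glob match only; brace lists such as {PS,PDF} are not expanded.
    hits = [e for e in entries if e["domain"] == "coder"
            and e["pattern"] and fnmatchcase(coder, e["pattern"])]
    blockers = [e["path"] for e in hits if not set(needed) <= e["rights"]]
    return {"allowed": not blockers, "blocked_by": blockers}

if __name__ == "__main__":
    # Live use (assumes `identify` is on PATH):
    #   import subprocess
    #   text = subprocess.run(["identify", "-list", "policy"],
    #                         capture_output=True, text=True).stdout
    print(coder_status(parse_policies(SAMPLE), "PDF"))
```

For the listing in the question it reports /etc/ImageMagick-6/policy.xml as the blocking file, which is the file option 1 of the answer edits.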