On Fri, Jul 16, 2021 at 09:02:44PM +0200, Martin Quinson wrote:
> I'm sorry to ask, but I fear I need additional information, please.
> It seems to me that this patch merely circumvents the change in
> ImageMagick to allow the handling of eps file during the construction
> of the package. Am I right, or is it only disabling the dangerous
> parts of the converter while retrieving the parts we need?
>
> Sorry to ask, I'm very bad with ImageMagick.
>
> Even if it's re-enabling the conversion of eps files for the package
> building, I guess that this is a good emergency solution to not delay
> the release too much, provided that we trust the eps files that come
> with ns-3. Thanks for the proposal.

You have to trust the EPS files in your package like everything else
anyway. AIUI the restriction in /etc/ImageMagick-6/policy.xml exists as
a stop-gap to keep people from accidentally running ImageMagick on
untrusted input (e.g. shoddily-written CGI scripts that don't sanitize
input correctly). Seccomp filters would be a better approach, but since
ImageMagick has to also work under Windows that's unlikely to ever
happen. If ImageMagick were too dangerous to use even on trusted input
then shipping it at all wouldn't make any sense.

> But I would prefer not to live with such a complex and even somewhat
> dangerous patch in my package, so I'm curious about other solutions
> that would allow to convert eps to png without ImageMagick. Maybe using
> gimp and Script-Fu?

pdftoppm from poppler-utils is another option. Ubuntu's version of sctk
has a patch for that:

https://patches.ubuntu.com/s/sctk/sctk_2.4.10-20151007-1312Z+dfsg2-3ubuntu1.patch

(But I don't believe for a single second that that parser is any safer
than what comes in ImageMagick.)

Regards