351

I want to create a captcha picture using convert from ImageMagick.

I followed this, but there are some problems.

Input in my Linux shell:

convert -background white -fill black -font FreeSerif-Bold -pointsize 36 label:'adfgh' ./test.png

The Error is:

convert:not authorized adfgh @ error/constitute.c/ReadImage/453.
convert:missing an image filename ./test.png @ error/convert.c/ConvertImageCommand/3015

My ImageMagick version is 6.7.2-7; I installed it with yum install ImageMagick.

I'm clueless. Any advice please?

CKE
  • 1,533
  • 19
  • 18
  • 29
jianwei
  • 3,561
  • 3
  • 11
  • 4

11 Answers

483

Note: the solution in this and other answers involves disabling safety measures that are there to fix arbitrary code execution vulnerabilities. See for instance this ghostscript-related and this ubuntu-related announcement. Only go forward with these solutions if the input to convert comes from a trusted source.

I use ImageMagick in PHP (v.7.1) to slice a PDF file into images.

First I got errors like:

Exception type: ImagickException

Exception message: not authorized ..... @ error/constitute.c/ReadImage/412

After some changes in /etc/ImageMagick-6/policy.xml I started getting errors like:

Exception type: ImagickException

Exception message: unable to create temporary file ..... Permission denied @ error/pdf.c/ReadPDFImage/465

My fix:

In file /etc/ImageMagick-6/policy.xml (or /etc/ImageMagick/policy.xml)

  1. comment line

    <!-- <policy domain="coder" rights="none" pattern="MVG" /> -->
    
  2. change line

    <policy domain="coder" rights="none" pattern="PDF" />
    

    to

    <policy domain="coder" rights="read|write" pattern="PDF" />
    
  3. add line

    <policy domain="coder" rights="read|write" pattern="LABEL" />
    

Then restart your web server (nginx, apache).

sNICkerssss
  • 6,312
  • 1
  • 24
  • 16
  • 54
    This should be the acceptable answer if you experienced this problem on an Ubuntu box since Oct 4 2018. Any other issues from other distros? – LucasBr Oct 05 '18 at 16:00
  • 13
    I am also just getting this problem just today on Ubuntu 16.04. Did something change? Also I didn't need to add the LABEL line, just change the rights for PDF from "none" to "read". – Bryant Kou Oct 05 '18 at 21:06
  • 5
    Solves a very similar problem in my Ubuntu 18.04.1 LTS box – mhernandez Oct 05 '18 at 23:41
  • 3
    In my server, the `policy.xml` file last updated on Sept 29, but the problems just arise today. I'm using ubuntu server 14.04.5, but set auto update. In apt log, I found about this update: `imagemagick-common:amd64 (6.7.7.10-6ubuntu3.12, 6.7.7.10-6ubuntu3.13),` – Donny Kurnia Oct 08 '18 at 04:27
  • 12
    here is the related changelog: https://launchpad.net/ubuntu/+source/imagemagick/8:6.7.7.10-6ubuntu3.13 – Donny Kurnia Oct 08 '18 at 04:41
  • Proven solution on Laravel Forge env, if your spatie pdf got into error "ImagickException: not authorized" then this is a solution – Jasonfish Oct 08 '18 at 08:34
  • 4
    Don't forget to restart php-fpm as well `sudo systemctl restart php7.2-fpm` or whatever version you have – dinbrca Oct 09 '18 at 14:05
  • 3
    It worked for me. But I've checked CVE-2016-3714 answer from @Nikolay Ivanov so I left the "MVG" comment out of my config and still it worked, since I'm using Imagick only for PDF conversion. – Renzo Oct 10 '18 at 14:06
  • Can someone explain what domain="coder" relates to? I made the above changes and this gets the issue fixed when a user is loading an image for conversion. My site is running on Laravel forge and I am using a Redis queue to complete image conversions. With this setup then the only way to get it working is to comment out/remove the PDF/LABEL lines. I assume this is because this is then being run by a system level user. Can domain="??" be set to work for cron/system users? – Adam Lambert Oct 15 '18 at 17:18
  • My problem is that this policy file can only be edited by the superuser. Is there any way to control policy locally? Something like `~/.imagemagick/policy.xml` – nightcod3r Oct 23 '18 at 04:54
  • 3
    For command line usage, e.g. `convert 1.png 2.png out.pdf`, the only change you need is ``. – davidA Oct 24 '18 at 11:05
  • 2
    On ubuntu 18.04 I only comment the lines under the line: `` and work. – bl4ckb1rd Oct 26 '18 at 14:23
  • This fixed the issue for me in Linux Mint 18.3. – jmd_dk Nov 05 '18 at 22:09
  • Don't do this. This restriction has been introduced as a security measure because of possible remote code execution (see https://launchpad.net/ubuntu/+source/imagemagick/8:6.7.7.10-6ubuntu3.13). So the correct answer is: You should use another program for this task. – Marian Jan 24 '19 at 18:01
  • Make sure to update ghostscript https://www.kb.cert.org/vuls/id/332928/ – ykay says Reinstate Monica Mar 05 '19 at 09:37
  • You don't need to restart your webserver - ImageMagick is a separate service. – KolonUK Mar 22 '19 at 15:03
  • The most important thing is: Are the new safety measures introduced in the ImageMagick package permanent or is it just a hotfix and a proper solution that will both fix the security issue and not crash current third-party scripts is planned to be implemented later? I am asking because I installed the newest version of ImageMagick 7 and I *think* that my scripts no longer crash again without fixing anything in the policy file. – Jeyekomon Jul 15 '19 at 20:56
  • @Marian thanks for reminding the security issues. But what's the point of distributing a software that does not work? It is for the case when users will assume the security. Not everyone manage a server exposed to attacks. I run convert in a sandboxed VM behind a firewall, for converting eps to some word compatible format. That's one of the most difficult to maintain software chain. Every soft I tried so far did rot. I'm very happy to find those answer and I WILL do this, definitely! – aka.nice Feb 18 '21 at 23:40
179

I have many times used the ImageMagick convert command to convert *.tif files to *.pdf files.

I don't know why but today I began to receive the following error:

convert: not authorized `a.pdf' @ error/constitute.c/WriteImage/1028.

After issuing the command:

convert a.tif a.pdf

After reading the above answers I edited the file /etc/ImageMagick-6/policy.xml

and changed the line:

<policy domain="coder" rights="none" pattern="PDF" />

to

<policy domain="coder" rights="read|write" pattern="PDF" />

and now everything works fine.

I have "ImageMagick 6.8.9-9 Q16 x86_64 2018-09-28" on "Ubuntu 16.04.5 LTS".

karlsebal
  • 1,449
  • 17
  • 23
Lv2eof
  • 1,949
  • 1
  • 11
  • 9
  • 1
    I'm on openSuse Leap 15.0 and used "compare" to compare PDF pages, same error, _even_ after an update by openSuse on October 10th 2018. After changing the line as described here, it worked. – Keks Dose Oct 11 '18 at 07:22
  • I'm on Ubuntu Xenial 16.04 LTS and suddenly I started to see that error in Apache logs. I confirm that after changing the policy as described here the problem was solved. – user2641103 Oct 16 '18 at 13:15
  • 6
    This is the minimal correct answer - sNICkerssss's answer is technically correct however only one step is needed for command-line usage of `convert` to PDF. – davidA Oct 24 '18 at 11:07
  • 1
    This 'problem' is quick&dirty 'fix' to Ghostscript functionality, in long term we should find replacement for Ghostscript (and likely ImageMagick). – 9ilsdx 9rvj 0lo Oct 29 '18 at 15:29
  • 5
    Don't do this. This restriction has been introduced as a security measure because of possible remote code execution (see https://launchpad.net/ubuntu/+source/imagemagick/8:6.7.7.10-6ubuntu3.13). So the correct answer is: You should use another program for this task. – Marian Jan 24 '19 at 18:08
  • Make sure to update ghostscript https://www.kb.cert.org/vuls/id/332928/ – ykay says Reinstate Monica Mar 05 '19 at 09:38
71

Note: this solution and any other "edit the policy.xml" solution disables safety measures against arbitrary code execution vulnerabilities in ImageMagick. If you need to process input that you do not control 100%, you should use a different program (not ImageMagick).

If you're still here, you are trying to edit images that you have complete control over, know are safe, and cannot be edited by users.

There is an /etc/ImageMagick/policy.xml file that is installed by yum. It disallows almost everything (for security and to protect your system from getting overloaded with ImageMagick calls).

If you're getting a ReadImage error as above, you can change the line to:

<policy domain="coder" rights="read" pattern="LABEL" />

which should fix the issue.

The file has a bunch of documentation in it, so you should read that. For example, if you need more permissions, you can combine them like:

<policy domain="coder" rights="read|write" pattern="LABEL" />

...which is preferable to removing all permissions checks (i.e., deleting or commenting out the line).

kris
  • 23,024
  • 10
  • 70
  • 79
  • 2
    Don't do this. This restriction has been introduced as a security measure because of possible remote code execution (see https://launchpad.net/ubuntu/+source/imagemagick/8:6.7.7.10-6ubuntu3.13). So the correct answer is: You should use another program for this task. – Marian Jan 24 '19 at 18:08
  • Make sure to update ghostscript https://www.kb.cert.org/vuls/id/332928/ – ykay says Reinstate Monica Mar 05 '19 at 09:38
  • 7
    @Marian Using another program is not helpful - the OP asked specifically about ImageMagick. The response should be "You should know what you are doing, do it at your own risk, make sure you system is secure, here is why you shouldn't, and here is how to do it". – KolonUK Mar 22 '19 at 15:01
  • 4
    The OP (and people getting here by web search, including me) have been using ImageMagick until now; so of course, their first try in solving this issue is finding a solution using ImageMagick, because that requires the least amount of changes. That doesn't mean they unconditionally want to use ImageMagick. – Marian Mar 22 '19 at 16:11
  • 4
    I find this dismissive approach to security very inappropriate for a Q&A site seen by thousands (this page has been viewed 100k times and is the top search result for this problem) — and let's be clear here, there was a large and vocal attempt to stress the importance of this vulnerability, including a dedicated site set up to publicise it (https://imagetragick.com/) — Marian's suggestion that alternatives should be sought rather than security bypassed is valid. I chose to use GIMP instead. `poppler` is an alternative to GhostScript (which `convert` relies on to rasterize PDF pages to images) – Louis Maddox Oct 31 '19 at 17:02
  • 1
    Isn't there a command line option to disable the security policy temporarily? Then we could use it for specific PDF files that we trust. – HRJ May 12 '20 at 16:24
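An added example (not from any answer on this page): a check that parses a policy.xml and reports, for the coders this page discusses, whether each is still blocked, loosened, or missing an entry altogether. The sample policy is constructed; the check does not model ImageMagick's precedence when several entries match one coder, and reports a coder as exposed if any matching entry grants a right.

```python
import re
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Coders named on this page: MVG/MSL (CVE-2016-3714) and the
# Ghostscript-backed PS/EPS/PDF/XPS.
RISKY_CODERS = ("MVG", "MSL", "PS", "EPS", "PDF", "XPS")

# Constructed sample: MVG commented out, PDF loosened, XPS never listed.
SAMPLE_POLICY = """<policymap>
  <!-- <policy domain="coder" rights="none" pattern="MVG" /> -->
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="{PS,EPS}" />
  <policy domain="coder" rights="read|write" pattern="PDF" />
  <policy domain="coder" rights="read|write" pattern="LABEL" />
  <policy domain="resource" name="memory" value="256MiB" />
</policymap>"""

def _expand(pattern):
    """Expand one {A,B} group so fnmatch can test each alternative."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    return [pattern[:m.start()] + alt + pattern[m.end():]
            for alt in m.group(1).split(",")]

def audit_policy(xml_text, coders=RISKY_CODERS):
    """Map each coder to 'blocked', 'no-entry' or the rights granted."""
    # The parser drops XML comments, so a commented-out <policy> line is
    # treated like a deleted one: no entry restricts that coder.
    root = ET.fromstring(xml_text)
    report = {}
    for coder in coders:
        seen, granted = False, set()
        for pol in root.iter("policy"):
            if pol.get("domain", "").lower() != "coder":
                continue
            patterns = _expand(pol.get("pattern", "").upper())
            if not any(fnmatchcase(coder, p) for p in patterns):
                continue
            seen = True
            rights = re.split(r"[|,\s]+", pol.get("rights", "").lower())
            granted |= {r for r in rights if r and r != "none"}
        if not seen:
            report[coder] = "no-entry"
        else:
            report[coder] = "|".join(sorted(granted)) or "blocked"
    return report

if __name__ == "__main__":
    for coder, status in audit_policy(SAMPLE_POLICY).items():
        print(f"{coder:4} {status}")
```

A `no-entry` result deserves the same attention as a granted right, since nothing in the file restricts that coder.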
30

If someone needs to do it with one command after install, run this:

sed -i 's/<policy domain="coder" rights="none" pattern="PDF" \/>/<policy domain="coder" rights="read|write" pattern="PDF" \/>/g' /etc/ImageMagick-6/policy.xml
Armen
  • 4,064
  • 2
  • 23
  • 40
26

Just delete /etc/ImageMagick/policy.xml file. E.g.

rm /etc/<ImageMagick_PATH>/policy.xml

For ImageMagick 6, it's:

sudo rm /etc/ImageMagick-6/policy.xml
kenorb
  • 155,785
  • 88
  • 678
  • 743
Jarda Pavlíček
  • 1,636
  • 17
  • 16
25

The answer with the highest votes (I do not have enough reputation to add a comment there) suggests commenting out the MVG line, but keep this in mind:

CVE-2016-3714

ImageMagick supports ".svg/.mvg" files which means that attackers can craft code in a scripting language, e.g. MSL (Magick Scripting Language) and MVG (Magick Vector Graphics), upload it to a server disguised as an image file and force the software to run malicious commands on the server side as described above. For example adding the following commands in a file and uploading it to a webserver that uses a vulnerable ImageMagick version will result in running the command "ls -la" on the server.

exploit.jpg:

push graphic-context
viewbox 0 0 640 480
fill 'url(https://website.com/image.png"|ls "-la)'
pop graphic-context

And

Any version below 7.0.1-2 or 6.9.4-0 is potentially vulnerable and affected parties should as soon as possible upgrade to the latest ImageMagick version.

Source

Nikolay Ivanov
  • 421
  • 4
  • 12
  • 3
    I didn't comment out MVG and PDF -> JPG conversion still works. Thank you. – Rimu Atkinson Oct 10 '18 at 04:08
  • 1
    6.7.7-10 *looks* like the newest version, released 9/28/2018). What am I missing? ```$convert --version Version: ImageMagick 6.7.7-10 2018-09-28 Q16 http://www.imagemagick.org``` – HaPsantran Oct 10 '18 at 21:36
  • there is newer version http://www.imagemagick.org/script/download.php Probably your Linux distribution uses older one. Ubuntu 16.04 currently uses 6.8.9-9 – Nikolay Ivanov Oct 11 '18 at 09:11
  • 1
    Nice, so the proper solution for Ubuntu team would be to update imagemagick to newer version, not to break the existing one. – 9ilsdx 9rvj 0lo Oct 29 '18 at 13:37
  • 2
    No. Ubuntu is a feature-freeze distribution and will not ship upstream newer releases. – Buo-ren Lin Feb 15 '19 at 06:20
  • make sure to update ghostscript https://www.kb.cert.org/vuls/id/332928/ – ykay says Reinstate Monica Mar 05 '19 at 09:41
  • RHEL is also feature-freeze, but bear in mind they're explicitly _not_ "security-freeze"; i.e. security vulnerabilities are backported from big-numbered versions. That means the OP is probably safe. Let's check! https://access.redhat.com/security/vulnerabilities/ImageTragick - Indeed. https://access.redhat.com/errata/RHSA-2016:0726 So go ahead and change your policy.xml file. – Rich Jun 17 '20 at 20:36
  • Addendum: on RHEL6, check programmatically with `r=$(rpm -q ImageMagick --qf '%{release}') && [[ ${r%.*} -gt 4 ]]` – Rich Jun 17 '20 at 20:43
19

After a recent update on my Ubuntu 16.04 system I have also started getting this error when trying to run convert on .ps files to convert them into pdfs.

This fix worked for me:

In a terminal run:

sudo gedit /etc/ImageMagick-6/policy.xml

This should open the policy.xml file in the gedit text editor. If it doesn't, your image magick might be installed in a different place. Then change

rights="none" 

to

rights="read | write" 

for PDF, EPS and PS lines near the bottom of the file. Save and exit, and image magick should then work again.

5

I had this error when trying to convert a pdf to jpg and solved it using this method: sudo vi /etc/ImageMagick*/policy.xml

change:

<policy domain="coder" rights="none" pattern="PDF" />

to:

<policy domain="coder" rights="read|write" pattern="PDF" />

Source: http://realtechtalk.com/ImageMagick_Convert_PDF_Not_Authorized-2217-articles

Areeb Soo Yasir
  • 598
  • 7
  • 8
4

If you don't need to handle raster files and PDF/PS/EPS through the same tool, don't loosen ImageMagick's security.

Instead, keep your defense in depth for your web applications intact, check that your Ghostscript has been patched for all known -dSAFER vulnerabilities and then invoke it directly.

gs -dSAFER -r300 -sDEVICE=png16m -o document-%03d.png document.pdf
  • -dSAFER opts you out of the legacy-compatibility "run Postscript with full permission to interact with the outside world as a turing-complete programming language" mode.
  • -r300 sets the desired DPI to 300 (the default is 72)
  • -sDEVICE specifies the output format (See the Devices section of the manual for other choices.)
  • -o is a shorthand for -dBATCH -dNOPAUSE -sOutputFile=
  • This section of the Ghostscript manual gives some example formats for multi-file filename output but, for the actual syntax definition, it points you at the documentation for the C printf(3) function.

If you're rendering EPS files, add -dEPSCrop so it won't pad your output to page size and use -sDEVICE=pngalpha to get transparent backgrounds.

ssokolow
  • 14,938
  • 7
  • 52
  • 57
  • Thanks for a safer solution. Not sure I'll ever be able to remember the GhostScript command line options, though! :) – Cris Luengo May 28 '20 at 20:49
  • @CrisLuengo I won't either. That's why I posted it to as many Google results as I could find where it was a good answer to the question posed. :P – ssokolow May 29 '20 at 21:05
  • 1
    I found good results using `-r600 -dDownScaleFactor=4` to create a file with a 150 dpi but better anti-aliasing. – John Cole Jun 01 '20 at 02:20
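An added example (not part of the answers above): a dispatcher that picks the converter from a file's leading bytes rather than its name, so PDF/PS/EPS go to `gs -dSAFER` with the flags from ssokolow's answer, known raster formats go to `convert` with the policy left intact, and a script disguised as an image (the case described in the CVE-2016-3714 answer) is refused. The function name, the accepted raster formats and the sample byte strings are assumptions made for this sketch.

```python
import os

# Leading bytes of the raster formats this sketch accepts (JPEG, PNG, GIF).
RASTER_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")

# Constructed sample inputs (first bytes of each file only).
PDF_HEAD = b"%PDF-1.4\n"
EPS_HEAD = b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\n"
JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF"
MVG_HEAD = b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n"


def plan_conversion(path, head, out_stem="page"):
    """Return the argv to run for this file, chosen by content, not name.

    `path` is assumed to be a server-generated file name, not user input.
    Raises ValueError when the content is not a recognised format.
    """
    first_line = head.split(b"\n", 1)[0]
    if head.startswith((b"%PDF-", b"%!PS")):
        argv = ["gs", "-dSAFER", "-r300"]
        if b"EPSF" in first_line:
            # EPS: crop to the bounding box and keep a transparent background
            argv += ["-dEPSCrop", "-sDEVICE=pngalpha"]
        else:
            argv += ["-sDEVICE=png16m"]
        return argv + ["-o", out_stem + "-%03d.png", path]
    if head.startswith(RASTER_MAGIC):
        # Raster input: ImageMagick with its restrictive policy.xml untouched
        return ["convert", path, out_stem + ".png"]
    raise ValueError("unrecognised content, refusing to convert "
                     + os.path.basename(path))


if __name__ == "__main__":
    print(plan_conversion("document.pdf", PDF_HEAD, "document"))
    print(plan_conversion("photo.jpg", JPEG_HEAD))
    try:
        plan_conversion("exploit.jpg", MVG_HEAD)
    except ValueError as err:
        print("rejected:", err)
```

The returned list is meant to be passed to `subprocess.run()` without a shell.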
3

After reading several suggestions here and combining the ideas, for me following changes in /etc/ImageMagick-6/policy.xml were necessary:

<policy domain="coder" rights="read|write" pattern="PDF" />

... rights="none" did not help. ...pattern="LABEL" was not necessary. Although I do not work with big png files (only ~1 Mb) some changes in memory limits were also necessary:

<policy domain="resource" name="memory" value="2GiB"/>

(instead of 256Mib), and

<policy domain="resource" name="area" value="2GB"/>

(instead of 128 MB)

Kristjan Adojaan
  • 527
  • 7
  • 10
1

I also had the error error/constitute.c/ReadImage/453 when trying to convert an eps to a gif with image magick. I tried the solution proposed by sNICkerssss but still had errors (though different from the first one): error/constitute.c/ReadImage/412. What solved the problem was to put read on other entries:

 <policy domain="coder" rights="read" pattern="PS" />
 <policy domain="coder" rights="read" pattern="EPS" />
 <policy domain="coder" rights="read" pattern="PDF" />
 <policy domain="coder" rights="read" pattern="XPS" />
 <policy domain="coder" rights="read|write" pattern="LABEL" />
lambertmular
  • 107
  • 1
  • 8
  • 1
    This does not really answer the question. If you have a different question, you can ask it by clicking [Ask Question](https://stackoverflow.com/questions/ask). You can also [add a bounty](https://stackoverflow.com/help/privileges/set-bounties) to draw more attention to this question once you have enough [reputation](https://stackoverflow.com/help/whats-reputation). - [From Review](/review/low-quality-posts/21070171) – Rence Oct 08 '18 at 13:58
  • Thanks for the suggestion. I edited my answer in the meantime. Anyway I really felt it should have been a comment on sNICkerssss answer, but since I cannot add it is the best way I figured out – lambertmular Oct 08 '18 at 14:04
  • @Sirence it is an answer, though poor because it copies from other answers. – 9ilsdx 9rvj 0lo Oct 29 '18 at 15:30
  • @9ilsdx9rvj0lo my comment was from before the edit. https://stackoverflow.com/posts/52700739/revisions – Rence Oct 31 '18 at 08:19