Search

Ubuntu - Error while converting to PDF with Imagemagick

Contents[Hide]

dropcap ubuntu imagemagick

Few days back, an Ubuntu Xenial update has broken ImageMagisk ability to generate PDF and PostScript files. I realised it when my Nautilus PDF Generate script was not working anymore when dealing with conversion of multiple picture files to generate a single PDF document.

As image conversion was done using convert (from ImageMagick package), I checked convert behaviour when converting picture files to PDF. Here is the error message you get since last update :

Terminal
# convert 'image.jpg' 'image.pdf'
convert: not authorized 'image.pdf' @ error/constitute.c/WriteImage/1028.

After some googling, I realised that ImageMagisk has recently gone thru some serious security flaws. These security flaws are quite serious for Web servers using ImageMagick for picture conversion. As an answer, some PDF generation restrictions have been implemented in Ubuntu repository for ImageMagick dfault policy.xml configuration file.

As ImageMagick PDF conversion feature is quite useful on an Ubuntu workstation, this article explains how to get back PDF generation functionality for convert utility. It also explains how to make it update proof in case of apt system updates.

It has been tested under Ubuntu Xenial 16.04 LTS and Ubuntu Bionic 18.04 LTS.

If you just want to recover PDF generation without all the explainations, you can jump to last section which provides a complete installation script.

1. Solution

PDF and PostScript generation restriction has been implemented with few lines in /etc/ImageMagisk-6/policy.xml :

/etc/ImageMagisk-6/policy.xml
...
<!-- disable ghostscript format types -->
<policy domain="coder" rights="none" pattern="PS" />
<policy domain="coder" rights="none" pattern="EPS" />
<policy domain="coder" rights="none" pattern="PDF" />
<policy domain="coder" rights="none" pattern="XPS" />
...

You can check quite easily what restriction applies with identify utility :

Terminal
# identify -list policy
Path: /etc/ImageMagick-6/policy.xml
...
Policy: Coder
rights: None
pattern: PS
Policy: Coder
rights: None
pattern: EPS
Policy: Coder
rights: None
pattern: PDF
Policy: Coder
rights: None
pattern: XPS
...

Solution is quite simple : we just need to cancel these lines from ImageMagick configuration.

On ImageMagick site, we get some clear explainations on how to handle configuration files.

On simple and clean answer would be to create $HOME/.config/ImageMagisk/policy.xml and add these lines :

.config/ImageMagisk/policy.xml
...
<!-- disable ghostscript format types -->
<policy domain="coder" rights="read|write" pattern="PS" />
<policy domain="coder" rights="read|write" pattern="EPS" />
<policy domain="coder" rights="read|write" pattern="PDF" />
<policy domain="coder" rights="read|write" pattern="XPS" />
...

But it doesn't work ! It must be a bug from ImageMagick, as these lines are accepted and reported by identify, but conversion still fails.

So, only solution is to remove the culprit lines from original /etc/ImageMagisk-6/policy.xml

This is done with this simple /usr/local/bin/imagemagisk-enable-pdf script :

/usr/local/bin/imagemagick-enable-pdf
#!/bin/bash
# -------------------------------------------------------------------------------
#  Modify ImageMagick configuration file to allow PDF and PostScript generation
#
#  Revision history :
#    06/10/2018, V1.0 - Creation by N. Bernaerts
# -------------------------------------------------------------------------------

# initialisation
CONF_FILE="/etc/ImageMagick-6/policy.xml"

# if imagemagick configuration file exists
if [ -f "${CONF_FILE}" ]
then
  # remove culprit lines
  sudo sed -i '/disable ghostscript format types/d' "${CONF_FILE}"
  sudo sed -i '/\"PS\"/d' "${CONF_FILE}"
  sudo sed -i '/\"EPS\"/d' "${CONF_FILE}"
  sudo sed -i '/\"PDF\"/d' "${CONF_FILE}"
  sudo sed -i '/\"XPS\"/d' "${CONF_FILE}"

  # log and display
  logger "ImageMagick PDF and PostScript restriction removal"
  echo "ImageMagick PDF and PostScript restriction removal"
fi

1.1. Make modification update proof

When you update your Ubuntu packages, file /etc/ImageMagick-6/policy.xml may be updated. Then, you'll loose your configuration patch allowing PDF generation.

As apt provides some hook mechanism, it is possible to create a simple /etc/apt/apt.conf.d/99imagemagick-enable-pdf configuration file that will provide the hook to suppress PDF format restrictions in /etc/ImageMagick-6/policy.xml everytime a package is handled by dpkg (the low level package management software).

This way, /etc/ImageMagick-6/policy.xml will be re-patched after every update process. Any package update should then be patch proof.

/etc/apt/apt.conf.d/99imagemagick-enable-pdf
## This file is provided by imagemagick-allow-pdf
## to re-declare the patch after apt upgrade
 
# Verify ImageMagick PDF generation patch when dpkg has been executed (i.e. after apt upgrade)
DPkg::Post-Invoke { "/usr/local/bin/imagemagick-enable-pdf"; };

Here is what you get when you reinstall a package :

Terminal
# sudo apt-get --reinstall install imagemagick-common
...
Preparing to unpack .../imagemagick-common_8%3a6.8.9.9-7ubuntu5.13_all.deb ...
Unpacking imagemagick-common (8:6.8.9.9-7ubuntu5.13) over (8:6.8.9.9-7ubuntu5.13) ...
Setting up imagemagick-common (8:6.8.9.9-7ubuntu5.13) ...
ImageMagick PDF and PostScript restriction removal
#

1.2. Installation script

 A complete installation script is available from my GitHub repository.

This script handle every aspect of ImageMagick patch to re-activate PDF and PostScript conversion :

  1. download and install imagemagick-enable-pdf script
  2. run the script to patch current configuration
  3. download and install apt hook 99imagemagick-enable-pdf

You just need to download it and to run it once for your system to get back its PDF and GhostScript conversion feature.

Terminal
# wget https://raw.githubusercontent.com/NicolasBernaerts/ubuntu-scripts/master/image/imagemagisk-enable-pdf-install.sh
# chmod +x ./imagemagisk-enable-pdf-install.sh
# ./imagemagisk-enable-pdf-install.sh
# rm ./imagemagisk-enable-pdf-install.sh

Hope it helps.

Signature Technoblog

This article is published "as is", without any warranty that it will work for your specific need.
If you think this article needs some complement, or simply if you think it saved you lots of time & trouble,
just let me know at This email address is being protected from spambots. You need JavaScript enabled to view it.. Cheers !

icon linux icon debian icon apache icon mysql icon php icon piwik icon googleplus