Trouble with batch conversion of .png to .pdf using convert

convert is a powerful command line tool to convert graphics. Its support for PDF is provided by Ghostscript. Because of a significant security hole in Ghostscript prior to version 9.24, use of convert on PDF files has been blocked as a stopgap. The issue has been fixed since Ghostscript version 9.24. While Ghostscript versions are updated to secure versions in all supported Ubuntu versions (at this time from Ubuntu 16.04 onwards), the usage restriction may still be in place.

The policy file is /etc/ImageMagick-6/policy.xml. You may edit that file as root user to change the policies.

Eliminating all usage restrictions

For desktop users not running a webserver, simply eliminating these restrictions might be good enough. To that aim, one may delete the file, but it is better practice to "move the file out" by renaming it. With this command, you are renaming the file. As a result, all policies are lifted, but you still can revert if needed:

sudo mv /etc/ImageMagick-6/policy.xml /etc/ImageMagick-6/policy.xmlout

To revert to the original situation, just rename back to the original name:

sudo mv /etc/ImageMagick-6/policy.xmlout /etc/ImageMagick-6/policy.xml

Be well aware that moving the policy file out decreases system security.

Eliminating only the restriction to combine into PDF

For your specific case, gene_wood in a comment pointed to the possibility to selectively relax the policy for working with PDF files by commenting out one line:

<policy domain="coder" rights="none" pattern="PDF" />

Edit the file, and place comment marks around this line to disable this rule:

<!-- <policy domain="coder" rights="none" pattern="PDF" /> -->

If you do not want to eliminate all security policies, this is the way to go.


As vanadium posted, you have to change the ImageMagick policy.

sudo vim /etc/ImageMagick-6/policy.xml

and replace the line

<policy domain="coder" rights="none" pattern="PDF" />

with

<policy domain="coder" rights="read|write" pattern="PDF" />

If you only want to allow write, and not read, you can also erase the read| part in the line above.


BTW, for those who are interested in the ImageMagick vulnerability, here are 2 informational links:

  • https://www.enisa.europa.eu/publications/info-notes/what2019s-behind-imagemagick-vulnerability
  • https://security.stackexchange.com/questions/122328/how-to-prevent-the-latest-imagemagick-vulnerability
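
The selective edit described in the two answers above, scripted so that it keeps a backup and checks its own result. This is an added example, not part of either answer; it assumes the rule appears on one line exactly as quoted above, the function names are hypothetical, and it defaults to write-only rights, which is all a PNG to PDF conversion needs.

```bash
# Added example (not from the answers). Assumes the rule is written on one
# line exactly as quoted above; function names are hypothetical.

# Print the rights of the active (uncommented) PDF coder rule, if any.
pdf_policy_rights() {
    # Strip one-line comments, then multi-line comment blocks, so a
    # commented-out rule is never reported as active.
    sed -e 's/<!--.*-->//g' -e '/<!--/,/-->/d' "$1" |
        sed -n 's/.*<policy domain="coder" rights="\([^"]*\)" pattern="PDF"[[:space:]]*\/>.*/\1/p' |
        tail -n 1
}

# Change rights="none" on the PDF rule to write (default) or read|write.
relax_pdf_policy() {
    local file="$1" rights="${2:-write}"
    case "$rights" in
        write|"read|write") ;;
        *) echo "unsupported rights: $rights" >&2; return 2 ;;
    esac
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    if [ "$(pdf_policy_rights "$file")" != "none" ]; then
        echo "no active rights=\"none\" PDF rule in $file; nothing changed" >&2
        return 1
    fi
    # Keep the original next to the edited file so the change can be reverted.
    cp -p "$file" "$file.bak" || return 1
    # Rewrite from the backup into the original path; only the PDF rule matches.
    sed "s/\(<policy domain=\"coder\" rights=\"\)none\(\" pattern=\"PDF\"\)/\1${rights}\2/" \
        "$file.bak" > "$file" || return 1
    # Confirm the edit took effect.
    [ "$(pdf_policy_rights "$file")" = "$rights" ]
}

# Usage, as root on the real file:
#   relax_pdf_policy /etc/ImageMagick-6/policy.xml
```

Restoring `policy.xml.bak` over `policy.xml` reverts the change; rules for other coders are left untouched.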

Rather than re-loosening ImageMagick's security restrictions, I'd just use img2pdf.

It's specifically designed for this kind of use-case.

You should use img2pdf if your priorities are (in this order):

  • always lossless: the image embedded in the PDF will always have the exact same color information for every pixel as the input
  • small: if possible, the difference in filesize between the input image and the output PDF will only be the overhead of the PDF container itself
  • fast: if possible, the input image is just pasted into the PDF document as-is without any CPU hungry re-encoding of the pixel data

Conventional conversion software (like ImageMagick) would either:

  1. not be lossless because lossy re-encoding to JPEG
  2. not be small because using wasteful flate encoding of raw pixel data
  3. not be fast because input data gets re-encoded

Another advantage of not having to re-encode the input (in most common situations) is that img2pdf is able to handle much larger input than other software, because the raw pixel data never has to be loaded into memory.

This should be the equivalent command:

img2pdf --out myfile.pdf /home/bill/TempScan/*.png 

If, for some reason, you can't do that (e.g. can't install new packages), another potential avenue for lossless conversion would be to convert your images into a multi-page TIFF file and then use tiff2pdf from the libtiff tools.