
Does ImageMagick ImageMagick-6.7.8.9-15.el7_2.x86_64 still require the vulnerability patch?

Posted: 2018-05-29T16:06:11-07:00
by Syntaf
As the title states. In reference to viewtopic.php?f=4&t=29588, do I still need to apply a none right to the https coder?

I attempted to search around but found the versioning pretty confusing. Looks like it was only fixed in versions > 7? https://github.com/ImageMagick/ImageMag ... eLog#L1015

Re: Does ImageMagick ImageMagick-6.7.8.9-15.el7_2.x86_64 still require the vulnerability patch?

Posted: 2018-05-29T16:30:49-07:00
by fmw42
What does

Code:

convert -list policy
show?

And/or look at your policy.xml file and see what it shows for HTTPS.

Re: Does ImageMagick ImageMagick-6.7.8.9-15.el7_2.x86_64 still require the vulnerability patch?

Posted: 2018-05-29T16:34:41-07:00
by fmw42
Also see http://www.imagemagick.org/script/resources.php for a list of the locations of the policy.xml file. You can edit that if you need to disable HTTPS.

Re: Does ImageMagick ImageMagick-6.7.8.9-15.el7_2.x86_64 still require the vulnerability patch?

Posted: 2018-05-29T16:36:09-07:00
by Syntaf
We are currently denying access to https as the announcement post recommended, so it looks like

Code:

<policymap>
  <!-- The following are considered "Sane" defaults and can be tweaked -->
  <!-- <policy domain="resource" name="temporary-path" value="/tmp"/> -->
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="map" value="512MiB"/>
  <policy domain="resource" name="width" value="8KP"/>
  <policy domain="resource" name="height" value="8KP"/>
  <policy domain="resource" name="area" value="128MB"/>
  <policy domain="resource" name="disk" value="1GiB"/>
  <policy domain="resource" name="file" value="768"/>
  <policy domain="resource" name="thread" value="2"/>
  <policy domain="resource" name="throttle" value="0"/>
  <policy domain="resource" name="time" value="300"/>
  <!-- The following is a workaround for CVE-2016-3714 -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="path" rights="none" pattern="@*" />
</policymap>
However, I've switched the https rights to read, and haven't been able to successfully execute an exploit listed on https://imagetragick.com/ so far. I haven't tested them all yet, but it looks like things like MVG images are fixed (changing the name of an MVG and trying to identify it will give permission violations, and the shell character vulnerability does not seem to work either).
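
Added example (not part of the original post, and not ImageMagick project code): a small Python check that a policy.xml still carries the CVE-2016-3714 workaround entries shown above. The function name `audit_policy`, the status strings and the sample input are assumptions made for illustration; the check matches patterns literally and does not evaluate ImageMagick's glob matching.

```python
import xml.etree.ElementTree as ET

# Entries from the CVE-2016-3714 workaround shown in the post above.
REQUIRED_DENIALS = [("coder", "EPHEMERAL"), ("coder", "HTTPS"),
                    ("coder", "MVG"), ("coder", "MSL"), ("path", "@*")]


def audit_policy(xml_text):
    """Return {(domain, pattern): status} for each workaround entry.

    status is "denied", "missing", or "weakened:<rights>". An entry counts
    as denied only if every matching <policy> element has rights="none".
    The parser drops XML comments, so a commented-out policy is "missing".
    """
    root = ET.fromstring(xml_text)
    results = {}
    for domain, pattern in REQUIRED_DENIALS:
        rights = [
            p.get("rights", "").strip().lower()
            for p in root.iter("policy")
            if p.get("domain", "").lower() == domain
            and p.get("pattern", "").upper() == pattern
        ]
        if not rights:
            results[(domain, pattern)] = "missing"
        elif all(r == "none" for r in rights):
            results[(domain, pattern)] = "denied"
        else:
            bad = sorted({r for r in rights if r != "none"})
            results[(domain, pattern)] = "weakened:" + ",".join(bad)
    return results


# Constructed sample: the posted policy with HTTPS switched to "read"
# and the MSL line commented out.
SAMPLE = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="read" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <!-- <policy domain="coder" rights="none" pattern="MSL" /> -->
  <policy domain="path" rights="none" pattern="@*" />
</policymap>"""

if __name__ == "__main__":
    for key, status in audit_policy(SAMPLE).items():
        print(key, status)
```

Run it against the policy.xml that `convert -list policy` reports as loaded, since several locations can hold one.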

Re: Does ImageMagick ImageMagick-6.7.8.9-15.el7_2.x86_64 still require the vulnerability patch?

Posted: 2018-05-29T16:49:05-07:00
by fmw42
I will let the IM developers respond from here. Where did you edit the policy.xml file? In which directory?