Is 6.7.7-10 with only png parser vulnerable to exploits?

mjmj
Posts: 9
Joined: 2018-07-05T11:50:44-07:00
Authentication code: 1152

Is 6.7.7-10 with only png parser vulnerable to exploits?

Post by mjmj » 2018-07-06T13:57:49-07:00

I'm running ImageMagick 6.7.7-10 on Ubuntu Trusty with only the PNG parser being used (JPEGs being renamed to png, or PNGs).

Am I vulnerable to any known exploits? I can't easily upgrade from this version at this time.

Version: ImageMagick 6.7.7-10 2018-06-11 Q16 http://www.imagemagick.org
Copyright: Copyright (C) 1999-2012 ImageMagick Studio LLC
Features: OpenMP

fmw42
Posts: 24156
Joined: 2007-07-02T17:14:51-07:00
Authentication code: 1152
Location: Sunnyvale, California, USA

Re: Is 6.7.7-10 with only png parser vulnerable to exploits?

Post by fmw42 » 2018-07-06T14:22:05-07:00

Edit your policy.xml file to restrict anything you think is risky.

mjmj
Posts: 9
Joined: 2018-07-05T11:50:44-07:00
Authentication code: 1152

Re: Is 6.7.7-10 with only png parser vulnerable to exploits?

Post by mjmj » 2018-07-06T14:37:18-07:00

That's helpful, thanks. We also accept JPEG but rename the suffix to png and use the PNG parser. Does that help avoid JPEG parser vulnerabilities? Or not really change anything?

I tried reading through CVE issues but it's overwhelming and still not clear if this version is safe with the PNG-only parser. Thanks again.

fmw42
Posts: 24156
Joined: 2007-07-02T17:14:51-07:00
Authentication code: 1152
Location: Sunnyvale, California, USA

Re: Is 6.7.7-10 with only png parser vulnerable to exploits?

Post by fmw42 » 2018-07-06T14:46:26-07:00

I do not see how renaming your jpg images to png does anything but confuse other image readers. Presumably the image headers will tell the reader to avoid the suffix and use the actual file type. So they should still see it as JPG.

Your IM version is ancient. But Linux distributions don't change version numbers when they add patches. So your last patch was 6/11/2018, so just a few days ago.
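
The point above, that a reader goes by the file header rather than the suffix, can be checked before an upload reaches ImageMagick. This is an added example, not part of any post in the thread and not ImageMagick code; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an upload by its leading bytes, not by its name.

# Print the first N bytes of a file as lowercase hex without separators.
hex_prefix() {
    # $1 = path, $2 = byte count
    head -c "$2" "$1" | od -An -v -tx1 | tr -d ' \n'
}

# Print PNG, JPEG, GIF or UNKNOWN according to the file signature.
sniff_format() {
    sig=$(hex_prefix "$1" 8)
    case "$sig" in
        89504e470d0a1a0a) echo PNG ;;             # \x89 P N G \r \n \x1a \n
        ffd8ff*) echo JPEG ;;                     # SOI marker, then a marker byte
        474946383761*|474946383961*) echo GIF ;;  # GIF87a / GIF89a
        *) echo UNKNOWN ;;                        # includes empty files
    esac
}

# Return 0 only when the content really is PNG; otherwise report and return 1.
accept_png_only() {
    fmt=$(sniff_format "$1")
    if [ "$fmt" = PNG ]; then
        return 0
    fi
    echo "rejected: $1 is $fmt by content, whatever its suffix" >&2
    return 1
}

# Constructed sample inputs: signature bytes only, all named *.png.
make_samples() {
    printf '\211PNG\r\n\032\n' > "$1/real.png"     # genuine PNG signature
    printf '\377\330\377\340'  > "$1/renamed.png"  # JPEG bytes, .png name
    printf 'GIF89a'            > "$1/anim.png"     # GIF bytes, .png name
}

# Demo: every sample has a .png suffix, only one is PNG by content.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in "$demo_dir"/*.png; do
    echo "$(basename "$f"): $(sniff_format "$f")"
done
rm -rf "$demo_dir"
```

A renamed JPEG is reported as JPEG here, so a gate like `accept_png_only` keeps it away from the image library regardless of the file name.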

mjmj
Posts: 9
Joined: 2018-07-05T11:50:44-07:00
Authentication code: 1152

Re: Is 6.7.7-10 with only png parser vulnerable to exploits?

Post by mjmj » 2018-07-06T14:56:35-07:00

> Your IM version is ancient. But Linux distributions don't change version numbers when they add patches. So your last patch was 6/11/2018, so just a few days ago.

Good to know! That makes me feel much better since we build and update the base OS frequently. How can I see the latest patches that are being released and also verify my system as it is installed? That will be good enough for me to buy time to upgrade our OS and IM versions.

fmw42
Posts: 24156
Joined: 2007-07-02T17:14:51-07:00
Authentication code: 1152
Location: Sunnyvale, California, USA

Re: Is 6.7.7-10 with only png parser vulnerable to exploits?

Post by fmw42 » 2018-07-06T15:37:48-07:00

Latest binaries are at http://www.imagemagick.org/script/download.php

Latest sources are at https://www.imagemagick.org/download/

But if you are using shared hosting, your provider does the patches whenever the Linux distributions change.

Patches are not always upgrading features, but should be upgrading security issues when they are fixed by the ImageMagick developers. You would have to inquire with the Linux managers.

mjmj
Posts: 9
Joined: 2018-07-05T11:50:44-07:00
Authentication code: 1152

Re: Is 6.7.7-10 with only png parser vulnerable to exploits?

Post by mjmj » 2018-07-09T12:49:54-07:00

Thanks fmw42, saved my day.
