Page 1 of 1
Is 6.7.7-10 with only png parser vulnerable to exploits?
Posted: 2018-07-06T13:57:49-07:00
by mjmj
I'm running ImageMagick 6.7.7-10 on Ubuntu Trusty with only the png parser being used (jpeg being renamed to png, or png's)
Am I vulnerable to any known exploits? I can't easily upgrade from this version at this time.
Version: ImageMagick 6.7.7-10 2018-06-11 Q16
http://www.imagemagick.org
Copyright: Copyright (C) 1999-2012 ImageMagick Studio LLC
Features: OpenMP
Re: Is 6.7.7-10 with only png parser vulnerable to exploits?
Posted: 2018-07-06T14:22:05-07:00
by fmw42
Edit your policy.xml file to restrict anything you think is risky.
Re: Is 6.7.7-10 with only png parser vulnerable to exploits?
Posted: 2018-07-06T14:37:18-07:00
by mjmj
That's helpful thanks, we also accept jpeg but rename the suffix to png and use the png parser. Does that help avoid jpeg parser vulnerabilities? Or not really change anything.
I tried reading through cve issues but it's overwhelming and still not clear if this version is safe with png only parser. Thanks again.
Re: Is 6.7.7-10 with only png parser vulnerable to exploits?
Posted: 2018-07-06T14:46:26-07:00
by fmw42
I do not see how renaming your jpg images to png does anything but confuse other image readers. Presumably the image headers will tell the reader to avoid the suffix and use the actual type file. So they should still see it as JPG.
Your IM versions is ancient. But Linux distributions don't change version numbers when they add patches. So you last patch was 6/11/2018, so just a fe days ago.
Re: Is 6.7.7-10 with only png parser vulnerable to exploits?
Posted: 2018-07-06T14:56:35-07:00
by mjmj
Your IM versions is ancient. But Linux distributions don't change version numbers when they add patches. So you last patch was 6/11/2018, so just a fe days ago.
Good to know! That makes me feel much better since we build and update the base OS frequently. How can I see the latest patches that are being released and also verify my system as it installed? That will be good enough for me to buy time to upgrade our OS and IM versions.
Re: Is 6.7.7-10 with only png parser vulnerable to exploits?
Posted: 2018-07-06T15:37:48-07:00
by fmw42
Latest binaries are at
http://www.imagemagick.org/script/download.php
Latest sources are at
https://www.imagemagick.org/download/
But if you are using shared hosting, your provider does the patches whenever the Linux distributions change.
Patches are not always upgrading features, but should be upgrading security issues when they are fixed by the Imagemagick developers. You would have to inquire to the Linux managers.
Re: Is 6.7.7-10 with only png parser vulnerable to exploits?
Posted: 2018-07-09T12:49:54-07:00
by mjmj
Thanks fmw42, saved my day.