Search found 8 matches

by frEEk
2016-05-05T19:46:02-07:00
Forum: Developers
Topic: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability
Replies: 23
Views: 30652

Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability

trav's mitigation worked for me with ImageMagick 6.2.
6.5 and 6.7 took the policy.xml mitigation.
6.0 does not appear to be susceptible to the MVG exploit per the test in the Redhat article above.

Obviously your mileage may vary, this is just my experience.

Thanks for the idea trav.
by frEEk
2016-05-05T14:15:47-07:00
Forum: Developers
Topic: ImageMagick Security Issue
Replies: 33
Views: 49684

Re: ImageMagick Security Issue

Looks like you have a syntax error in your policy file fmw42 (I'm guessing) since it isn't listing any actual policy statements. On CentOS 6 (i think) machines where I've applied the mitigation I get: # convert -list policy Path: [built-in] Policy: Undefined rights: None Path: /usr/lib64/ImageMagick...
by frEEk
2016-05-05T13:55:22-07:00
Forum: Developers
Topic: ImageMagick Security Issue
Replies: 33
Views: 49684

Re: ImageMagick Security Issue

# convert -version zsh: command not found: convert Sounds to me like you don't use imagemagick. Just because WP has files that mention IM, doesn't mean it is in use, just that it supports it. Your WP installation may use GD or some other image manipulation library. You may get some confirmation by ...
by frEEk
2016-05-05T13:52:50-07:00
Forum: Developers
Topic: ImageMagick Security Issue
Replies: 33
Views: 49684

Re: ImageMagick Security Issue

fmw42 wrote:I believe that he means

Code: Select all

convert -list resource
That may work too, but I did mean "policy" as it shows the results of the lines added to the policy file. I used it as a way to confirm the additions had been read correctly.
by frEEk
2016-05-05T08:47:37-07:00
Forum: Developers
Topic: ImageMagick Security Issue
Replies: 33
Views: 49684

Re: ImageMagick Security Issue

>Or do I need to apply the polycy mentioned above? As I read it, yes you need to do the update AND add that one policy line (as opposed to adding several policy lines with the unpatched version). >is the path /usr/local/etc/ImageMagick-6/policy.xml the correct place to edit the policy file? The path...
by frEEk
2016-05-04T23:31:04-07:00
Forum: Developers
Topic: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability
Replies: 23
Views: 30652

Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability

Even newer version (of CentOS at least) don't have policy.xml by default, you simply add the file to the config directory you discovered (that contains configure.xml). However, with 6.2 "convert -list policy" results in "convert: unrecognized list type `policy'." which suggests t...
by frEEk
2016-05-04T23:21:04-07:00
Forum: Developers
Topic: ImageMagick Security Issue
Replies: 33
Views: 49684

Re: ImageMagick Security Issue

I see my question is effectively the same as viewtopic.php?f=2&t=29614
by frEEk
2016-05-04T18:18:32-07:00
Forum: Developers
Topic: ImageMagick Security Issue
Replies: 33
Views: 49684

Re: ImageMagick Security Issue

What versions are affected by this? I have some legacy machines running 6.2.8 that don't understand "convert -list policy". Is it safe to assume they aren't vulnerable?