ImageMagick Security Issue

Questions and postings pertaining to the development of ImageMagick, feature enhancements, and ImageMagick internals. ImageMagick source code and algorithms are discussed here. Usage questions which are too arcane for the normal user list should also be posted here.
frEEk
Posts: 8
Joined: 2016-05-04T18:14:10-07:00
Authentication code: 1151

Re: ImageMagick Security Issue

Post by frEEk » 2016-05-05T14:15:47-07:00

Looks like you have a syntax error in your policy file fmw42 (I'm guessing) since it isn't listing any actual policy statements. On CentOS 6 (i think) machines where I've applied the mitigation I get:
# convert -list policy

Path: [built-in]
Policy: Undefined
rights: None

Path: /usr/lib64/ImageMagick-6.7.8/config/policy.xml
Policy: Coder
rights: None
pattern: EPHEMERAL
Policy: Coder
rights: None
pattern: URL
Policy: Coder
rights: None
pattern: HTTPS
Policy: Coder
rights: None
pattern: MVG
Policy: Coder
rights: None
pattern: MSL

User avatar
fmw42
Posts: 21853
Joined: 2007-07-02T17:14:51-07:00
Location: Sunnyvale, California, USA

Re: ImageMagick Security Issue

Post by fmw42 » 2016-05-05T14:21:32-07:00

I usually do:

Code: Select all

cat /usr/local/etc/ImageMagick-6/policy.xml
and get

...
<policymap>
<!-- <policy domain="resource" name="temporary-path" value="/tmp"/> -->
<!-- <policy domain="resource" name="memory" value="2GiB"/> -->
<!-- <policy domain="resource" name="map" value="4GiB"/> -->
<!-- <policy domain="resource" name="width" value="10MP"/> -->
<!-- <policy domain="resource" name="height" value="10MP"/> -->
<!-- <policy domain="resource" name="area" value="1GB"/> -->
<!-- <policy domain="resource" name="disk" value="16EB"/> -->
<!-- <policy domain="resource" name="file" value="768"/> -->
<!-- <policy domain="resource" name="thread" value="4"/> -->
<!-- <policy domain="resource" name="throttle" value="0"/> -->
<!-- <policy domain="resource" name="time" value="3600"/> -->
<!-- <policy domain="system" name="precision" value="6"/> -->
<policy domain="cache" name="shared-secret" value="passphrase"/>
</policymap>

or

Code: Select all

convert -list resource
Resource limits:
Width: 214.7MP
Height: 214.7MP
Area: 4.295GP
Memory: 2GiB
Map: 4GiB
Disk: unlimited
File: 192
Thread: 2
Throttle: 0
Time: unlimited

ditto
Posts: 25
Joined: 2012-10-12T10:23:43-07:00
Authentication code: 67789

Re: ImageMagick Security Issue

Post by ditto » 2016-05-05T21:32:10-07:00

@fmw42 , are you not going to apply the line:

<policy domain="path" rights="none" pattern="@*" />

to your policy.xml file? I was under impression that line was also needed even on the newest version of ImageMagick?

(Also, thanks for all the helpfull replies I got on page 2 in the thread.)

User avatar
fmw42
Posts: 21853
Joined: 2007-07-02T17:14:51-07:00
Location: Sunnyvale, California, USA

Re: ImageMagick Security Issue

Post by fmw42 » 2016-05-05T22:02:51-07:00

I may. But I am not on a server, just my home computer. So I trust myself and need @filename for my usage. A few of my scripts may not work on servers who install such policy. But that is the user's decision to use those few of my scripts or not on those servers.

Post Reply