Page 3 of 3
Re: ImageMagick Security Issue
Posted: 2016-05-05T14:15:47-07:00
by frEEk
Looks like you have a syntax error in your policy file fmw42 (I'm guessing) since it isn't listing any actual policy statements. On CentOS 6 (I think) machines where I've applied the mitigation I get:
# convert -list policy
Path: [built-in]
Policy: Undefined
rights: None
Path: /usr/lib64/ImageMagick-6.7.8/config/policy.xml
Policy: Coder
rights: None
pattern: EPHEMERAL
Policy: Coder
rights: None
pattern: URL
Policy: Coder
rights: None
pattern: HTTPS
Policy: Coder
rights: None
pattern: MVG
Policy: Coder
rights: None
pattern: MSL
Re: ImageMagick Security Issue
Posted: 2016-05-05T14:21:32-07:00
by fmw42
I usually do:
cat /usr/local/etc/ImageMagick-6/policy.xml
and get
...
<policymap>
<!-- <policy domain="resource" name="temporary-path" value="/tmp"/> -->
<!-- <policy domain="resource" name="memory" value="2GiB"/> -->
<!-- <policy domain="resource" name="map" value="4GiB"/> -->
<!-- <policy domain="resource" name="width" value="10MP"/> -->
<!-- <policy domain="resource" name="height" value="10MP"/> -->
<!-- <policy domain="resource" name="area" value="1GB"/> -->
<!-- <policy domain="resource" name="disk" value="16EB"/> -->
<!-- <policy domain="resource" name="file" value="768"/> -->
<!-- <policy domain="resource" name="thread" value="4"/> -->
<!-- <policy domain="resource" name="throttle" value="0"/> -->
<!-- <policy domain="resource" name="time" value="3600"/> -->
<!-- <policy domain="system" name="precision" value="6"/> -->
<policy domain="cache" name="shared-secret" value="passphrase"/>
</policymap>
or
Resource limits:
Width: 214.7MP
Height: 214.7MP
Area: 4.295GP
Memory: 2GiB
Map: 4GiB
Disk: unlimited
File: 192
Thread: 2
Throttle: 0
Time: unlimited
Re: ImageMagick Security Issue
Posted: 2016-05-05T21:32:10-07:00
by ditto
@fmw42, are you not going to apply the line:
<policy domain="path" rights="none" pattern="@*" />
to your policy.xml file? I was under impression that line was also needed even on the newest version of ImageMagick?
(Also, thanks for all the helpful replies I got on page 2 in the thread.)
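Two things come up in the posts above: frEEk's point that a policy.xml with a syntax error yields an empty `convert -list policy` listing, and ditto's question about whether the `path` `@*` line belongs in the file alongside the coder entries. The script below is an added example, not code from the thread or from ImageMagick, that parses a policy.xml and reports which of the six entries discussed here are missing or not set to `rights="none"`, treating an unparseable file as a finding in its own right. The sample policy files are constructed for the example; the check assumes the patterns are spelled exactly as in the posts (uppercase coder names, `@*` for the path domain).

```python
"""Check an ImageMagick policy.xml for the mitigation entries discussed in the thread."""
import xml.etree.ElementTree as ET

# The (domain, pattern) pairs the thread discusses; each must carry rights="none".
REQUIRED_POLICIES = (
    ("coder", "EPHEMERAL"),
    ("coder", "URL"),
    ("coder", "HTTPS"),
    ("coder", "MVG"),
    ("coder", "MSL"),
    ("path", "@*"),
)

# Constructed sample: resource/cache entries only, no mitigation lines (like fmw42's file).
POLICY_WITHOUT_MITIGATION = """<policymap>
  <!-- <policy domain="resource" name="memory" value="2GiB"/> -->
  <policy domain="cache" name="shared-secret" value="passphrase"/>
</policymap>
"""

# Constructed sample: the same file with the mitigation entries added.
POLICY_WITH_MITIGATION = """<policymap>
  <policy domain="cache" name="shared-secret" value="passphrase"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="path" rights="none" pattern="@*" />
</policymap>
"""

# Constructed sample: a malformed file (the closing '>' of one policy tag is missing).
POLICY_MALFORMED = """<policymap>
  <policy domain="coder" rights="none" pattern="MVG"
</policymap>
"""


def parse_policies(xml_text):
    """Return a list of (domain, rights, pattern) tuples from a policy.xml string.

    Raises ET.ParseError on malformed XML. As frEEk's listing suggests, a file
    that does not parse contributes no policies at all, so a parse error is
    itself a finding rather than something to skip over.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "policymap":
        raise ValueError("root element is not <policymap>")
    return [
        (p.get("domain", "").lower(), p.get("rights", "").lower(), p.get("pattern", ""))
        for p in root.iter("policy")
    ]


def missing_mitigations(xml_text):
    """Return the required (domain, pattern) pairs that are absent or not rights="none".

    On a parse failure, return a single ("parse-error", message) entry so the
    caller can distinguish a broken file from a merely incomplete one.
    """
    try:
        present = parse_policies(xml_text)
    except (ET.ParseError, ValueError) as exc:
        return [("parse-error", str(exc))]
    denied = {(domain, pattern) for domain, rights, pattern in present if rights == "none"}
    return [req for req in REQUIRED_POLICIES if req not in denied]


def check_file(path):
    """Convenience wrapper for a policy.xml on disk (e.g. the paths quoted in the thread)."""
    with open(path, encoding="utf-8") as fh:
        return missing_mitigations(fh.read())


if __name__ == "__main__":
    for label, text in (
        ("without mitigation", POLICY_WITHOUT_MITIGATION),
        ("with mitigation", POLICY_WITH_MITIGATION),
        ("malformed", POLICY_MALFORMED),
    ):
        gaps = missing_mitigations(text)
        print(f"{label}: {'OK' if not gaps else gaps}")
```

Run `check_file("/usr/local/etc/ImageMagick-6/policy.xml")` (or whichever path `convert -list policy` reports) to test a real installation; an empty list means every entry from the thread is present with `rights="none"`, a `parse-error` entry means ImageMagick is most likely ignoring the file entirely.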
Re: ImageMagick Security Issue
Posted: 2016-05-05T22:02:51-07:00
by fmw42
I may. But I am not on a server, just my home computer. So I trust myself and need @filename for my usage. A few of my scripts may not work on servers that install such a policy. But that is the user's decision to use those few of my scripts or not on those servers.