Page 1 of 2

Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability

Posted: 2016-05-04T18:08:15-07:00
by nakadoma
Is there a work around for RHEL5 they do not have a policy.xml in RHEL5 and what would be the repercussions of deinstalling imageMagick. There seems to be no information on making a work around for RHEL5. There is no policy.xml on RHEL5 instances.

Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability

Posted: 2016-05-04T18:09:52-07:00
by fmw42
Thanks for posting a new topic. I have deleted your duplicate post tacked onto another topic.

Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability

Posted: 2016-05-04T18:13:08-07:00
by nakadoma
Yeah I'm sorry about that. I apologize. Thanks.

Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability

Posted: 2016-05-04T18:13:32-07:00
by fmw42
No problem.

Are you sure there is not a policy.xml file? RHEL5 is unix and I assume that all unix versions of IM will install a policy.xml file? Where is your IM installed in /usr or /opt or somewhere else.

On my Mac OSX (unix),

Code: Select all

find /usr | grep "policy.xml"
/usr/local/etc/ImageMagick-6/policy.xml
/usr/local/share/doc/ImageMagick-6/www/source/policy.xml


see http://www.imagemagick.org/script/resources.php for various locations

Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability

Posted: 2016-05-04T18:24:07-07:00
by nakadoma
I thought the delegates.xml only works for ssl based on the other thread. So if I adjust delegates.xml will it provide the workaround for http and https? Or am I misunderstanding.

Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability

Posted: 2016-05-04T18:26:42-07:00
by fmw42
The security issue regards policy.xml, not delegates.xml. I was thinking policy.xml, but accidentally wrote delegates.xml. Sorry, my mistake. I have corrected my post above.

Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability

Posted: 2016-05-04T18:31:05-07:00
by fmw42
See my corrected post above.

Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability

Posted: 2016-05-04T18:34:39-07:00
by nakadoma
There is no policy.xml in this instance.
I used find and scanned the entire FS.
[ /etc]# ls -la /usr/lib/ImageMagick-6.2.8/config/
total 236
drwxr-xr-x 2 root root 4096 Jun 25 2015 .
drwxr-xr-x 4 root root 4096 Apr 25 2012 ..
-rw-r--r-- 1 root root 63539 Apr 25 2012 colors.xml
-rw-r--r-- 1 root root 2931 Apr 25 2012 configure.xml
-rw-r--r-- 1 root root 7852 Apr 25 2012 delegates.xml
-rw-r--r-- 1 root root 51580 Apr 25 2012 english.xml
-rw-r--r-- 1 root root 2392 Apr 25 2012 locale.xml
-rw-r--r-- 1 root root 10998 Apr 25 2012 type-ghostscript.xml
-rw-r--r-- 1 root root 5868 Apr 25 2012 type-solaris.xml
-rw-r--r-- 1 root root 19195 Apr 25 2012 type-windows.xml
-rw-r--r-- 1 root root 737 Apr 25 2012 type.xml
[ /etc]#

[ /etc]# find / -name "policy.xml"
/usr/share/selinux/devel/policy.xml
There is no policy file for ImageMagick on the rhel 5 instances. Other are having that problem too.
https://access.redhat.com/security/vuln ... 1#comments

Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability

Posted: 2016-05-04T18:51:46-07:00
by fmw42
I guess 6.2.8 was prior to the creation of policy.xml, unless it was accidentally deleted on your system. However, as I am not a developer, I will defer to the IM developers for a proper answer.

Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability

Posted: 2016-05-04T18:57:49-07:00
by fmw42
I checked the oldest version for which I access, 6.3.7.9 and it does not have a policy.xml file. So policy.xml must be a more current addition to IM. So you will need to hear back from the IM developers regarding how to handle this issue.

Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability

Posted: 2016-05-04T19:00:53-07:00
by nakadoma
This is true for all of our rhel5 boxes and other rhel 5 servers seem to be experiencing the same problem. For Developers do we need to try an update this package. Please see the link other people are experiencing this problem on rhel5. Its in the comments section. https://access.redhat.com/security/vuln ... 1#comments

Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability

Posted: 2016-05-04T19:01:48-07:00
by nakadoma
Thanks fmw42. I will wait for their reply thanks.

Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability

Posted: 2016-05-04T19:47:50-07:00
by fmw42
I think that if you upgrade to a version that has policy.xml, then you can add the extra policies to the file. Or better upgrade to the new 6.9.3.10 or IM 7.0.1.1 versions.

Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability

Posted: 2016-05-04T23:31:04-07:00
by frEEk
Even newer version (of CentOS at least) don't have policy.xml by default, you simply add the file to the config directory you discovered (that contains configure.xml). However, with 6.2 "convert -list policy" results in "convert: unrecognized list type `policy'." which suggests the policy file may not do anything.

It is possible that 6.2 isn't affected by this CVE. The ARS article for example mentioned "recent versions of ImageMagick".

Will just have to wait for a developer to confirm what versions of IM are affected.

Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability

Posted: 2016-05-04T23:35:47-07:00
by fmw42
I think the issue is with allowing MVG and MSL and https: files, not with the policy.xml. The policy.xml file is the way to block those files until you can upgrade to IM 6.9.3.10 or 7.0.0.1 where a patch has been added so that they all are trapped by the policy for @. Those are the file types that allow the vulnerability to enter with malicious code.

So my thought is 6.2.8 is vulnerable and has no way to trap out those files without a policy.xml file. My guess is that 6.2.8 does not have code to recognize any policies.

But again, I will defer to the IM developers.