Does ImageMagick ImageMagick-6.7.8.9-15.el7_2.x86_64 still require the vulnerability patch?

Post by Syntaf »

As the title states. In reference to viewtopic.php?f=4&t=29588 , do I still need to apply a none right to the https coder?

I attempted to search around but found the versioning pretty confusing. Looks like it was only fixed in versions > 7 ? https://github.com/ImageMagick/ImageMag ... eLog#L1015

Post by fmw42 »

What does

Code:

convert -list policy

show?

And/or look at your policy.xml file and see what it shows for HTTPS.

Post by fmw42 »

Also see http://www.imagemagick.org/script/resources.php for a list of the locations of the policy.xml file. You can edit that if you need to disable HTTPS.

Post by Syntaf »

We are currently denying access to https as the announcement post recommended, so it looks like

Code:

<policymap>
  <!-- The following are considered "Sane" defaults and can be tweaked -->
  <!-- <policy domain="resource" name="temporary-path" value="/tmp"/> -->
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="map" value="512MiB"/>
  <policy domain="resource" name="width" value="8KP"/>
  <policy domain="resource" name="height" value="8KP"/>
  <policy domain="resource" name="area" value="128MB"/>
  <policy domain="resource" name="disk" value="1GiB"/>
  <policy domain="resource" name="file" value="768"/>
  <policy domain="resource" name="thread" value="2"/>
  <policy domain="resource" name="throttle" value="0"/>
  <policy domain="resource" name="time" value="300"/>
  <!-- The following is a workaround for CVE-2016-3714 -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="path" rights="none" pattern="@*" />
</policymap>

However, I've switched the https rights to read, and haven't been able to successfully execute an exploit listed on https://imagetragick.com/ so far. I haven't tested them all yet, but it looks like things like MVG images are fixed (changing the name of an MVG and trying to identify it will give permission violations, and the shell character vulnerability does not seem to work either).

Post by fmw42 »

I will let the IM developers respond from here. Where did you edit the policy.xml file? In which directory?
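
The policy.xml check suggested in the thread, as an added example that is not part of any post above: a Python script that reports whether each entry of the CVE-2016-3714 workaround block is still set to rights="none", missing, or weakened. The function name, the sample policy and the glob matching via fnmatch are assumptions of this example; it audits a single file and does not model precedence across the several policy.xml locations, so `convert -list policy` remains the reference for the effective policy.

```python
import sys
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Entries from the CVE-2016-3714 workaround block in the policy.xml posted in the thread.
WORKAROUND = [("coder", "EPHEMERAL"), ("coder", "HTTPS"), ("coder", "MVG"),
              ("coder", "MSL"), ("path", "@*")]

# Constructed sample: HTTPS switched to "read" (as described in the thread), MSL commented out.
SAMPLE = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="read" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <!-- <policy domain="coder" rights="none" pattern="MSL" /> -->
  <policy domain="path" rights="none" pattern="@*" />
</policymap>"""

def audit_policy(xml_text):
    """Map each workaround entry to 'none', 'missing' or 'weakened:<rights>'."""
    root = ET.fromstring(xml_text)  # XML comments are dropped by the parser
    report = {}
    for domain, name in WORKAROUND:
        rights = []
        for pol in root.iter("policy"):
            if pol.get("domain", "").lower() != domain:
                continue
            pattern = pol.get("pattern", "")
            # Assumption: coder patterns are globs over the coder name (approximated
            # with fnmatch); the path entry is compared literally.
            hit = pattern == name if domain == "path" else fnmatchcase(name, pattern.upper())
            if hit:
                rights.append(pol.get("rights", "").strip().lower())
        loose = sorted({r for r in rights if r != "none"})
        if not rights:
            report[(domain, name)] = "missing"
        elif loose:
            # Conservative: any matching entry that grants rights is reported.
            report[(domain, name)] = "weakened:" + ",".join(loose)
        else:
            report[(domain, name)] = "none"
    return report

if __name__ == "__main__":
    # Usage: python audit_policy.py /path/to/policy.xml  (no argument: audit SAMPLE)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for (domain, name), status in audit_policy(text).items():
        print(f"{domain:6} {name:10} {status}")
```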