
ImageMagick Security Issue

Posted: 2016-05-03T04:29:00-07:00
by magick
We have recently received vulnerability reports for certain coders; they include possible remote code execution and the ability to render files on the local system. The ImageMagick policy was developed many years ago to help prevent possible exploits and is discussed here: ... =4&t=26801. To prevent these possible exploits, simply add
    <policy domain="coder" rights="none" pattern="EPHEMERAL" />
    <policy domain="coder" rights="none" pattern="HTTPS" />
    <policy domain="coder" rights="none" pattern="MVG" />
    <policy domain="coder" rights="none" pattern="MSL" />
    <policy domain="coder" rights="none" pattern="TEXT" />
    <policy domain="coder" rights="none" pattern="SHOW" />
    <policy domain="coder" rights="none" pattern="WIN" />
    <policy domain="coder" rights="none" pattern="PLT" />
to your policy.xml file. For HTTPS, you can also remove support by deleting it from the delegates.xml configuration file.

We have secured the delegates in ImageMagick 7.0.1-9 and 6.9.4-7 by sanitizing the parameters. This release also supports a new policy that prevents indirect reads:
    <policy domain="path" rights="none" pattern="@*" />
Pipes are disabled by default unless the --enable-pipes option is given on the configure script command line.

In these releases, reading MVG and MSL scripts is explicit. For example, if your script is named my_graph.mvg, to render it, use a filename of mvg:my_graph.mvg. Text is also explicit, e.g. text:myText.txt. We also no longer support the EPHEMERAL coder, previously an internal coder that could remove a file as ImageMagick exits.

You can verify your policies with this command:


-> convert -list policy
Path: ImageMagick-7/policy.xml
  Policy: Resource
    name: time
    value: 120
  Policy: Resource
    name: throttle
    value: 0
  Policy: Resource
    name: thread
    value: 2
  Policy: Resource
    name: file
    value: 768
  Policy: Resource
    name: disk
    value: 1GiB
  Policy: Resource
    name: map
    value: 512MiB
  Policy: Resource
    name: memory
    value: 256MiB
  Policy: Resource
    name: area
    value: 128MB
  Policy: Resource
    name: height
    value: 8KP
  Policy: Resource
    name: width
    value: 8KP
  Policy: Resource
    name: temporary-path
    value: /tmp
  Policy: System
    name: precision
    value: 6
  Policy: Coder
    rights: None 
    pattern: MSL
  Policy: Coder
    rights: None 
    pattern: MVG
  Policy: Path
    rights: None 
    pattern: @*
  Policy: Path
    rights: None 
    pattern: |*

Path: [built-in]
  Policy: Undefined
    rights: None 

Do not post questions or comments here. This forum is for announcements only. Instead post to the Developers forum as separate posts for different types of issues or platform questions, etc. Don't tack onto an unrelated question. See viewtopic.php?f=4&t=29599, which is the very top-most post in this forum.
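The following checker is an added example, not code from the ImageMagick project or from the post above. It parses a policy.xml file and reports which of the coder denials listed in the announcement (EPHEMERAL, HTTPS, MVG, MSL, TEXT, SHOW, WIN, PLT) and the `@*` path denial are absent. It assumes the policy.xml layout the post implies: a `<policymap>` root holding `<policy domain="..." rights="..." pattern="..."/>` elements. The embedded sample policy is constructed for illustration and mirrors the `-list policy` output in the post, which only denies MSL and MVG, so the checker flags the remaining six coders.

```python
"""Report which policy.xml entries recommended in the ImageMagick advisory are missing.

Added example, not ImageMagick's own code. Assumes a policy.xml whose root is
<policymap> containing <policy domain=... rights=... pattern=.../> elements.
"""
import sys
import xml.etree.ElementTree as ET

# Coders the advisory says to deny, plus the indirect-read path policy.
REQUIRED_CODERS = ("EPHEMERAL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT")
REQUIRED_PATHS = ("@*",)

# Constructed sample policy.xml: denies only MSL and MVG (as in the post's
# "convert -list policy" output) and restricts @* indirect reads.
SAMPLE_POLICY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="path" rights="none" pattern="@*"/>
</policymap>
"""


def denied_patterns(policy_xml: str, domain: str) -> set:
    """Return the set of patterns in `domain` whose rights are exactly 'none'.

    Patterns are upper-cased so that a lower-case entry such as pattern="mvg"
    still counts as a denial of MVG. Entries with any rights other than 'none'
    (e.g. rights="read") are ignored, since they do not disable the coder.
    """
    root = ET.fromstring(policy_xml)
    denied = set()
    for policy in root.iter("policy"):
        if policy.get("domain", "").strip().lower() != domain:
            continue
        if policy.get("rights", "").strip().lower() != "none":
            continue
        pattern = policy.get("pattern")
        if pattern:
            denied.add(pattern.strip().upper())
    return denied


def missing_policies(policy_xml: str) -> dict:
    """Return {'coder': [...], 'path': [...]} listing recommended denials not present."""
    coders = denied_patterns(policy_xml, "coder")
    paths = denied_patterns(policy_xml, "path")
    return {
        "coder": [c for c in REQUIRED_CODERS if c not in coders],
        "path": [p for p in REQUIRED_PATHS if p.upper() not in paths],
    }


def main(argv) -> int:
    """Check the policy.xml given as argv[1], or the constructed sample if none is given."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_POLICY_XML
    gaps = missing_policies(xml_text)
    for domain, patterns in gaps.items():
        for pattern in patterns:
            print(f'missing: <policy domain="{domain}" rights="none" pattern="{pattern}" />')
    return 1 if any(gaps.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_policy.py /etc/ImageMagick-7/policy.xml` (the path is whatever `convert -list policy` reports under "Path:"); a non-zero exit status means at least one recommended denial is missing, which makes the check easy to wire into a build or deployment pipeline. Note that this only inspects policy.xml; HTTPS support removed via delegates.xml, as the post also suggests, would not be reflected here.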