trav's mitigation worked for me with ImageMagick 6.2.
6.5 and 6.7 took the policy.xml mitigation.
6.0 does not appear to be susceptible to the MVG exploit per the test in the Red Hat article above.
Obviously your mileage may vary, this is just my experience.
Thanks for the idea trav.
Search found 8 matches
- 2016-05-05T19:46:02-07:00
- Forum: Developers
- Topic: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability
- Replies: 23
- Views: 35774
- 2016-05-05T14:15:47-07:00
- Forum: Developers
- Topic: ImageMagick Security Issue
- Replies: 33
- Views: 62322
Re: ImageMagick Security Issue
Looks like you have a syntax error in your policy file fmw42 (I'm guessing) since it isn't listing any actual policy statements. On CentOS 6 (I think) machines where I've applied the mitigation I get:
# convert -list policy
Path: [built-in]
Policy: Undefined
rights: None
Path: /usr/lib64/ImageMagick ...
- 2016-05-05T13:55:22-07:00
- Forum: Developers
- Topic: ImageMagick Security Issue
- Replies: 33
- Views: 62322
Re: ImageMagick Security Issue
# convert -version
zsh: command not found: convert
Sounds to me like you don't use imagemagick. Just because WP has files that mention IM, doesn't mean it is in use, just that it supports it. Your WP installation may use GD or some other image manipulation library. You may get some confirmation by ...
- 2016-05-05T13:52:50-07:00
- Forum: Developers
- Topic: ImageMagick Security Issue
- Replies: 33
- Views: 62322
Re: ImageMagick Security Issue
That may work too, but I did mean "policy" as it shows the results of the lines added to the policy file. I used it as a way to confirm the additions had been read correctly.
fmw42 wrote: I believe that he means
convert -list resource
- 2016-05-05T08:47:37-07:00
- Forum: Developers
- Topic: ImageMagick Security Issue
- Replies: 33
- Views: 62322
Re: ImageMagick Security Issue
>Or do I need to apply the policy mentioned above?
As I read it, yes you need to do the update AND add that one policy line (as opposed to adding several policy lines with the unpatched version).
>is the path /usr/local/etc/ImageMagick-6/policy.xml the correct place to edit the policy file?
The path ...
- 2016-05-04T23:31:04-07:00
- Forum: Developers
- Topic: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability
- Replies: 23
- Views: 35774
Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability
Even newer versions (of CentOS at least) don't have policy.xml by default, you simply add the file to the config directory you discovered (that contains configure.xml). However, with 6.2 "convert -list policy" results in "convert: unrecognized list type `policy'." which suggests the policy file may ...
- 2016-05-04T23:21:04-07:00
- Forum: Developers
- Topic: ImageMagick Security Issue
- Replies: 33
- Views: 62322
Re: ImageMagick Security Issue
I see my question is effectively the same as viewtopic.php?f=2&t=29614
- 2016-05-04T18:18:32-07:00
- Forum: Developers
- Topic: ImageMagick Security Issue
- Replies: 33
- Views: 62322
Re: ImageMagick Security Issue
What versions are affected by this? I have some legacy machines running 6.2.8 that don't understand "convert -list policy". Is it safe to assume they aren't vulnerable?