Hi,
I just read about the security issue in imagemagick. I'm using the imagemagick install on a local windows system, so not a webserver.
Am I affected by this issue too or is it only if you have imagemagick on a webserver install?
Thanks in advance for the information!
Kind regards
Steve
Imagemagick security issue local install
Re: Imagemagick security issue local install
Just a bit more info: I use Imagemagick to process files I receive from our customers, I download these from ftp to the local system and then process them with Imagemagick locally using the imagemagick dll. Is this setup also affected?
Re: Imagemagick security issue local install
The exploit is narrow in scope. You must allow direct access to the ImageMagick utilities or API to remote users and permit them to render MVG or MSL or specify unsanitized filenames and access the HTTPS coder.
Re: Imagemagick security issue local install
From what I understand, yes, you would be vulnerable if a customer created a malicious file which you then downloaded and processed, providing you haven't updated your policy.xml to block the vulnerable coders.
- fmw42
- Posts: 25562
- Joined: 2007-07-02T17:14:51-07:00
- Authentication code: 1152
- Location: Sunnyvale, California, USA
Re: Imagemagick security issue local install
My understanding is that (prior to 6.9.3-10 or 7.0.1-1) if you do not need to allow your users to use MVG (Magick Vector Files) for drawing, or MSL files (Magick Scripting Language) or download input images via https directly in your command lines (convert https://.../someimage ...), then add these policies to your policy.xml file. If your users need these features, then leave them out, but you are then susceptible to malicious user's attacks via these mechanisms. The Imagemagick Developers can correct me here, if I have misunderstood.
See MVG and MSL at
http://www.imagemagick.org/script/formats.php
http://www.imagemagick.org/script/magic ... aphics.php
http://www.imagemagick.org/Usage/draw/#reading
http://www.imagemagick.org/Usage/files/#read
http://www.imagemagick.org/Usage/basics/#arg_percent (regarding @filename)
See MVG and MSL at
http://www.imagemagick.org/script/formats.php
http://www.imagemagick.org/script/magic ... aphics.php
http://www.imagemagick.org/Usage/draw/#reading
http://www.imagemagick.org/Usage/files/#read
http://www.imagemagick.org/Usage/basics/#arg_percent (regarding @filename)
Re: Imagemagick security issue local install
If you need to use MVG or MSL, upgrade to ImageMagick 6.9.3-10 or 7.0.1-1 and include this in your policy.xml file:
- <policy domain="path" rights="none" pattern="@*" />