Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability
Is there a workaround for RHEL5? They do not have a policy.xml in RHEL5. And what would be the repercussions of deinstalling ImageMagick? There seems to be no information on making a workaround for RHEL5. There is no policy.xml on RHEL5 instances.
- fmw42
- Posts: 25562
- Joined: 2007-07-02T17:14:51-07:00
- Authentication code: 1152
- Location: Sunnyvale, California, USA
Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability
Thanks for posting a new topic. I have deleted your duplicate post tacked onto another topic.
Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability
Yeah I'm sorry about that. I apologize. Thanks.
- fmw42
Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability
No problem.
Are you sure there is not a policy.xml file? RHEL5 is Unix and I assume that all Unix versions of IM will install a policy.xml file. Where is your IM installed: in /usr, /opt, or somewhere else?
On my Mac OSX (Unix),
find /usr | grep "policy.xml"
/usr/local/etc/ImageMagick-6/policy.xml
/usr/local/share/doc/ImageMagick-6/www/source/policy.xml
See http://www.imagemagick.org/script/resources.php for various locations.
Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability
I thought the delegates.xml only works for SSL, based on the other thread. So if I adjust delegates.xml, will it provide the workaround for http and https? Or am I misunderstanding?
- fmw42
Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability
The security issue regards policy.xml, not delegates.xml. I was thinking policy.xml, but accidentally wrote delegates.xml. Sorry, my mistake. I have corrected my post above.
- fmw42
Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability
See my corrected post above.
Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability
There is no policy.xml in this instance.
I used find and scanned the entire FS.
[ /etc]# ls -la /usr/lib/ImageMagick-6.2.8/config/
total 236
drwxr-xr-x 2 root root 4096 Jun 25 2015 .
drwxr-xr-x 4 root root 4096 Apr 25 2012 ..
-rw-r--r-- 1 root root 63539 Apr 25 2012 colors.xml
-rw-r--r-- 1 root root 2931 Apr 25 2012 configure.xml
-rw-r--r-- 1 root root 7852 Apr 25 2012 delegates.xml
-rw-r--r-- 1 root root 51580 Apr 25 2012 english.xml
-rw-r--r-- 1 root root 2392 Apr 25 2012 locale.xml
-rw-r--r-- 1 root root 10998 Apr 25 2012 type-ghostscript.xml
-rw-r--r-- 1 root root 5868 Apr 25 2012 type-solaris.xml
-rw-r--r-- 1 root root 19195 Apr 25 2012 type-windows.xml
-rw-r--r-- 1 root root 737 Apr 25 2012 type.xml
[ /etc]#
[ /etc]# find / -name "policy.xml"
/usr/share/selinux/devel/policy.xml
There is no policy file for ImageMagick on the RHEL 5 instances. Others are having that problem too.
https://access.redhat.com/security/vuln ... 1#comments
- fmw42
Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability
I guess 6.2.8 was prior to the creation of policy.xml, unless it was accidentally deleted on your system. However, as I am not a developer, I will defer to the IM developers for a proper answer.
- fmw42
Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability
I checked the oldest version to which I have access, 6.3.7.9, and it does not have a policy.xml file. So policy.xml must be a more current addition to IM. So you will need to hear back from the IM developers regarding how to handle this issue.
Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability
This is true for all of our RHEL5 boxes, and other RHEL 5 servers seem to be experiencing the same problem. For developers: do we need to try to update this package? Please see the link; other people are experiencing this problem on RHEL5. It's in the comments section. https://access.redhat.com/security/vuln ... 1#comments
Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability
Thanks, fmw42. I will wait for their reply. Thanks.
- fmw42
Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability
I think that if you upgrade to a version that has policy.xml, then you can add the extra policies to the file. Or better, upgrade to the new 6.9.3.10 or IM 7.0.1.1 versions.
Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability
Even newer versions (of CentOS at least) don't have policy.xml by default; you simply add the file to the config directory you discovered (that contains configure.xml). However, with 6.2, "convert -list policy" results in "convert: unrecognized list type `policy'.", which suggests the policy file may not do anything.
It is possible that 6.2 isn't affected by this CVE. The ARS article, for example, mentioned "recent versions of ImageMagick".
Will just have to wait for a developer to confirm what versions of IM are affected.
- fmw42
Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability
I think the issue is with allowing MVG and MSL and https: files, not with the policy.xml. The policy.xml file is the way to block those files until you can upgrade to IM 6.9.3.10 or 7.0.0.1 where a patch has been added so that they all are trapped by the policy for @. Those are the file types that allow the vulnerability to enter with malicious code.
So my thought is 6.2.8 is vulnerable and has no way to trap out those files without a policy.xml file. My guess is that 6.2.8 does not have code to recognize any policies.
But again, I will defer to the IM developers.
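The two checks discussed in this thread, as an added example (not part of any post and not ImageMagick project code): does the build list policies at all, and does a given policy.xml actually deny the MVG, MSL and HTTPS coders. The function names, the sample file and the `rights="none"` coder entries are assumptions based on the policy.xml format of later ImageMagick releases; as the posts above suggest, a build that rejects `-list policy` may ignore the file entirely.

```sh
# Added example: audit a policy.xml for the coders named in this thread.

# "supported" unless TEXT is the error that 6.2 printed for "convert -list policy".
classify_list_output() {
    case "$1" in
        *"unrecognized list type"*) echo unsupported ;;
        *) echo supported ;;
    esac
}

# Print FILE with XML comments removed, so commented-out entries do not count.
strip_comments() {
    text=$(cat "$1"); open='<!--'; close='-->'
    while :; do
        case "$text" in
            *"$open"*"$close"*)
                head=${text%%"$open"*}; rest=${text#*"$open"}
                text=$head${rest#*"$close"} ;;
            *) break ;;
        esac
    done
    printf '%s\n' "$text"
}

# Succeed if FILE has <policy domain="coder" rights="none" pattern="CODER">.
# Only exact pattern names are matched; glob patterns are reported as not denied.
coder_denied() {
    strip_comments "$1" | tr '\n' ' ' | tr '>' '\n' |
        grep 'domain="coder"' | grep 'rights="none"' | grep -q "pattern=\"$2\""
}

# Report MVG, MSL and HTTPS; return 0 if all denied, 1 if any is not, 2 if no file.
audit_policy() {
    [ -f "$1" ] || { echo "no policy file at $1"; return 2; }
    missing=0
    for coder in MVG MSL HTTPS; do
        if coder_denied "$1" "$coder"; then echo "$coder: denied"
        else echo "$coder: NOT denied"; missing=1; fi
    done
    return "$missing"
}

# Constructed sample: HTTPS is only present inside a comment.
sample=$(mktemp)
printf '%s\n' '<policymap>' \
  '  <policy domain="coder" rights="none" pattern="MVG" />' \
  '  <policy domain="coder" rights="none" pattern="MSL" />' \
  '  <!-- <policy domain="coder" rights="none" pattern="HTTPS" /> -->' \
  '</policymap>' > "$sample"
audit_policy "$sample" || echo "workaround incomplete"
```

On a real host, pass the output of `convert -list policy 2>&1` to `classify_list_output` before trusting the file audit.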