Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability

Questions and postings pertaining to the development of ImageMagick, feature enhancements, and ImageMagick internals. ImageMagick source code and algorithms are discussed here. Usage questions which are too arcane for the normal user list should also be posted here.
nakadoma
Posts: 8
Joined: 2016-05-04T17:14:08-07:00
Authentication code: 1151

Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability

Post by nakadoma »

Is there a work around for RHEL5 they do not have a policy.xml in RHEL5 and what would be the repercussions of deinstalling imageMagick. There seems to be no information on making a work around for RHEL5. There is no policy.xml on RHEL5 instances.
User avatar
fmw42
Posts: 25562
Joined: 2007-07-02T17:14:51-07:00
Authentication code: 1152
Location: Sunnyvale, California, USA

Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability

Post by fmw42 »

Thanks for posting a new topic. I have deleted your duplicate post tacked onto another topic.
nakadoma
Posts: 8
Joined: 2016-05-04T17:14:08-07:00
Authentication code: 1151

Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability

Post by nakadoma »

Yeah I'm sorry about that. I apologize. Thanks.
User avatar
fmw42
Posts: 25562
Joined: 2007-07-02T17:14:51-07:00
Authentication code: 1152
Location: Sunnyvale, California, USA

Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability

Post by fmw42 »

No problem.

Are you sure there is not a policy.xml file? RHEL5 is unix and I assume that all unix versions of IM will install a policy.xml file? Where is your IM installed in /usr or /opt or somewhere else.

On my Mac OSX (unix),

Code: Select all

find /usr | grep "policy.xml"
/usr/local/etc/ImageMagick-6/policy.xml
/usr/local/share/doc/ImageMagick-6/www/source/policy.xml


see http://www.imagemagick.org/script/resources.php for various locations
nakadoma
Posts: 8
Joined: 2016-05-04T17:14:08-07:00
Authentication code: 1151

Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability

Post by nakadoma »

I thought the delegates.xml only works for ssl based on the other thread. So if I adjust delegates.xml will it provide the workaround for http and https? Or am I misunderstanding.
User avatar
fmw42
Posts: 25562
Joined: 2007-07-02T17:14:51-07:00
Authentication code: 1152
Location: Sunnyvale, California, USA

Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability

Post by fmw42 »

The security issue regards policy.xml, not delegates.xml. I was thinking policy.xml, but accidentally wrote delegates.xml. Sorry, my mistake. I have corrected my post above.
User avatar
fmw42
Posts: 25562
Joined: 2007-07-02T17:14:51-07:00
Authentication code: 1152
Location: Sunnyvale, California, USA

Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability

Post by fmw42 »

See my corrected post above.
nakadoma
Posts: 8
Joined: 2016-05-04T17:14:08-07:00
Authentication code: 1151

Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability

Post by nakadoma »

There is no policy.xml in this instance.
I used find and scanned the entire FS.
[ /etc]# ls -la /usr/lib/ImageMagick-6.2.8/config/
total 236
drwxr-xr-x 2 root root 4096 Jun 25 2015 .
drwxr-xr-x 4 root root 4096 Apr 25 2012 ..
-rw-r--r-- 1 root root 63539 Apr 25 2012 colors.xml
-rw-r--r-- 1 root root 2931 Apr 25 2012 configure.xml
-rw-r--r-- 1 root root 7852 Apr 25 2012 delegates.xml
-rw-r--r-- 1 root root 51580 Apr 25 2012 english.xml
-rw-r--r-- 1 root root 2392 Apr 25 2012 locale.xml
-rw-r--r-- 1 root root 10998 Apr 25 2012 type-ghostscript.xml
-rw-r--r-- 1 root root 5868 Apr 25 2012 type-solaris.xml
-rw-r--r-- 1 root root 19195 Apr 25 2012 type-windows.xml
-rw-r--r-- 1 root root 737 Apr 25 2012 type.xml
[ /etc]#

[ /etc]# find / -name "policy.xml"
/usr/share/selinux/devel/policy.xml
There is no policy file for ImageMagick on the rhel 5 instances. Other are having that problem too.
https://access.redhat.com/security/vuln ... 1#comments
User avatar
fmw42
Posts: 25562
Joined: 2007-07-02T17:14:51-07:00
Authentication code: 1152
Location: Sunnyvale, California, USA

Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability

Post by fmw42 »

I guess 6.2.8 was prior to the creation of policy.xml, unless it was accidentally deleted on your system. However, as I am not a developer, I will defer to the IM developers for a proper answer.
User avatar
fmw42
Posts: 25562
Joined: 2007-07-02T17:14:51-07:00
Authentication code: 1152
Location: Sunnyvale, California, USA

Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability

Post by fmw42 »

I checked the oldest version for which I access, 6.3.7.9 and it does not have a policy.xml file. So policy.xml must be a more current addition to IM. So you will need to hear back from the IM developers regarding how to handle this issue.
nakadoma
Posts: 8
Joined: 2016-05-04T17:14:08-07:00
Authentication code: 1151

Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability

Post by nakadoma »

This is true for all of our rhel5 boxes and other rhel 5 servers seem to be experiencing the same problem. For Developers do we need to try an update this package. Please see the link other people are experiencing this problem on rhel5. Its in the comments section. https://access.redhat.com/security/vuln ... 1#comments
nakadoma
Posts: 8
Joined: 2016-05-04T17:14:08-07:00
Authentication code: 1151

Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability

Post by nakadoma »

Thanks fmw42. I will wait for their reply thanks.
User avatar
fmw42
Posts: 25562
Joined: 2007-07-02T17:14:51-07:00
Authentication code: 1152
Location: Sunnyvale, California, USA

Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability

Post by fmw42 »

I think that if you upgrade to a version that has policy.xml, then you can add the extra policies to the file. Or better upgrade to the new 6.9.3.10 or IM 7.0.1.1 versions.
frEEk
Posts: 8
Joined: 2016-05-04T18:14:10-07:00
Authentication code: 1151

Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability

Post by frEEk »

Even newer version (of CentOS at least) don't have policy.xml by default, you simply add the file to the config directory you discovered (that contains configure.xml). However, with 6.2 "convert -list policy" results in "convert: unrecognized list type `policy'." which suggests the policy file may not do anything.

It is possible that 6.2 isn't affected by this CVE. The ARS article for example mentioned "recent versions of ImageMagick".

Will just have to wait for a developer to confirm what versions of IM are affected.
User avatar
fmw42
Posts: 25562
Joined: 2007-07-02T17:14:51-07:00
Authentication code: 1152
Location: Sunnyvale, California, USA

Re: Is there a work around for RHEL 5 concerning the Imagemagic Security vulnerability

Post by fmw42 »

I think the issue is with allowing MVG and MSL and https: files, not with the policy.xml. The policy.xml file is the way to block those files until you can upgrade to IM 6.9.3.10 or 7.0.0.1 where a patch has been added so that they all are trapped by the policy for @. Those are the file types that allow the vulnerability to enter with malicious code.

So my thought is 6.2.8 is vulnerable and has no way to trap out those files without a policy.xml file. My guess is that 6.2.8 does not have code to recognize any policies.

But again, I will defer to the IM developers.
Post Reply