ImageMagick vulnerability Issue

jhepacios
Posts: 4
Joined: 2016-05-20T02:44:38-07:00
Authentication code: 1151

ImageMagick vulnerability Issue

Post by jhepacios »

Good day,

I am currently working on a fix to address the vulnerability issue stated here: https://imagetragick.com/#policy
I'm using SuSE Linux Enterprise Server 10. I can't find the policy.xml file that is suggested to be modified to solve the problem. I found some fixes that can be applied to SUSE Linux but can't find the right one for the server version that I am using. Does anybody have an idea how I can address this issue on the server that I am using now? Your response will be much appreciated.
snibgo
Posts: 12159
Joined: 2010-01-23T23:01:33-07:00
Authentication code: 1151
Location: England, UK

Re: ImageMagick vulnerability Issue

Post by snibgo »

You should say what version of IM you use.

It may be an old version, before policy.xml was used. If so, I suggest you upgrade to the current v6 release.

However, such an old IM version may need commands to be changed to work with the current v6.
snibgo's IM pages: im.snibgo.com
jhepacios
Posts: 4
Joined: 2016-05-20T02:44:38-07:00
Authentication code: 1151

Re: ImageMagick vulnerability Issue

Post by jhepacios »

Thank you for the response. I'm using IM 6.4.5.
I tried the option to modify the delegate.xml file. It addresses the issue with HTTPS but not the 'Label' pseudo protocol.
fmw42
Posts: 25562
Joined: 2007-07-02T17:14:51-07:00
Authentication code: 1152
Location: Sunnyvale, California, USA

Re: ImageMagick vulnerability Issue

Post by fmw42 »

IM 6.4.5 is ancient (nearly 500 versions old). I would suggest you upgrade. It is likely too old to have a policy.xml.

See viewtopic.php?f=1&t=29727#p133471
Mary1308
Posts: 1
Joined: 2016-05-07T06:28:06-07:00
Authentication code: 1151

Re: ImageMagick vulnerability Issue

Post by Mary1308 »

Which version is the most stable?
fmw42
Posts: 25562
Joined: 2007-07-02T17:14:51-07:00
Authentication code: 1152
Location: Sunnyvale, California, USA

Re: ImageMagick vulnerability Issue

Post by fmw42 »

Upgrade to the latest version of IM 6 or IM 7.
jhepacios
Posts: 4
Joined: 2016-05-20T02:44:38-07:00
Authentication code: 1151

Re: ImageMagick vulnerability Issue

Post by jhepacios »

Thanks for the feedback.

Will the modification of the policy.xml file for a newer version resolve the issue? Is there any disadvantage or bad effect on your application when you apply the modification?
fmw42
Posts: 25562
Joined: 2007-07-02T17:14:51-07:00
Authentication code: 1152
Location: Sunnyvale, California, USA

Re: ImageMagick vulnerability Issue

Post by fmw42 »

The modification is there in the current release. If you want the security, then you may have to work around using things like label:@filename.txt or label:@-, since those will now be blocked by the fix. See the various posts in the Developers and Announce forums.
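
A check for the policy.xml mitigation discussed in this thread, as an added example that is not part of the original posts or ImageMagick's own code: it parses a policy file and reports which of the coders listed on imagetragick.com are still enabled and whether `@file` indirect reads such as `label:@filename.txt` are blocked. The sample policy is constructed; the `fnmatch` glob matching, the conservative rule that any granting entry counts as "enabled", and the use of a `path` rule with pattern `@*` to cover indirect reads are assumptions of this example.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Coders the ImageTragick advisory recommends disabling in policy.xml.
RISKY_CODERS = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL")

# Constructed sample: HTTPS is handled, MVG and MSL were forgotten,
# and there is no path rule for '@file' indirect reads.
SAMPLE_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="read" pattern="LABEL" />
</policymap>"""


def _rules(policy_xml, domain):
    """Yield (rights, pattern) for every <policy> entry in one domain."""
    for node in ET.fromstring(policy_xml).iter("policy"):
        if node.get("domain", "").lower() == domain:
            yield node.get("rights", "").lower(), node.get("pattern", "")


def _denied(rules, name):
    """Assumption: denied only if a rule matches and every matching rule is 'none'."""
    hits = [r for r, p in rules if fnmatch.fnmatchcase(name.upper(), p.upper())]
    return bool(hits) and all(r == "none" for r in hits)


def audit_policy(policy_xml):
    """Return a list of findings; an empty list means every check passed."""
    coder_rules = list(_rules(policy_xml, "coder"))
    path_rules = list(_rules(policy_xml, "path"))
    findings = [f"coder {c} is not disabled" for c in RISKY_CODERS
                if not _denied(coder_rules, c)]
    # Arguments like label:@filename.txt are governed by a path rule (e.g. "@*").
    if not _denied(path_rules, "@filename.txt"):
        findings.append("indirect reads (@file) are not disabled")
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print("FINDING:", finding)
```

To audit a real installation, pass the contents of its policy.xml to `audit_policy`; brace patterns in a policy file are not expanded by `fnmatch`, so such entries are reported as not disabled.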
jhepacios
Posts: 4
Joined: 2016-05-20T02:44:38-07:00
Authentication code: 1151

Re: ImageMagick vulnerability Issue

Post by jhepacios »

Great. Thank you for the information.