ImageMagick Security Issue
Posted: 2016-05-03T04:29:00-07:00
We have recently received vulnerability reports for certain coders; they include possible remote code execution and the ability to render files from the local system. The ImageMagick policy was developed many years ago to help prevent possible exploits and is discussed here: https://www.imagemagick.org/discourse-s ... =4&t=26801. To prevent these possible exploits, simply add the following coder policies to your policy.xml:
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
<policy domain="coder" rights="none" pattern="TEXT" />
<policy domain="coder" rights="none" pattern="SHOW" />
<policy domain="coder" rights="none" pattern="WIN" />
<policy domain="coder" rights="none" pattern="PLT" />
We have secured the delegates in ImageMagick 7.0.1-9 and 6.9.4-7 by sanitizing the parameters passed to them. These releases also support a new policy that prevents indirect reads, that is, filenames beginning with @, which make ImageMagick read their contents from the named file:
<policy domain="path" rights="none" pattern="@*" />
In these releases, reading MVG and MSL scripts is explicit: the coder must be named in the filename. For example, if your script is named my_graph.mvg, to render it, use a filename of mvg:my_graph.mvg. Text is also explicit, e.g. text:myText.txt. We also no longer support the EPHEMERAL coder, previously an internal coder that could remove a file as ImageMagick exits.
You can verify your policies with this command:
-> convert -list policy
Path: ImageMagick-7/policy.xml
  Policy: Resource
    name: time
    value: 120
  Policy: Resource
    name: throttle
    value: 0
  Policy: Resource
    name: thread
    value: 2
  Policy: Resource
    name: file
    value: 768
  Policy: Resource
    name: disk
    value: 1GiB
  Policy: Resource
    name: map
    value: 512MiB
  Policy: Resource
    name: memory
    value: 256MiB
  Policy: Resource
    name: area
    value: 128MB
  Policy: Resource
    name: height
    value: 8KP
  Policy: Resource
    name: width
    value: 8KP
  Policy: Resource
    name: temporary-path
    value: /tmp
  Policy: System
    name: precision
    value: 6
  Policy: Coder
    rights: None
    pattern: MSL
  Policy: Coder
    rights: None
    pattern: MVG
  Policy: Path
    rights: None
    pattern: @*
  Policy: Path
    rights: None
    pattern: |*
Path: [built-in]
  Policy: Undefined
    rights: None
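Note that the listing above denies only MSL, MVG and the @* path: the other coder policies from the top of this post still have to be added. As an added example (not part of this announcement and not ImageMagick's own tooling), the POSIX shell script below parses a convert -list policy listing and reports which of the recommended denials are missing. The function names and the embedded sample listing, which is constructed from the output shown above, are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the ImageMagick announcement: audit the output of
# `convert -list policy` for the coder and path denials the announcement
# recommends. The sample listing below is constructed from the listing in the
# post; the function names are this example's own.
#
# Usage:  convert -list policy > listing.txt; sh audit_policy.sh listing.txt
#         (run with no argument to audit the embedded sample listing)

REQUIRED_CODERS="EPHEMERAL HTTPS MVG MSL TEXT SHOW WIN PLT"

# policy_denies LISTING DOMAIN PATTERN
# Succeeds when LISTING contains a policy of the given domain (Coder, Path, ...)
# whose rights are None for exactly PATTERN. A "Policy:" line starts a stanza;
# the following "rights:" and "pattern:" lines belong to that stanza.
policy_denies() {
  awk -v dom="$2" -v pat="$3" '
    $1 == "Policy:"  { domain = $2; rights = ""; next }
    $1 == "rights:"  { rights = $2; next }
    $1 == "pattern:" && domain == dom && $2 == pat && rights == "None" { found = 1 }
    END { if (found) exit 0; exit 1 }
  ' "$1"
}

# audit_policy LISTING
# Prints one "MISSING: ..." line per denial that is absent. Returns 0 when the
# listing carries every denial from the announcement, 1 otherwise.
audit_policy() {
  listing="$1"
  missing=0
  for coder in $REQUIRED_CODERS; do
    policy_denies "$listing" Coder "$coder" || { echo "MISSING: coder $coder"; missing=1; }
  done
  # The indirect-read policy: filenames beginning with @. The pattern is
  # quoted so the shell does not glob it against the current directory.
  policy_denies "$listing" Path '@*' || { echo "MISSING: path @*"; missing=1; }
  return $missing
}

# write_sample_listing FILE
# Writes a constructed listing in the format of `convert -list policy`, with
# the same denials as the announcement's output: only MSL, MVG, @* and |* are
# denied, so the audit should flag the other six coders.
write_sample_listing() {
  cat > "$1" <<'EOF'
Path: ImageMagick-7/policy.xml
  Policy: Resource
    name: memory
    value: 256MiB
  Policy: Coder
    rights: None
    pattern: MSL
  Policy: Coder
    rights: None
    pattern: MVG
  Policy: Path
    rights: None
    pattern: @*
  Policy: Path
    rights: None
    pattern: |*
Path: [built-in]
  Policy: Undefined
    rights: None
EOF
}

if [ $# -ge 1 ]; then
  audit_policy "$1"
else
  sample=$(mktemp)
  write_sample_listing "$sample"
  if audit_policy "$sample"; then
    echo "policy complete"
  else
    echo "policy incomplete: add the missing entries to policy.xml and re-run convert -list policy"
  fi
  rm -f "$sample"
fi
```

The awk parser keys on the domain, rights and pattern fields rather than on indentation, so it works on the flat listing shown above as well as on the indented form the command prints. Run against the announcement's listing it reports EPHEMERAL, HTTPS, TEXT, SHOW, WIN and PLT as missing; once those policies are added to policy.xml and the listing regenerated, it exits 0.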