
Imagemagick security issue local install

Posted: 2016-05-04T01:06:54-07:00
by LotusE
Hi,

I just read about the security issue in ImageMagick. I'm using the ImageMagick install on a local Windows system, so not a webserver.

Am I affected by this issue too, or is it only if you have ImageMagick on a webserver install?

Thanks in advance for the information!

Kind regards

Steve

Re: Imagemagick security issue local install

Posted: 2016-05-04T01:36:11-07:00
by LotusE
Just a bit more info: I use ImageMagick to process files I receive from our customers. I download these from FTP to the local system and then process them with ImageMagick locally using the ImageMagick DLL. Is this setup also affected?

Re: Imagemagick security issue local install

Posted: 2016-05-04T03:33:17-07:00
by magick
The exploit is narrow in scope. You must allow direct access to the ImageMagick utilities or API to remote users and permit them to render MVG or MSL or specify unsanitized filenames and access the HTTPS coder.

Re: Imagemagick security issue local install

Posted: 2016-05-04T10:32:35-07:00
by seren
From what I understand, yes, you would be vulnerable if a customer created a malicious file which you then downloaded and processed, providing you haven't updated your policy.xml to block the vulnerable coders.

Re: Imagemagick security issue local install

Posted: 2016-05-04T10:43:21-07:00
by fmw42
My understanding is that (prior to 6.9.3-10 or 7.0.1-1) if you do not need to allow your users to use MVG (Magick Vector Files) for drawing, or MSL files (Magick Scripting Language) or download input images via https directly in your command lines (convert https://.../someimage ...), then add these policies to your policy.xml file. If your users need these features, then leave them out, but you are then susceptible to malicious users' attacks via these mechanisms. The ImageMagick developers can correct me here if I have misunderstood.

See MVG and MSL at
http://www.imagemagick.org/script/formats.php
http://www.imagemagick.org/script/magic ... aphics.php
http://www.imagemagick.org/Usage/draw/#reading
http://www.imagemagick.org/Usage/files/#read
http://www.imagemagick.org/Usage/basics/#arg_percent (regarding @filename)

Re: Imagemagick security issue local install

Posted: 2016-05-04T10:56:51-07:00
by magick
If you need to use MVG or MSL, upgrade to ImageMagick 6.9.3-10 or 7.0.1-1 and include this in your policy.xml file:
  • <policy domain="path" rights="none" pattern="@*" />
These versions of ImageMagick include patches to prevent the exploits in concert with the above policy statement.
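
Added example, not part of the thread and not ImageMagick's own code: a small audit that reads a policy.xml and reports whether the MVG, MSL and HTTPS coders and `@filename` arguments named above are blocked. The coder rule lines in the samples are an assumption, written in the same syntax as the path rule quoted in the last post; both sample files and the `@list.txt` argument are constructed.

```python
import fnmatch
import xml.etree.ElementTree as ET

# What the thread says to block: the MVG, MSL and HTTPS coders, plus "@file"
# arguments. "@list.txt" is a constructed sample of such an argument.
CHECKS = [("coder", "MVG"), ("coder", "MSL"), ("coder", "HTTPS"),
          ("path", "@list.txt")]

def audit(policy_xml):
    """Return {(domain, name): 'blocked' | 'allowed' | 'missing'}."""
    rules = [(p.get("domain", ""), p.get("rights", ""), p.get("pattern"))
             for p in ET.fromstring(policy_xml).iter("policy")]
    report = {}
    for domain, name in CHECKS:
        # Rules of this domain whose glob pattern covers the name. Matching
        # is case-sensitive here, so a lower-case "mvg" rule does not count.
        hits = [rights.strip().lower() for d, rights, pat in rules
                if d == domain and pat and fnmatch.fnmatchcase(name, pat)]
        if not hits:
            report[(domain, name)] = "missing"
        elif all(r == "none" for r in hits):
            report[(domain, name)] = "blocked"
        else:
            # A matching rule grants some right; report it rather than
            # guessing which rule the installed version applies.
            report[(domain, name)] = "allowed"
    return report

# Constructed sample files, not taken from any real installation.
WEAK = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="read" pattern="MSL" />
</policymap>"""

HARDENED = """<policymap>
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="path" rights="none" pattern="@*" />
</policymap>"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label)
        for key, status in audit(text).items():
            print("  %s %s: %s" % (key[0], key[1], status))
```

To check an installed file, pass its contents to `audit()`; anything reported as `missing` or `allowed` is a rule to add or tighten before processing customer files.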