
ImageMagick vulnerability Issue

Posted: 2016-05-20T02:51:48-07:00
by jhepacios
Good day,

I am currently working on a fix to address the vulnerability issue stated here: https://imagetragick.com/#policy
I'm using SuSE Linux Enterprise Server 10. I can't find the policy.xml file that is suggested to be modified to solve the problem. I found some fixes that can be applied to SUSE Linux but can't find the right one for the server version that I am using. Does anybody have an idea how I can address this issue on the server that I am using now? Your response will be much appreciated.

Re: ImageMagick vulnerability Issue

Posted: 2016-05-20T05:37:37-07:00
by snibgo
You should say what version of IM you use.

It may be an old version, before policy.xml was used. If so, I suggest you upgrade to the current v6 release.

However, such an old IM version may need commands to be changed to work with the current v6.

Re: ImageMagick vulnerability Issue

Posted: 2016-05-20T06:14:36-07:00
by jhepacios
Thank you for the response. I'm using IM 6.4.5.
I tried the option to modify the delegate.xml file. It addresses the issue with HTTPS but not the 'Label' pseudo protocol.

Re: ImageMagick vulnerability Issue

Posted: 2016-05-20T09:53:01-07:00
by fmw42
IM 6.4.5 is ancient (nearly 500 versions old). I would suggest you upgrade. It is likely too old to have a policy.xml.

See viewtopic.php?f=1&t=29727#p133471

Re: ImageMagick vulnerability Issue

Posted: 2016-05-21T04:04:16-07:00
by Mary1308
Which version is the most stable?

Re: ImageMagick vulnerability Issue

Posted: 2016-05-21T10:30:45-07:00
by fmw42
Upgrade to the latest version of IM 6 or IM 7.

Re: ImageMagick vulnerability Issue

Posted: 2016-05-22T21:30:40-07:00
by jhepacios
Thanks for the feedback.

Will the modification of the policy.xml file for a newer version resolve the issue? Is there any disadvantage or bad effect on your application when you apply the modification?

Re: ImageMagick vulnerability Issue

Posted: 2016-05-22T21:40:39-07:00
by fmw42
The modification is there in the current release. If you want the security, then you may have to work around using things like label:@filename.txt or label:@-, since those will now be blocked by the fix. See the various posts in the Developers and Announce forums.
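
An added example, not part of the original posts and not ImageMagick's own code: a small audit that reads a policy.xml and reports whether the mitigation entries are present. It assumes the entries are the five coder patterns from the linked ImageTragick page plus a `path` rule with pattern `@*` (the rule that blocks indirect reads such as label:@filename.txt); the sample policy is constructed.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Coders named in the ImageTragick policy.xml mitigation (assumption: taken
# from the linked advisory page, not from this thread).
RISKY_CODERS = ["EPHEMERAL", "URL", "HTTPS", "MVG", "MSL"]

# Constructed sample: a policy.xml that is only partly hardened.
SAMPLE_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="read" pattern="MVG" />
  <policy domain="path" rights="none" pattern="@*" />
</policymap>"""


def is_blocked(policy_xml, domain, name):
    """True if some <policy> entry denies all rights to `name` in `domain`.

    Simplification: any matching rights="none" entry counts as a block, and
    patterns are matched as case-sensitive globs. Precedence between
    overlapping entries depends on the ImageMagick version.
    """
    for p in ET.fromstring(policy_xml).iter("policy"):
        if (p.get("domain") == domain
                and p.get("rights", "").lower() == "none"
                and fnmatch.fnmatchcase(name, p.get("pattern", ""))):
            return True
    return False


def audit(policy_xml):
    """Map each mitigation item to True (blocked) or False (still allowed)."""
    report = {c: is_blocked(policy_xml, "coder", c) for c in RISKY_CODERS}
    # "@file.txt" stands in for the indirect read behind label:@filename.txt.
    report["path @*"] = is_blocked(policy_xml, "path", "@file.txt")
    return report


if __name__ == "__main__":
    for item, ok in audit(SAMPLE_POLICY).items():
        print(f"{item:10s} {'blocked' if ok else 'NOT blocked'}")
```

Run it against the text of the installed policy.xml; an item that is not blocked means the corresponding entry is missing or grants some rights.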

Re: ImageMagick vulnerability Issue

Posted: 2016-05-22T21:54:14-07:00
by jhepacios
Great. Thank you for the information.