As the title states. In reference to viewtopic.php?f=4&t=29588 , do I still need to apply a none right to the https coder?
I attempted to search around but found the versioning pretty confusing. Looks like it was only fixed in versions > 7 ? https://github.com/ImageMagick/ImageMag ... eLog#L1015
Does ImageMagick ImageMagick-6.7.8.9-15.el7_2.x86_64 still require the vulnerability patch?
-
fmw42
- Posts: 25562
- Joined: 2007-07-02T17:14:51-07:00
- Authentication code: 1152
- Location: Sunnyvale, California, USA
Re: Does ImageMagick ImageMagick-6.7.8.9-15.el7_2.x86_64 still require the vulnerability patch?
What does
show.
And/or look at your policy.xml file and see what it show for HTTPS.
Code: Select all
convert -list policyAnd/or look at your policy.xml file and see what it show for HTTPS.
-
fmw42
- Posts: 25562
- Joined: 2007-07-02T17:14:51-07:00
- Authentication code: 1152
- Location: Sunnyvale, California, USA
Re: Does ImageMagick ImageMagick-6.7.8.9-15.el7_2.x86_64 still require the vulnerability patch?
Also see http://www.imagemagick.org/script/resources.php for a list of the locations of the policy.xml file. You can edit that if you need to disable HTTPS.
Re: Does ImageMagick ImageMagick-6.7.8.9-15.el7_2.x86_64 still require the vulnerability patch?
We are currently denying access to https as the announcement post recommended, so it looks like
However i've switched the https rights to read, and haven't been able to successful execute an exploit listed on https://imagetragick.com/ so far. I haven't tested them all yet, but it looks like things like MVG images are fixed (changing the name of an MVG and trying to identify it will give permission violations, and the shell character vulnerability does not seem to work either).
Code: Select all
<policymap>
<!-- The following are consitered "Sane" defaults and can be tweaked -->
<!-- <policy domain="resource" name="temporary-path" value="/tmp"/> -->
<policy domain="resource" name="memory" value="256MiB"/>
<policy domain="resource" name="map" value="512MiB"/>
<policy domain="resource" name="width" value="8KP"/>
<policy domain="resource" name="height" value="8KP"/>
<policy domain="resource" name="area" value="128MB"/>
<policy domain="resource" name="disk" value="1GiB"/>
<policy domain="resource" name="file" value="768"/>
<policy domain="resource" name="thread" value="2"/>
<policy domain="resource" name="throttle" value="0"/>
<policy domain="resource" name="time" value="300"/>
<!-- The following is a workaround for CVE-2016-3714 -->
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
<policy domain="path" rights="none" pattern="@*" />
</policymap>-
fmw42
- Posts: 25562
- Joined: 2007-07-02T17:14:51-07:00
- Authentication code: 1152
- Location: Sunnyvale, California, USA
Re: Does ImageMagick ImageMagick-6.7.8.9-15.el7_2.x86_64 still require the vulnerability patch?
I will let the IM developers respond from here. Where did you edit the policy.xml file? In which directory?