Page 1 of 1
Does ImageMagick ImageMagick-6.7.8.9-15.el7_2.x86_64 still require the vulnerability patch?
Posted: 2018-05-29T16:06:11-07:00
by Syntaf
As the title states. In reference to
viewtopic.php?f=4&t=29588 , do I still need to apply a
none right to the https coder?
I attempted to search around but found the versioning pretty confusing. Looks like it was only fixed in versions > 7 ?
https://github.com/ImageMagick/ImageMag ... eLog#L1015
Re: Does ImageMagick ImageMagick-6.7.8.9-15.el7_2.x86_64 still require the vulnerability patch?
Posted: 2018-05-29T16:30:49-07:00
by fmw42
What does
show.
And/or look at your policy.xml file and see what it show for HTTPS.
Re: Does ImageMagick ImageMagick-6.7.8.9-15.el7_2.x86_64 still require the vulnerability patch?
Posted: 2018-05-29T16:34:41-07:00
by fmw42
Also see
http://www.imagemagick.org/script/resources.php for a list of the locations of the policy.xml file. You can edit that if you need to disable HTTPS.
Re: Does ImageMagick ImageMagick-6.7.8.9-15.el7_2.x86_64 still require the vulnerability patch?
Posted: 2018-05-29T16:36:09-07:00
by Syntaf
We are currently denying access to https as the announcement post recommended, so it looks like
Code: Select all
<policymap>
<!-- The following are consitered "Sane" defaults and can be tweaked -->
<!-- <policy domain="resource" name="temporary-path" value="/tmp"/> -->
<policy domain="resource" name="memory" value="256MiB"/>
<policy domain="resource" name="map" value="512MiB"/>
<policy domain="resource" name="width" value="8KP"/>
<policy domain="resource" name="height" value="8KP"/>
<policy domain="resource" name="area" value="128MB"/>
<policy domain="resource" name="disk" value="1GiB"/>
<policy domain="resource" name="file" value="768"/>
<policy domain="resource" name="thread" value="2"/>
<policy domain="resource" name="throttle" value="0"/>
<policy domain="resource" name="time" value="300"/>
<!-- The following is a workaround for CVE-2016-3714 -->
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
<policy domain="path" rights="none" pattern="@*" />
</policymap>
However i've switched the https rights to
read, and haven't been able to successful execute an exploit listed on
https://imagetragick.com/ so far. I haven't tested them all yet, but it looks like things like MVG images are fixed (changing the name of an MVG and trying to identify it will give permission violations, and the shell character vulnerability does not seem to work either).
Re: Does ImageMagick ImageMagick-6.7.8.9-15.el7_2.x86_64 still require the vulnerability patch?
Posted: 2018-05-29T16:49:05-07:00
by fmw42
I will let the IM developers respond from here. Where did you edit the policy.xml file? In which directory?