FYI: ImageMagick Exploit
Posted: 2018-08-21T08:15:03-07:00
by newser
TL;DR: I *strongly* suggest that distributions start disabling PS, EPS, PDF
and XPS coders in policy.xml by default.
$ convert input.jpg output.gif
uid=1000(taviso) gid=1000(taviso) groups=1000(taviso),10(wheel)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
http://openwall.com/lists/oss-security/2018/08/21/2
EDIT: Workaround here
https://twitter.com/drezil1985/status/1 ... 1336469504
Re: FYI: ImageMagick Exploit
Posted: 2018-08-21T12:47:49-07:00
by magick
ImageMagick best practices strongly encourage you to configure a security policy that suits your local environment. See https://www.imagemagick.org/script/security-policy.php for a detailed discussion. Relevant to this potential exploit in Ghostscript, you can restrict ImageMagick to only web-safe image formats with these policies:
<policy domain="delegate" rights="none" pattern="*" />
<policy domain="coder" rights="none" pattern="*" />
<policy domain="coder" rights="read | write" pattern="{GIF,JPEG,PNG,WEBP}" />
If you just want to disable Ghostscript, use this policy:
<policy domain="coder" rights="none" pattern="{EPS,PS2,PS3,PS,PDF,XPS}" />
Re: FYI: ImageMagick Exploit
Posted: 2018-08-23T08:53:28-07:00
by Imaging
One additional note if just the GS-related coders are disabled: it appears that PS2 and PS3 coders need to be disabled as well, per:
https://www.kb.cert.org/vuls/id/332928
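
Added example, not part of any post in this thread: a Python check that parses a policy.xml and reports which of the Ghostscript-related coders named above (PS2 and PS3 included) the policy still leaves usable. It assumes a later matching entry overrides an earlier one, as the allowlist policy above depends on; the function names and sample policies are constructed for illustration.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

# Coders the thread says to disable to keep ImageMagick away from Ghostscript.
GS_CODERS = ["EPS", "PS2", "PS3", "PS", "PDF", "XPS"]

# Constructed samples: the thread's two policies plus one that omits PS2/PS3.
GS_ONLY = '<policymap><policy domain="coder" rights="none" pattern="{EPS,PS2,PS3,PS,PDF,XPS}" /></policymap>'
PARTIAL = '<policymap><policy domain="coder" rights="none" pattern="{EPS,PS,PDF,XPS}" /></policymap>'
ALLOWLIST = """<policymap>
<policy domain="delegate" rights="none" pattern="*" />
<policy domain="coder" rights="none" pattern="*" />
<policy domain="coder" rights="read | write" pattern="{GIF,JPEG,PNG,WEBP}" />
</policymap>"""

def expand_braces(pattern):
    """Expand {A,B,C} alternation into a list of plain glob patterns."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    out = []
    for alt in m.group(1).split(","):
        out.extend(expand_braces(head + alt.strip() + tail))
    return out

def coder_rights(policy_xml, coder):
    """Return the effective rights for a coder; no matching entry means unrestricted."""
    rights = {"read", "write"}
    for p in ET.fromstring(policy_xml).iter("policy"):
        if p.get("domain", "").lower() != "coder":
            continue  # delegate, path, resource entries do not gate coders
        globs = expand_braces(p.get("pattern", ""))
        if any(fnmatch.fnmatchcase(coder.upper(), g.upper()) for g in globs):
            # Assumption: a later matching entry overrides an earlier one.
            raw = p.get("rights", "none").lower()
            rights = {r.strip() for r in raw.split("|")} - {"none", ""}
    return rights

def exposed_gs_coders(policy_xml):
    """List the Ghostscript-related coders the policy still permits."""
    return [c for c in GS_CODERS if coder_rights(policy_xml, c)]

if __name__ == "__main__":
    for name, xml in [("GS_ONLY", GS_ONLY), ("PARTIAL", PARTIAL), ("ALLOWLIST", ALLOWLIST)]:
        print(name, "still exposes:", exposed_gs_coders(xml) or "nothing")
```

To confirm what a given installation actually loaded, compare the result with the output of `identify -list policy`.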