ImageMagick Security Alert

Home » CentOS » ImageMagick Security Alert

May 3, 2016 Alice Wonder CentOS 4 Comments

https://imagetragick.com/

As CentOS is often used for web servers, I thought this should be posted here.

Bug in ImageMagick allows remote exploit.

AFAIK no patch exists yet but defense against the exploit is detailed at the link.

CVE-2016–3714

4 thoughts on - ImageMagick Security Alert

Nux! says:

May 4, 2016 at 2:24 am

Direct links

https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588#p132726
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3714

Mitigation:

As a workaround the /etc/ImageMagick/policy.xml file can be edited to disable processing of MVG, HTTPS, EPHEMERAL and MSL commands within image files, simply add the following lines:

within the policy map stanza:
…
—
Sent from the Delta quadrant using Borg technology!

Nux!
http://www.nux.ro

—– Original Message —–
John Hodrien says:

May 4, 2016 at 8:15 am

This has been extended to:

Policy support not in EL5 AFAIK.

jh
Johnny Hughes says:

May 6, 2016 at 7:02 pm

–arfbUGcUvQfI80IICXMfxW1CT2oHmUj5j Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

Here is a workaround for el5, el6, and el7:

https://bugzilla.redhat.com/show_bug.cgi?id=1332492#c3

–arfbUGcUvQfI80IICXMfxW1CT2oHmUj5j
Johnny Hughes says:

May 6, 2016 at 7:06 pm

–4NcTfpvtijb0hOxtV1etgcWTk3f6gEXJw Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

And more info here:

https://access.redhat.com/security/vulnerabilities/2296071

If you are using CentOS-5 .. make SURE you do the fix, they say the are NOT issuing a fix for it (see the “Resolve” tag in the link).

–4NcTfpvtijb0hOxtV1etgcWTk3f6gEXJw