Re: [CentOS] ImageMagick security alert

John Hodrien Wed, 04 May 2016 06:15:47 -0700

On Wed, 4 May 2016, Nux! wrote:

Direct links


https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588#p132726
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3714

Mitigation:

As a workaround the /etc/ImageMagick/policy.xml file can be edited to disable
processing of MVG, HTTPS, EPHEMERAL and MSL commands within image files, simply
add the following lines:
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />

within the policy map stanza:

<policymap>
...
</policymap>


This has been extended to:

<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="HTTP" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="FTP" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />

Policy support not in EL5 AFAIK.

jh
_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] ImageMagick security alert

Reply via email to