Re: [CentOS] ImageMagick security alert

On Wed, 4 May 2016, Nux! wrote:

Direct links

https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588#p... https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3714

Mitigation:

As a workaround the /etc/ImageMagick/policy.xml file can be edited to disable processing of MVG, HTTPS, EPHEMERAL and MSL commands within image files, simply add the following lines:

<policy domain="coder" rights="none" pattern="EPHEMERAL" /> <policy domain="coder" rights="none" pattern="HTTPS" /> <policy domain="coder" rights="none" pattern="MVG" /> <policy domain="coder" rights="none" pattern="MSL" />

within the policy map stanza:

<policymap> ... </policymap>

This has been extended to:

<policy domain="coder" rights="none" pattern="EPHEMERAL" /> <policy domain="coder" rights="none" pattern="HTTPS" /> <policy domain="coder" rights="none" pattern="HTTP" /> <policy domain="coder" rights="none" pattern="URL" /> <policy domain="coder" rights="none" pattern="FTP" /> <policy domain="coder" rights="none" pattern="MVG" /> <policy domain="coder" rights="none" pattern="MSL" />

Policy support not in EL5 AFAIK.

jh