On 05/04/2016 08:15 AM, John Hodrien wrote:
On Wed, 4 May 2016, Nux! wrote:
Direct links
https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588#p...
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3714
Mitigation:
As a workaround the /etc/ImageMagick/policy.xml file can be edited to disable processing of MVG, HTTPS, EPHEMERAL and MSL commands within image files, simply add the following lines:
<policy domain="coder" rights="none" pattern="EPHEMERAL" /> <policy domain="coder" rights="none" pattern="HTTPS" /> <policy domain="coder" rights="none" pattern="MVG" /> <policy domain="coder" rights="none" pattern="MSL" />
within the policy map stanza:
<policymap> ... </policymap>
This has been extended to:
<policy domain="coder" rights="none" pattern="EPHEMERAL" /> <policy domain="coder" rights="none" pattern="HTTPS" /> <policy domain="coder" rights="none" pattern="HTTP" /> <policy domain="coder" rights="none" pattern="URL" /> <policy domain="coder" rights="none" pattern="FTP" /> <policy domain="coder" rights="none" pattern="MVG" /> <policy domain="coder" rights="none" pattern="MSL" />
Policy support not in EL5 AFAIK.
Here is a workaround for el5, el6, and el7: