As CentOS is often used for web servers, I thought this should be posted here.
Bug in ImageMagick allows remote exploit.
AFAIK no patch exists yet but defense against the exploit is detailed at the link.
CVE-2016-3714
Direct links
https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588#p...
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3714
Mitigation:
As a workaround the /etc/ImageMagick/policy.xml file can be edited to disable processing of MVG, HTTPS, EPHEMERAL and MSL commands within image files, simply add the following lines:
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
within the policy map stanza:
<policymap> ... </policymap>
-- Sent from the Delta quadrant using Borg technology!
Nux! www.nux.ro
----- Original Message -----
From: "Alice Wonder" alice@domblogger.net
To: "CentOS mailing list" centos@centos.org
Sent: Tuesday, 3 May, 2016 22:29:19
Subject: [CentOS] ImageMagick security alert
As CentOS is often used for web servers, I thought this should be posted here.
Bug in ImageMagick allows remote exploit.
AFAIK no patch exists yet but defense against the exploit is detailed at the link.
CVE-2016-3714
On Wed, 4 May 2016, Nux! wrote:
Direct links
https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588#p...
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3714
Mitigation:
As a workaround the /etc/ImageMagick/policy.xml file can be edited to disable processing of MVG, HTTPS, EPHEMERAL and MSL commands within image files, simply add the following lines:
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
within the policy map stanza:
<policymap> ... </policymap>
This has been extended to:
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="HTTP" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="FTP" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
Policy support not in EL5 AFAIK.
jh
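Added example, not part of any message in this thread: a Python check that a policy.xml really denies the seven coders in the extended list above. It matches exact pattern names only (no glob evaluation) and treats a coder that also carries a non-"none" rule as unprotected; the function names and SAMPLE are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Coders named in the extended mitigation list quoted in the thread.
REQUIRED = ("EPHEMERAL", "HTTPS", "HTTP", "URL", "FTP", "MVG", "MSL")

def coder_rights(policy_xml):
    """Map each coder pattern to the set of rights values declared for it."""
    root = ET.fromstring(policy_xml)
    if root.tag != "policymap":
        raise ValueError("root element is not <policymap>")
    rights = {}
    # Only direct children of <policymap> count. Commented-out rules are
    # discarded by the XML parser, so they never show up as protection.
    for rule in root.findall("policy"):
        if rule.get("domain", "").lower() != "coder":
            continue
        pattern = rule.get("pattern", "").upper()
        value = rule.get("rights", "").strip().lower()
        rights.setdefault(pattern, set()).add(value)
    return rights

def unprotected(policy_xml, required=REQUIRED):
    """Return required coders with no rights="none" rule, or a conflicting one."""
    rights = coder_rights(policy_xml)
    return [c for c in required if rights.get(c) != {"none"}]

# Constructed sample: MVG rule left inside a comment, HTTP never added,
# and MSL denied once but re-granted by a second rule.
SAMPLE = """<policymap>
  <!-- <policy domain="coder" rights="none" pattern="MVG" /> -->
  <policy domain="resource" name="memory" value="256MiB" />
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="FTP" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="read" pattern="MSL" />
</policymap>"""

if __name__ == "__main__":
    # Pass a path such as /etc/ImageMagick/policy.xml, or run on SAMPLE.
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    missing = unprotected(text)
    print("not denied:", ", ".join(missing) or "none")
    sys.exit(1 if missing else 0)
```

The non-zero exit status when any coder is left unprotected makes the check usable from a configuration-management run or a cron job.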
On 05/04/2016 08:15 AM, John Hodrien wrote:
This has been extended to:
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="HTTP" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="FTP" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
Policy support not in EL5 AFAIK.
Here is a workaround for el5, el6, and el7:
On 05/06/2016 07:02 PM, Johnny Hughes wrote:
Here is a workaround for el5, el6, and el7:
And more info here:
https://access.redhat.com/security/vulnerabilities/2296071
If you are using CentOS-5 .. make SURE you do the fix, they say they are NOT issuing a fix for it (see the "Resolve" tag in the link).