[CentOS] ImageMagick security alert

Wed May 4 07:24:01 UTC 2016
Nux! <nux at li.nux.ro>

Direct links

https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588#p132726
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3714

Mitigation:

As a workaround, the /etc/ImageMagick/policy.xml file can be edited to disable processing of MVG, HTTPS, EPHEMERAL and MSL commands within image files; simply add the following lines:

<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />

within the policy map stanza:

<policymap>
...
</policymap>

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "Alice Wonder" <alice at domblogger.net>
> To: "CentOS mailing list" <centos at centos.org>
> Sent: Tuesday, 3 May, 2016 22:29:19
> Subject: [CentOS] ImageMagick security alert

> https://imagetragick.com/
> 
> As CentOS is often used for web servers, I thought this should be posted
> here.
> 
> Bug in ImageMagick allows remote exploit.
> 
> AFAIK no patch exists yet but defense against the exploit is detailed at
> the link.
> 
> CVE-2016-3714
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
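An added example, not part of either message in this thread: a small Python checker that verifies a policy.xml already carries the four coder policies quoted above (EPHEMERAL, HTTPS, MVG, MSL with rights="none") and appends any that are missing inside the <policymap> stanza. The sample policy.xml embedded below is constructed for the demonstration, and the function names are this example's own, not ImageMagick's.

```python
"""Check and patch an ImageMagick policy.xml for the coder-disabling mitigation."""
import sys
import xml.etree.ElementTree as ET

# Coders the mailing-list mitigation disables (taken from the thread above).
REQUIRED_DISABLED = ("EPHEMERAL", "HTTPS", "MVG", "MSL")

# Constructed sample policy.xml that only has one of the four policies.
# Real files also carry an XML declaration and DOCTYPE; ET.parse handles those.
SAMPLE_POLICY_XML = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
</policymap>
"""


def disabled_coders(policy_xml):
    """Return the set of coder patterns that policy_xml disables (rights="none")."""
    root = ET.fromstring(policy_xml)
    if root.tag != "policymap":
        raise ValueError("expected <policymap> root, got <%s>" % root.tag)
    disabled = set()
    for pol in root.iter("policy"):
        # Only a coder-domain policy with rights="none" counts as disabling.
        # Case is normalised here for comparison; that is this checker's choice.
        if pol.get("domain") == "coder" and (pol.get("rights") or "").lower() == "none":
            pattern = pol.get("pattern")
            if pattern:
                disabled.add(pattern.upper())
    return disabled


def missing_mitigations(policy_xml, required=REQUIRED_DISABLED):
    """Return the required coders that are not yet disabled, in the given order."""
    have = disabled_coders(policy_xml)
    return [coder for coder in required if coder.upper() not in have]


def apply_mitigations(policy_xml, required=REQUIRED_DISABLED):
    """Return policy_xml with a rights="none" coder policy appended for each missing coder.

    The text is returned unchanged when nothing is missing. The XML declaration
    and DOCTYPE of the input (if any) are not preserved by ET.tostring.
    """
    missing = missing_mitigations(policy_xml, required)
    if not missing:
        return policy_xml
    root = ET.fromstring(policy_xml)
    for coder in missing:
        el = ET.SubElement(root, "policy")
        el.set("domain", "coder")
        el.set("rights", "none")
        el.set("pattern", coder)
        el.tail = "\n"  # keep one policy per line in the output
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Usage: python check_policy.py /etc/ImageMagick/policy.xml
    # Without a path the constructed sample above is checked instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_POLICY_XML
    missing = missing_mitigations(text)
    if missing:
        print("coders still enabled: %s" % ", ".join(missing))
        print("patched policy.xml would be:")
        print(apply_mitigations(text))
    else:
        print("all four coders are disabled")
```

The check is deliberately strict: a policy line for one of these coders with rights other than "none" (for example rights="read") is still reported as missing, since only rights="none" matches the mitigation quoted in the thread.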