[CentOS] ImageMagick security alert

Wed May 4 13:15:04 UTC 2016
John Hodrien <J.H.Hodrien at leeds.ac.uk>

On Wed, 4 May 2016, Nux! wrote:

> Direct links
>
> https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588#p132726
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3714
>
> Mitigation:
>
> As a workaround the /etc/ImageMagick/policy.xml file can be edited to disable
> processing of MVG, HTTPS, EPHEMERAL and MSL commands within image files, simply
> add the following lines:
> <policy domain="coder" rights="none" pattern="EPHEMERAL" />
> <policy domain="coder" rights="none" pattern="HTTPS" />
> <policy domain="coder" rights="none" pattern="MVG" />
> <policy domain="coder" rights="none" pattern="MSL" />
>
> within the policy map stanza:
>
> <policymap>
> ...
> </policymap>

This has been extended to:

<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="HTTP" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="FTP" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />

Policy support not in EL5 AFAIK.

jh