[CentOS] ImageMagick security alert

Sat May 7 00:02:07 UTC 2016
Johnny Hughes <johnny at centos.org>

On 05/04/2016 08:15 AM, John Hodrien wrote:
> On Wed, 4 May 2016, Nux! wrote:
> 
>> Direct links
>>
>> https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588#p132726
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3714
>>
>> Mitigation:
>>
>> As a workaround the /etc/ImageMagick/policy.xml file can be edited to
>> disable
>> processing of MVG, HTTPS, EPHEMERAL and MSL commands within image
>> files, simply
>> add the following lines:
>> <policy domain="coder" rights="none" pattern="EPHEMERAL" />
>> <policy domain="coder" rights="none" pattern="HTTPS" />
>> <policy domain="coder" rights="none" pattern="MVG" />
>> <policy domain="coder" rights="none" pattern="MSL" />
>>
>> within the policy map stanza:
>>
>> <policymap>
>> ...
>> </policymap>
> 
> This has been extended to:
> 
> <policy domain="coder" rights="none" pattern="EPHEMERAL" />
> <policy domain="coder" rights="none" pattern="HTTPS" />
> <policy domain="coder" rights="none" pattern="HTTP" />
> <policy domain="coder" rights="none" pattern="URL" />
> <policy domain="coder" rights="none" pattern="FTP" />
> <policy domain="coder" rights="none" pattern="MVG" />
> <policy domain="coder" rights="none" pattern="MSL" />
> 
> Policy support not in EL5 AFAIK.

Here is a workaround for el5, el6, and el7:

https://bugzilla.redhat.com/show_bug.cgi?id=1332492#c3


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos/attachments/20160506/db500b68/attachment-0005.sig>