[CentOS] ImageMagick security alert

Sat May 7 00:05:46 UTC 2016
Johnny Hughes <johnny at centos.org>

On 05/06/2016 07:02 PM, Johnny Hughes wrote:
> On 05/04/2016 08:15 AM, John Hodrien wrote:
>> On Wed, 4 May 2016, Nux! wrote:
>>
>>> Direct links
>>>
>>> https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588#p132726
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3714
>>>
>>> Mitigation:
>>>
>>> As a workaround the /etc/ImageMagick/policy.xml file can be edited to
>>> disable
>>> processing of MVG, HTTPS, EPHEMERAL and MSL commands within image
>>> files, simply
>>> add the following lines:
>>> <policy domain="coder" rights="none" pattern="EPHEMERAL" />
>>> <policy domain="coder" rights="none" pattern="HTTPS" />
>>> <policy domain="coder" rights="none" pattern="MVG" />
>>> <policy domain="coder" rights="none" pattern="MSL" />
>>>
>>> within the policy map stanza:
>>>
>>> <policymap>
>>> ...
>>> </policymap>
>>
>> This has been extended to:
>>
>> <policy domain="coder" rights="none" pattern="EPHEMERAL" />
>> <policy domain="coder" rights="none" pattern="HTTPS" />
>> <policy domain="coder" rights="none" pattern="HTTP" />
>> <policy domain="coder" rights="none" pattern="URL" />
>> <policy domain="coder" rights="none" pattern="FTP" />
>> <policy domain="coder" rights="none" pattern="MVG" />
>> <policy domain="coder" rights="none" pattern="MSL" />
>>
>> Policy support not in EL5 AFAIK.
> 
> Here is a workaround for el5, el6, and el7:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1332492#c3

And more info here:

https://access.redhat.com/security/vulnerabilities/2296071

If you are using CentOS-5 .. make SURE you do the fix, they say the are
NOT issuing a fix for it (see the "Resolve" tag in the link).



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos/attachments/20160506/fefec3a0/attachment-0004.sig>