Choose style:

Author Topic: ImageMagick multiple vulnerabilities [SOLVED]  (Read 1611 times)

0 Members and 1 Guest are viewing this topic.

Offline GNULINUX

  • Trusted User
  • Member
  • *****
  • Posts: 987
  • Karma: 311
    • View Profile
  • Peppermint version(s): Peppermint Six (x64)
ImageMagick multiple vulnerabilities [SOLVED]
« on: May 03, 2016, 05:52:57 pm »
Quote
There are multiple vulnerabilities in ImageMagick, a package commonly used by web services to process images. One of the vulnerabilities can lead to remote code execution (RCE) if you process user submitted images. The exploit for this vulnerability is being used in the wild.
Multiple vulnerabilities in ImageMagick

I'm not sure if this only affects web services?

Quote
Use a policy file to disable the vulnerable ImageMagick coders. The global policy for ImageMagick is usually found in “/etc/ImageMagick”. The below policy.xml example will disable the coders EPHEMERAL, URL, MVG, and MSL.

Should we also add the suggested lines to policy.xml?

Code: [Select]
<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
</policymap>

Thanks for your answer!  ;)
« Last Edit: June 02, 2016, 02:59:20 pm by GNULINUX »
Peppermint 6  (x64)   -   Windows 7 Ultimate SP1  (x64)
Running different OS flavors in VirtualBox, just for fun!

Offline Alex

  • Jr. Member
  • **
  • Posts: 98
  • Karma: 8
    • View Profile
Re: ImageMagick multiple vulnerabilities
« Reply #1 on: May 03, 2016, 06:00:07 pm »
Hi, GNULINUX.
http://www.imagemagick.org/script/contact.php
I don't understand about ImageMagick vulnerabilities, but you should send your questions to Imagemagick developers.
Cheers.

Offline scifidude79

  • Global Moderator
  • Hero
  • *****
  • Posts: 4029
  • Karma: 863
    • View Profile
  • Peppermint version(s): Peppermint 9
Re: ImageMagick multiple vulnerabilities
« Reply #2 on: May 03, 2016, 11:17:54 pm »
If you don't know the answer to something, it's perfectly acceptable to not reply.  Somebody else here may know the answer to this without contacting the developers.  This question is relevant to Linux and Peppermint as many Linux image programs use the ImageMagick libraries.

Offline PCNetSpec

  • Administrator
  • Hero
  • *****
  • Posts: 25718
  • Karma: 2821
  • "-rw-rw-rw-" .. The Number Of The Beast
    • View Profile
    • PCNetSpec
  • Peppermint version(s): Peppermint 8R, 9, and 9R
Re: ImageMagick multiple vulnerabilities
« Reply #3 on: May 04, 2016, 06:39:25 am »
Whilst I'm still trying to get my head around the exploit mechanism, I'd say YES if you use imagemagick to manipulate images from downloaded sources it can't hurt to add those policy change mitigations.

Though it's extremely unlikely that home users would (or could) be targeted, I can't at this point say its an impossibility.

Peppermint 6 does not have imagemagick installed by default, but a lot of other packages depend on it so probably worth checking if you have it installed.

The thing I'm finding so worrying about this is not so much that home users might be vulnerable, but that in 16.04 imagemagick *IS* installed by default and is a dependency of cups-filters/cups so there's not even the option to remove it unless you want to also remove the ability to print ::)

BTW, imagemagick is NOT installed on the Peppermint servers :)
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec

Offline scifidude79

  • Global Moderator
  • Hero
  • *****
  • Posts: 4029
  • Karma: 863
    • View Profile
  • Peppermint version(s): Peppermint 9
Re: ImageMagick multiple vulnerabilities
« Reply #4 on: May 04, 2016, 09:59:57 am »
Inkscape requires it, (or, at least it requires the imagemagick-common package) so I have it installed.

That sucks that it's now required for CUPS.  Like you said, remove that and you can't print.

Offline PCNetSpec

  • Administrator
  • Hero
  • *****
  • Posts: 25718
  • Karma: 2821
  • "-rw-rw-rw-" .. The Number Of The Beast
    • View Profile
    • PCNetSpec
  • Peppermint version(s): Peppermint 8R, 9, and 9R
Re: ImageMagick multiple vulnerabilities
« Reply #5 on: May 04, 2016, 10:45:03 am »
I suspect they'll fix it pretty sharpish :)

Unless of course they wanna be strung up by a bunch of irate sysadmins  >:(
« Last Edit: May 04, 2016, 10:47:28 am by PCNetSpec »
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec

Offline GNULINUX

  • Trusted User
  • Member
  • *****
  • Posts: 987
  • Karma: 311
    • View Profile
  • Peppermint version(s): Peppermint Six (x64)
Re: ImageMagick multiple vulnerabilities
« Reply #6 on: May 04, 2016, 11:32:05 am »
Thanks for your answers!  8)

I asked because I have it installed and IF I would remove it, conky-manager would also be uninstalled and we don't want that!
Spoiler (click here to view / hide)
[close]


Ok, I'm going to wait for the patch/fix and hope they're already working on it!

Greets!  ;)
Peppermint 6  (x64)   -   Windows 7 Ultimate SP1  (x64)
Running different OS flavors in VirtualBox, just for fun!

Offline scifidude79

  • Global Moderator
  • Hero
  • *****
  • Posts: 4029
  • Karma: 863
    • View Profile
  • Peppermint version(s): Peppermint 9
Re: ImageMagick multiple vulnerabilities
« Reply #7 on: May 04, 2016, 02:29:08 pm »
Unless of course they wanna be strung up by a bunch of irate sysadmins  >:(

Yeah, you're talking about a group that sharpens the pitchforks quickly.

Offline GNULINUX

  • Trusted User
  • Member
  • *****
  • Posts: 987
  • Karma: 311
    • View Profile
  • Peppermint version(s): Peppermint Six (x64)
Re: ImageMagick multiple vulnerabilities
« Reply #8 on: May 05, 2016, 12:54:45 pm »
Updated my original post to match the new info!  ;)

Read more: Multiple vulnerabilities in ImageMagick (Updated)

Greets!
Peppermint 6  (x64)   -   Windows 7 Ultimate SP1  (x64)
Running different OS flavors in VirtualBox, just for fun!

Offline GNULINUX

  • Trusted User
  • Member
  • *****
  • Posts: 987
  • Karma: 311
    • View Profile
  • Peppermint version(s): Peppermint Six (x64)
Re: ImageMagick multiple vulnerabilities
« Reply #9 on: June 02, 2016, 02:58:35 pm »
Peppermint 6  (x64)   -   Windows 7 Ultimate SP1  (x64)
Running different OS flavors in VirtualBox, just for fun!

Offline PCNetSpec

  • Administrator
  • Hero
  • *****
  • Posts: 25718
  • Karma: 2821
  • "-rw-rw-rw-" .. The Number Of The Beast
    • View Profile
    • PCNetSpec
  • Peppermint version(s): Peppermint 8R, 9, and 9R
Re: ImageMagick multiple vulnerabilities [SOLVED]
« Reply #10 on: June 02, 2016, 03:09:41 pm »
Thanks GNULINUX :)
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec