Peppermint OS Community Forum

General => GNU/Linux Discussion => Topic started by: GNULINUX on May 03, 2016, 05:52:57 pm

Title: ImageMagick multiple vulnerabilities [SOLVED]
Post by: GNULINUX on May 03, 2016, 05:52:57 pm
Quote
There are multiple vulnerabilities in ImageMagick, a package commonly used by web services to process images. One of the vulnerabilities can lead to remote code execution (RCE) if you process user submitted images. The exploit for this vulnerability is being used in the wild.
Multiple vulnerabilities in ImageMagick (https://imagetragick.com/)

I'm not sure if this only affects web services?

Quote
Use a policy file to disable the vulnerable ImageMagick coders. The global policy for ImageMagick is usually found in “/etc/ImageMagick”. The below policy.xml example will disable the coders EPHEMERAL, URL, MVG, and MSL.

Should we also add the suggested lines to policy.xml?

Code: [Select]
<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
</policymap>

Thanks for your answer!  ;)
Title: Re: ImageMagick multiple vulnerabilities
Post by: Alex on May 03, 2016, 06:00:07 pm
Hi, GNULINUX.
http://www.imagemagick.org/script/contact.php
I don't understand about ImageMagick vulnerabilities, but you should send your questions to Imagemagick developers.
Cheers.
Title: Re: ImageMagick multiple vulnerabilities
Post by: scifidude79 on May 03, 2016, 11:17:54 pm
If you don't know the answer to something, it's perfectly acceptable to not reply.  Somebody else here may know the answer to this without contacting the developers.  This question is relevant to Linux and Peppermint as many Linux image programs use the ImageMagick libraries.
Title: Re: ImageMagick multiple vulnerabilities
Post by: PCNetSpec on May 04, 2016, 06:39:25 am
Whilst I'm still trying to get my head around the exploit mechanism, I'd say YES if you use imagemagick to manipulate images from downloaded sources it can't hurt to add those policy change mitigations.

Though it's extremely unlikely that home users would (or could) be targeted, I can't at this point say its an impossibility.

Peppermint 6 does not have imagemagick installed by default, but a lot of other packages depend on it so probably worth checking if you have it installed.

The thing I'm finding so worrying about this is not so much that home users might be vulnerable, but that in 16.04 imagemagick *IS* installed by default and is a dependency of cups-filters/cups so there's not even the option to remove it unless you want to also remove the ability to print ::)

BTW, imagemagick is NOT installed on the Peppermint servers :)
Title: Re: ImageMagick multiple vulnerabilities
Post by: scifidude79 on May 04, 2016, 09:59:57 am
Inkscape requires it, (or, at least it requires the imagemagick-common package) so I have it installed.

That sucks that it's now required for CUPS.  Like you said, remove that and you can't print.
Title: Re: ImageMagick multiple vulnerabilities
Post by: PCNetSpec on May 04, 2016, 10:45:03 am
I suspect they'll fix it pretty sharpish :)

Unless of course they wanna be strung up by a bunch of irate sysadmins  >:(
Title: Re: ImageMagick multiple vulnerabilities
Post by: GNULINUX on May 04, 2016, 11:32:05 am
Thanks for your answers!  8)

I asked because I have it installed and IF I would remove it, conky-manager would also be uninstalled and we don't want that!
Spoiler (click here to view / hide)
(http://i.imgur.com/Wd7ttlV.png)
[close]


Ok, I'm going to wait for the patch/fix and hope they're already working on it!

Greets!  ;)
Title: Re: ImageMagick multiple vulnerabilities
Post by: scifidude79 on May 04, 2016, 02:29:08 pm
Unless of course they wanna be strung up by a bunch of irate sysadmins  >:(

Yeah, you're talking about a group that sharpens the pitchforks quickly.
Title: Re: ImageMagick multiple vulnerabilities
Post by: GNULINUX on May 05, 2016, 12:54:45 pm
Updated my original post to match the new info!  ;)

Read more: Multiple vulnerabilities in ImageMagick (Updated) (https://imagetragick.com/)

Greets!
Title: Re: ImageMagick multiple vulnerabilities
Post by: GNULINUX on June 02, 2016, 02:58:35 pm
Fixed:  ADVISORY - 2nd June 2016 - Update your Peppermint system. (https://forum.peppermintos.com/index.php/topic,3589.0.html)

[SOLVED]  :)
Title: Re: ImageMagick multiple vulnerabilities [SOLVED]
Post by: PCNetSpec on June 02, 2016, 03:09:41 pm
Thanks GNULINUX :)