
2016-05-04 ImageTragick: Remote execution vulnerability (CVE-2016-3714)

Several security vulnerabilities were recently discovered in certain ImageMagick coders. They include possible remote code execution and the ability to render files on the local system.

A number of image processing plugins depend on the ImageMagick library, including, but not limited to, PHP’s Imagick, Ruby’s RMagick and Paperclip, and Node.js’s imagemagick.

Find more information about the vulnerability on the ImageTragick website.

How to patch it

If you use ImageMagick or an affected library, we recommend you mitigate the known vulnerabilities with these steps:

  • Edit the installdir/common/lib/ImageMagick-6.7.5/config/policy.xml file of ImageMagick and add the following policy rules:

    <policymap>
      <policy domain="coder" rights="none" pattern="EPHEMERAL" />
      <policy domain="coder" rights="none" pattern="URL" />
      <policy domain="coder" rights="none" pattern="HTTPS" />
      <policy domain="coder" rights="none" pattern="MVG" />
      <policy domain="coder" rights="none" pattern="MSL" />
      <policy domain="coder" rights="none" pattern="TEXT" />
      <policy domain="coder" rights="none" pattern="SHOW" />
      <policy domain="coder" rights="none" pattern="WIN" />
      <policy domain="coder" rights="none" pattern="PLT" />
    </policymap>
    
  • Verify your policies with the following command:

    $ convert -list policy
    

Below is an example of the policy output:

Path: [built-in]
  Policy: Undefined
    rights: None
Path: installdir/common/lib/ImageMagick-6.7.5/config/policy.xml
  Policy: Coder
    rights: None
    pattern: EPHEMERAL
  Policy: Coder
    rights: None
    pattern: URL
  Policy: Coder
    rights: None
    pattern: HTTPS
  Policy: Coder
    rights: None
    pattern: MVG
  Policy: Coder
    rights: None
    pattern: MSL
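
The verification step above can be checked mechanically rather than by eye. The script below is an added example, not part of the original page: it reads `convert -list policy` output and lists every coder from the rules above that is not denied. The function names `missing_coders` and `sample_output` are hypothetical, and it assumes each pattern is a literal coder name, as in the rules above.

```shell
#!/bin/sh
# Coders that the policy.xml rules on this page set to rights="none".
REQUIRED="EPHEMERAL URL HTTPS MVG MSL TEXT SHOW WIN PLT"

# missing_coders: read `convert -list policy` output on stdin and print,
# space-separated, each required coder with no "Coder / rights: None" entry.
# Assumption: one literal coder name per pattern (no globs such as {MVG,MSL}).
# Patterns are compared exactly, so a lowercase pattern counts as missing.
missing_coders() {
  awk -v required="$REQUIRED" '
    /^[[:space:]]*Policy:/  { domain = tolower($2); rights = "" }
    /^[[:space:]]*rights:/  { rights = tolower($2) }
    /^[[:space:]]*pattern:/ { if (domain == "coder" && rights == "none") denied[$2] = 1 }
    END {
      n = split(required, want, " ")
      out = ""
      for (i = 1; i <= n; i++)
        if (!(want[i] in denied)) out = out (out == "" ? "" : " ") want[i]
      print out
    }'
}

# Constructed sample: the five entries visible in the example output above.
sample_output() {
  printf 'Path: [built-in]\n  Policy: Undefined\n    rights: None\n'
  printf 'Path: installdir/common/lib/ImageMagick-6.7.5/config/policy.xml\n'
  for coder in EPHEMERAL URL HTTPS MVG MSL; do
    printf '  Policy: Coder\n    rights: None\n    pattern: %s\n' "$coder"
  done
}

# On a live system, replace sample_output with: convert -list policy
missing=$(sample_output | missing_coders)
if [ -n "$missing" ]; then
  echo "Coders not yet denied by policy: $missing"
else
  echo "All required coders are denied."
fi
```

An empty result means all nine rules are active; any name printed still needs its rule in policy.xml.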