PDA

View Full Version : SLES 11 SP4 ImageMagick and CVE-2016-3714



skunkboy
05-May-2016, 15:10
Hello,

Recommended mitigation seems to be to tweak /etc/ImageMagick/policy.xml file but that does not appear to exist even with both ImageMagick packages installed.
Anyone know if I created this directory and file that the ImageMagick software will actually read the file?

Thanks,
Matt

malcolmlewis
05-May-2016, 15:31
On Thu 05 May 2016 02:14:01 PM CDT, skunkboy wrote:

Hello,

Recommended mitigation seems to be to tweak
/etc/ImageMagick/policy.xml file but that does not appear to exist even
with both ImageMagick packages installed.
Anyone know if I created this directory and file that the ImageMagick
software will actually read the file?

Thanks,
Matt




Hi
Looks like a fix is on the way;
https://bugzilla.suse.com/show_bug.cgi?id=978061

--
Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
openSUSE Leap 42.1|GNOME 3.16.2|4.1.20-11-default
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below... Thanks!

skunkboy
05-May-2016, 15:31
To mitigate this I ended up doing the following :

vi /usr/lib64/ImageMagick-6.4.3/config/configure.xml
add
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="HTTP" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="FTP" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
<policy domain="coder" rights="none" pattern="TEXT" />
<policy domain="coder" rights="none" pattern="LABEL" />
<policy domain="path" rights="none" pattern="@*" />

cd /usr/lib64/ImageMagick-6.4.3/modules-Q16/coders

mv mvg.so mvg.so.bak
mv msl.so msl.so.bak
mv label.so label.so.bak

Matt

williamwu2016
10-May-2016, 11:43
To mitigate this I ended up doing the following :

vi /usr/lib64/ImageMagick-6.4.3/config/configure.xml
add
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="HTTP" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="FTP" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
<policy domain="coder" rights="none" pattern="TEXT" />
<policy domain="coder" rights="none" pattern="LABEL" />
<policy domain="path" rights="none" pattern="@*" />

cd /usr/lib64/ImageMagick-6.4.3/modules-Q16/coders

mv mvg.so mvg.so.bak
mv msl.so msl.so.bak
mv label.so label.so.bak

Matt

Hi Matt,

I tried your approach but don't work. I added the policy setting to configure.xml. However, I can still trigger the issue.

Thanks!
William

skunkboy
10-May-2016, 14:48
Hmm, well that sucks. All of the information I can find on how to mitigate this issue before any updates are issued lead me to believe that this should work.

skunkboy
12-May-2016, 18:24
Patch appears to be out for Suse 11 sp4 now ...