Loading...
 

Imagemagick


Security hole recently detected and published in imagemagick.
More info:
http://www.theregister.co.uk/2016/05/03/imagemagick/
https://imagetragick.com/

And updated files in ubuntu 14.04.x or centos 7.x. based OS's.


How to patch affected systems:

sudo nano /etc/ImageMagick/policy.xml

and add the policies within the appropriate section <policymap> :
<policy domain="coder" rights="none" pattern="EPHEMERAL" /> <policy domain="coder" rights="none" pattern="URL" /> <policy domain="coder" rights="none" pattern="HTTPS" /> <policy domain="coder" rights="none" pattern="HTTP" /> <policy domain="coder" rights="none" pattern="FTP" /> <policy domain="coder" rights="none" pattern="MVG" /> <policy domain="coder" rights="none" pattern="MSL" /> <policy domain="coder" rights="none" pattern="TEXT" /> <policy domain="coder" rights="none" pattern="SHOW" /> <policy domain="coder" rights="none" pattern="WIN" /> <policy domain="coder" rights="none" pattern="PLT" /> <policy domain="coder" rights="none" pattern="LABEL" /> <policy domain="path" rights="none" pattern="@*" />

BBB

https://groups.google.com/forum/#!topic/bigbluebutton-setup/s5zeNpg5M8I

Hi all, We use ImageMagick as a dependency in the BigBlueButton. We expect that Canonical will be updating the ImageMagick package very soon, but in the mean time your BigBlueButton servers have a vulnerable version of the package installed. The vulnerability can be exploited by uploading a crafted "png" or "jpg" file that actually contains an SVG or MSL file with exploit code as a presentation. We *strongly recommend* everyone update the policy.xml file as described https://imagetragick.com/#info Specifically, add the following: <policy domain="coder" rights="none" pattern="EPHEMERAL" /> <policy domain="coder" rights="none" pattern="URL" /> <policy domain="coder" rights="none" pattern="HTTPS" /> <policy domain="coder" rights="none" pattern="MVG" /> <policy domain="coder" rights="none" pattern="MSL" /> to /etc/ImageMagick/policy.xml For example <policymap> <!-- <policy domain="system" name="precision" value="6"/> --> <!-- <policy domain="resource" name="temporary-path" value="/tmp"/> --> <!-- <policy domain="resource" name="memory" value="2GiB"/> --> <!-- <policy domain="resource" name="map" value="4GiB"/> --> <!-- <policy domain="resource" name="area" value="1GB"/> --> <!-- <policy domain="resource" name="disk" value="16EB"/> --> <!-- <policy domain="resource" name="file" value="768"/> --> <!-- <policy domain="resource" name="thread" value="4"/> --> <!-- <policy domain="resource" name="throttle" value="0"/> --> <!-- <policy domain="resource" name="time" value="3600"/> --> <policy domain="coder" rights="none" pattern="EPHEMERAL" /> <policy domain="coder" rights="none" pattern="URL" /> <policy domain="coder" rights="none" pattern="HTTPS" /> <policy domain="coder" rights="none" pattern="MVG" /> <policy domain="coder" rights="none" pattern="MSL" /> </policymap> There is no need to restart your BigBlueButton server. Once you edit the policy.xml your version of ImageMagick is no longer vulnerable. *We recommend that anyone running BigBlueButton (or any other server that uses imagemagic) do this now. * Regards,... Fred & Calvin
Image Seed: noun \ˈsēd\ : the beginning of something which continues to develop or grow

Knowledge seeds

Switch Language