CloudLinux - CloudLinux Blog - ImageMagick Filtering Vulnerability - CVE-2016-3714
CloudLinux OS Blog

ImageMagick Filtering Vulnerability - CVE-2016-3714

ImageMagick Filtering Vulnerability - CVE-2016-3714

A critical vulnerability was found in ImageMagick which allows remote code to be executed during the conversion of several file formats. There is no proper fix for this other then disabling processing vulnerable commands within image files.

We are preparing imagemagick packages with those policies configured however you may fix it yourself editing few files:

/opt/alt/alt-ImageMagick/etc/ImageMagick-6/policy.xml
/opt/cloudlinux/lib/ImageMagick-6.5.4/config/policy.xml
/etc/ImageMagick/policy.xml

Add the following lines in the section:


...







Then execute:

cagefsctl --force-update

More information:

https://access.redhat.com/security/vulnerabilities/2296071
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3714

Ubuntu LTS 16.04 includes livepatch - now what?
How to use a single key to register multiple Kerne...
 

Comments 2

Guest - Dragos on Thursday, 05 May 2016 15:25

ImageMagick 6.2.8 that comes with CentOS5, doesn't support the policy list type. For this release, the workaround (at least on the cloudlinux-ImageMagick-6.2.x package) should be a rename of the library files (mvg, msl and label), that can be used along with this vulnerability:

mv /opt/cloudlinux/lib/ImageMagick-6.2.8/modules-Q16/coders/mvg.so /opt/cloudlinux/lib/ImageMagick-6.2.8/modules-Q16/coders/mvg.so.bak
mv /opt/cloudlinux/lib/ImageMagick-6.2.8/modules-Q16/coders/msl.so /opt/cloudlinux/lib/ImageMagick-6.2.8/modules-Q16/coders/msl.so.bak
mv /opt/cloudlinux/lib/ImageMagick-6.2.8/modules-Q16/coders/label.so /opt/cloudlinux/lib/ImageMagick-6.2.8/modules-Q16/coders/label.so.bak

(paths might differ for 64bit). Should we expect an update of the cloudlinux-ImageMagick package? IM has already released 7.0.1-1 to address this.

ImageMagick 6.2.8 that comes with CentOS5, doesn't support the policy list type. For this release, the workaround (at least on the cloudlinux-ImageMagick-6.2.x package) should be a rename of the library files (mvg, msl and label), that can be used along with this vulnerability: mv /opt/cloudlinux/lib/ImageMagick-6.2.8/modules-Q16/coders/mvg.so /opt/cloudlinux/lib/ImageMagick-6.2.8/modules-Q16/coders/mvg.so.bak mv /opt/cloudlinux/lib/ImageMagick-6.2.8/modules-Q16/coders/msl.so /opt/cloudlinux/lib/ImageMagick-6.2.8/modules-Q16/coders/msl.so.bak mv /opt/cloudlinux/lib/ImageMagick-6.2.8/modules-Q16/coders/label.so /opt/cloudlinux/lib/ImageMagick-6.2.8/modules-Q16/coders/label.so.bak (paths might differ for 64bit). Should we expect an update of the cloudlinux-ImageMagick package? IM has already released 7.0.1-1 to address this.
carpinteyrolxc carpinteyroxxnYU on Thursday, 05 May 2016 17:39

Hello,

Please find the information on new ImageMagick updates on the link https://cloudlinux.com/cloudlinux-os-blog/entry/imagemagic-for-cl-6-and-alt-imagemagic-updated

Hello, Please find the information on new ImageMagick updates on the link https://cloudlinux.com/cloudlinux-os-blog/entry/imagemagic-for-cl-6-and-alt-imagemagic-updated
Already Registered? Login Here
Guest
Tuesday, 31 March 2020

Captcha Image