Friday, May 06, 2016

ImageMagick Interim Fix

A vulnerability resides in ImageMagick, a widely used image-processing library that's supported by PHP, Ruby, NodeJS, Python, and about a dozen other languages. Many social media and blogging sites, as well as a large number of content management systems, directly or indirectly rely on ImageMagick-based processing so they can resize images uploaded by end users. According to developer and security researcher Ryan Huber, ImageMagick suffers from a vulnerability that allows malformed images to force a Web server to execute code of an attacker's choosing. Websites that use ImageMagick and allow users to upload images are at risk of attacks that could completely compromise their security.

Update your /etc/ImageMagick/policy.xml file so that it contains the policy snippet published at http://imagetragick.com, then restart the daemons that use ImageMagick.

You're safe now. The full fix is still being worked out.

And if you have an old version of ImageMagick (for example, because you are on CentOS 5) that doesn't support policy.xml, you can edit delegates.xml instead, removing all delegates just to be safe. The file will be somewhere around: /usr/lib64/ImageMagick-6.2.8/config/
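As an added example (not part of the original post), the following POSIX shell script audits the two files the interim fix touches: it reports which of the coders listed in the imagetragick.com policy snippet a given policy.xml still leaves enabled, and counts the active delegate entries left in a delegates.xml for the older-version fallback. XML comments are stripped first, because a stock policy.xml carries commented-out example lines that a plain grep would mistake for active rules. The file paths and the sample files written to a temp directory are constructed for the demonstration; the coder list itself is the one published at imagetragick.com.

```shell
#!/bin/sh
# Added example: audit policy.xml / delegates.xml for the ImageTragick interim fix.
# Not the project's own tooling; sample files below are constructed for the demo.

# Coders denied by the imagetragick.com policy snippet. The first five were in the
# original snippet; TEXT, SHOW, WIN and PLT were added to the recommendation soon after.
REQUIRED_CODERS="EPHEMERAL URL HTTPS MVG MSL TEXT SHOW WIN PLT"

# strip_comments FILE : print FILE with all <!-- ... --> comments removed,
# including comments that span several lines.
strip_comments() {
    awk 'BEGIN { c = 0 }
    {
        line = $0; out = ""
        while (length(line) > 0) {
            if (c) {
                i = index(line, "-->")
                if (i == 0) { line = ""; break }
                line = substr(line, i + 3); c = 0
            } else {
                i = index(line, "<!--")
                if (i == 0) { out = out line; line = ""; break }
                out = out substr(line, 1, i - 1); line = substr(line, i + 4); c = 1
            }
        }
        print out
    }' "$1"
}

# policy_missing FILE : print each required coder FILE does not deny.
# Returns 0 when every coder is denied, 1 otherwise. Checks the one-rule-per-line
# form used by the imagetragick.com snippet (not brace-expanded pattern lists).
policy_missing() {
    rc=0
    active=$(strip_comments "$1" | grep '<policy' | grep 'domain="coder"' | grep 'rights="none"' || true)
    for coder in $REQUIRED_CODERS; do
        if ! printf '%s\n' "$active" | grep -q "pattern=\"$coder\""; then
            echo "$coder"
            rc=1
        fi
    done
    return $rc
}

# delegates_active FILE : print the number of active <delegate ...> entries.
# The post's fallback for versions without policy.xml is to remove all of them.
delegates_active() {
    strip_comments "$1" | grep -c '<delegate ' || true
}

# --- constructed sample files -------------------------------------------------
TMP=$(mktemp -d)

# Resembles a stock policy.xml: a resource limit only, plus a commented-out rule
# that must NOT count as active.
cat > "$TMP/policy-default.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Example rules (disabled):
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
-->
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>
EOF

# The same file with the imagetragick.com snippet applied.
cat > "$TMP/policy-fixed.xml" <<'EOF'
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
</policymap>
EOF

# A delegates.xml with two active entries (placeholder commands) and one commented out.
cat > "$TMP/delegates.xml" <<'EOF'
<delegatemap>
  <!-- <delegate decode="old" command="&quot;placeholder-old&quot; %i %o"/> -->
  <delegate decode="fmt-a" command="&quot;placeholder-a&quot; %i %o"/>
  <delegate decode="fmt-b" command="&quot;placeholder-b&quot; %i %o"/>
</delegatemap>
EOF
printf '<delegatemap>\n</delegatemap>\n' > "$TMP/delegates-empty.xml"

# --- demo ---------------------------------------------------------------------
for f in "$TMP/policy-default.xml" "$TMP/policy-fixed.xml"; do
    if missing=$(policy_missing "$f"); then
        echo "$f: all required coders denied"
    else
        echo "$f: still enabled: $(echo $missing | tr '\n' ' ')"
    fi
done
echo "active delegates: $(delegates_active "$TMP/delegates.xml")"
echo "active delegates after emptying: $(delegates_active "$TMP/delegates-empty.xml")"
```

Run it against the real files (`policy_missing /etc/ImageMagick/policy.xml`) before and after applying the snippet; on ImageMagick builds that support it, `convert -list policy` shows the rules the library actually loaded, which is the confirmation worth having after the daemons are restarted.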

RESOURCES
https://en.wikipedia.org/wiki/ImageMagick

https://it.slashdot.org/story/16/05/06/1516254/huge-number-of-sites-imperiled-by-critical-image-processing-vulnerability

http://fmwconcepts.com/imagemagick/

In a terminal type
$ display
and the ImageMagick native GUI appears.
If you want to create an application launcher with the logo, the icon is in the folder
/usr/share/doc/imagemagick/www/Magick++/ImageMagick.png
