[BlueOnyx:19879] Re: GD image problem

Michael Stauber mstauber at blueonyx.it
Sun Jul 24 19:10:27 -05 2016


Hi Bart,

> One problem has been solved but... one more to go

> eval 'use Image::Magick;';

I almost suspect this has something to do with the recent ImageMagick
vulnerabilities and the way we closed them:

https://imagetragick.com/

I applied the fixes mentioned on that site against our
/etc/ImageMagick/policy.xml config file. Eventually RedHat also threw
out a bunch of fixes for ImageMagick to close these holes:

[root at 5209r web]# rpm -q --changelog ImageMagick
* Do Jun 02 2016 Jan Horak <jhorak at redhat.com> - 6.7.8.9-15
- Added fix for CVE-2016-5118, CVE-2016-5240, rhbz#1269562,
  rhbz#1326834, rhbz#1334188, rhbz#1269553

* Do Mai 05 2016 Jan Horak <jhorak at redhat.com> - 6.7.8.9-13
- Add fix for CVE-2016-3714, CVE-2016-3715, CVE-2016-3716, CVE-2016-3717

* Di Feb 02 2016 Jan Horak <jhorak at redhat.com> - 6.7.8.9-11
- Fixed crash when processing .exr files (rhbz#1303227)

In between that might have broken something that used to work before.

My suggestion:

Open /etc/ImageMagick/policy.xml in an editor and take a look. You will
see two lines like this:

  <!-- <policy domain="resource" name="time" value="3600"/> -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />

The first line shown here is commented out. The second one is in effect.

Comment out all lines at the bottom in the same fashion.

That will leave you with something like this:

<policymap>
  <!-- <policy domain="system" name="precision" value="6"/> -->
  <!-- <policy domain="resource" name="temporary-path" value="/tmp"/> -->
  <!-- <policy domain="resource" name="memory" value="2GiB"/> -->
  <!-- <policy domain="resource" name="map" value="4GiB"/> -->
  <!-- <policy domain="resource" name="area" value="1GB"/> -->
  <!-- <policy domain="resource" name="disk" value="16EB"/> -->
  <!-- <policy domain="resource" name="file" value="768"/> -->
  <!-- <policy domain="resource" name="thread" value="4"/> -->
  <!-- <policy domain="resource" name="throttle" value="0"/> -->
  <!-- <policy domain="resource" name="time" value="3600"/> -->
  <!-- <policy domain="coder" rights="none" pattern="EPHEMERAL" /> -->
  <!-- <policy domain="coder" rights="none" pattern="HTTPS" /> -->
  <!-- <policy domain="coder" rights="none" pattern="HTTP" /> -->
  <!-- <policy domain="coder" rights="none" pattern="URL" /> -->
  <!-- <policy domain="coder" rights="none" pattern="FTP" /> -->
  <!-- <policy domain="coder" rights="none" pattern="MVG" /> -->
  <!-- <policy domain="coder" rights="none" pattern="MSL" /> -->
  <!-- <policy domain="coder" rights="none" pattern="TEXT" /> -->
  <!-- <policy domain="coder" rights="none" pattern="LABEL" /> -->
  <!-- <policy domain="path" rights="none" pattern="@*" /> -->
</policymap>

Then see if your script works. If it does, then we know the modified
policies are responsible and that they are more restrictive than you
need them to be.

-- 
With best regards

Michael Stauber
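As an added example (not from the thread or from BlueOnyx): a small Python script that parses a policy.xml and reports which policies are actually in effect. Because the XML parser drops comments, a line commented out as described above simply disappears from the result, so after the test you can re-enable the coder restrictions one at a time and confirm exactly which ones are active. The sample policy text is constructed; the file path /etc/ImageMagick/policy.xml is the one named in the thread.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample: a policy.xml in which the resource limit is commented
# out but several coder restrictions from the ImageTragick fixes are active.
SAMPLE_POLICY = """<policymap>
  <!-- <policy domain="resource" name="time" value="3600"/> -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="path" rights="none" pattern="@*" />
</policymap>
"""


def active_policies(xml_text):
    """Return the attributes of every <policy> element that is in effect.

    ElementTree discards XML comments while parsing, so a policy wrapped in
    <!-- ... --> never shows up here; that is exactly what "commented out"
    means to ImageMagick as well.
    """
    root = ET.fromstring(xml_text)
    return [dict(p.attrib) for p in root.iter("policy")]


def blocked_patterns(xml_text, domain="coder"):
    """Sorted patterns (coders, or paths) whose rights are set to 'none'."""
    return sorted(
        p["pattern"]
        for p in active_policies(xml_text)
        if p.get("domain") == domain and p.get("rights") == "none"
    )


def report(xml_text):
    """One human-readable line per active policy, for a quick audit."""
    lines = []
    for p in active_policies(xml_text):
        what = p.get("pattern", p.get("name", "?"))
        rights = p.get("rights", p.get("value", ""))
        lines.append(f"{p.get('domain')}: {what} -> {rights}")
    return lines


if __name__ == "__main__":
    # Usage: python policy_audit.py /etc/ImageMagick/policy.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY
    for line in report(text) or ["no active policies (all commented out)"]:
        print(line)
```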