[BlueOnyx:19880] Re: GD image problem

fastreplies fastreplies at shaw.ca
Sun Jul 24 20:16:35 -05 2016


Bad news Michael,

Should I change /etc/ImageMagick/policy.xml back or let it be just in case?

You can submit your resource to our directory (use the Premium listing, free of 
charge of course) with an oversized logo, image, etc., and I will tell you the 
original size based on what we're getting.

Cheers
Bart

----- Original Message ----- 
From: "Michael Stauber" <mstauber at blueonyx.it>
To: "BlueOnyx General Mailing List" <blueonyx at mail.blueonyx.it>
Sent: Sunday, July 24, 2016 7:10 PM
Subject: [BlueOnyx:19879] Re: GD image problem


> Hi Bart,
>
>> One problem has been solved but... one more to go
>
>> eval 'use Image::Magick;';
>
> I almost suspect this has something to do with the recent ImageMagick
> vulnerabilities and the way we closed them:
>
> https://imagetragick.com/
>
> I applied the fixes mentioned on that site against our
> /etc/ImageMagick/policy.xml config file. Eventually RedHat also threw
> out a bunch of fixes for ImageMagick to close these holes:
>
> [root at 5209r web]# rpm -q --changelog ImageMagick
> * Do Jun 02 2016 Jan Horak <jhorak at redhat.com> - 6.7.8.9-15
> - Added fix for CVE-2016-5118, CVE-2016-5240, rhbz#1269562,
>  rhbz#1326834, rhbz#1334188, rhbz#1269553
>
> * Do Mai 05 2016 Jan Horak <jhorak at redhat.com> - 6.7.8.9-13
> - Add fix for CVE-2016-3714, CVE-2016-3715, CVE-2016-3716, CVE-2016-3717
>
> * Di Feb 02 2016 Jan Horak <jhorak at redhat.com> - 6.7.8.9-11
> - Fixed crash when processing .exr files (rhbz#1303227)
>
> In between that might have broken something that used to work before.
>
> My suggestion:
>
> Open /etc/ImageMagick/policy.xml in an editor and take a look. You will
> see two lines like this:
>
>  <!-- <policy domain="resource" name="time" value="3600"/> -->
>  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
>
> The first line shown here is commented out. The 2nd one is in effect.
>
> Comment out all lines at the bottom in the same fashion.
>
> That will leave you with something like this:
>
> <policymap>
>  <!-- <policy domain="system" name="precision" value="6"/> -->
>  <!-- <policy domain="resource" name="temporary-path" value="/tmp"/> -->
>  <!-- <policy domain="resource" name="memory" value="2GiB"/> -->
>  <!-- <policy domain="resource" name="map" value="4GiB"/> -->
>  <!-- <policy domain="resource" name="area" value="1GB"/> -->
>  <!-- <policy domain="resource" name="disk" value="16EB"/> -->
>  <!-- <policy domain="resource" name="file" value="768"/> -->
>  <!-- <policy domain="resource" name="thread" value="4"/> -->
>  <!-- <policy domain="resource" name="throttle" value="0"/> -->
>  <!-- <policy domain="resource" name="time" value="3600"/> -->
>  <!-- <policy domain="coder" rights="none" pattern="EPHEMERAL" /> -->
>  <!-- <policy domain="coder" rights="none" pattern="HTTPS" /> -->
>  <!-- <policy domain="coder" rights="none" pattern="HTTP" /> -->
>  <!-- <policy domain="coder" rights="none" pattern="URL" /> -->
>  <!-- <policy domain="coder" rights="none" pattern="FTP" /> -->
>  <!-- <policy domain="coder" rights="none" pattern="MVG" /> -->
>  <!-- <policy domain="coder" rights="none" pattern="MSL" /> -->
>  <!-- <policy domain="coder" rights="none" pattern="TEXT" /> -->
>  <!-- <policy domain="coder" rights="none" pattern="LABEL" /> -->
>  <!-- <policy domain="path" rights="none" pattern="@*" /> -->
> </policymap>
>
> Then see if your script works. If it does, then we know the modified
> policies are responsible and that they are more restrictive than you
> need them to be.
>
> -- 
> With best regards
>
> Michael Stauber
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx 
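
An added example, not part of the original thread or of BlueOnyx's own tooling: a small Python audit that reports which of the coder/path restrictions listed in the quoted policy.xml are enforced, commented out, or absent, which is the state to confirm before and after the troubleshooting step above. The function names and the sample policy text are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Mitigation entries taken from the policy.xml listing in the quoted message.
MITIGATIONS = [("coder", p) for p in
               ("EPHEMERAL", "HTTPS", "HTTP", "URL", "FTP", "MVG", "MSL", "TEXT", "LABEL")]
MITIGATIONS.append(("path", "@*"))

COMMENT = re.compile(r"<!--(.*?)-->", re.S)
POLICY = re.compile(r"<policy\b[^>]*/>")  # \b keeps <policymap> from matching


def _keys(fragments):
    """Return {(domain, pattern)} for policy elements with rights="none"."""
    found = set()
    for frag in fragments:
        el = ET.fromstring(frag)
        if el.get("rights") == "none" and el.get("pattern"):
            found.add((el.get("domain"), el.get("pattern")))
    return found


def audit_policy(xml_text):
    """Classify each mitigation as 'active', 'commented-out' or 'missing'."""
    commented = _keys(m for body in COMMENT.findall(xml_text)
                      for m in POLICY.findall(body))
    # Strip comments first so only policies that are in effect remain.
    active = _keys(POLICY.findall(COMMENT.sub("", xml_text)))
    report = {}
    for key in MITIGATIONS:
        report[key] = ("active" if key in active
                       else "commented-out" if key in commented else "missing")
    return report


# Constructed sample: two entries enforced, one disabled, the rest absent.
SAMPLE = """<policymap>
  <!-- <policy domain="resource" name="time" value="3600"/> -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <!-- <policy domain="coder" rights="none" pattern="MSL" /> -->
</policymap>"""

if __name__ == "__main__":
    for (domain, pattern), state in audit_policy(SAMPLE).items():
        print(f"{domain:6} {pattern:10} {state}")
```

To check a live system, pass the contents of /etc/ImageMagick/policy.xml to `audit_policy` instead of `SAMPLE`.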




