[BlueOnyx:19883] Re: GD image problem
fastreplies
fastreplies at shaw.ca
Mon Jul 25 16:32:21 -05 2016
Hello MIchael,
Weird thing...imagemagick apparently is working in phpBB... based on
security image generation test, which means we have problem with our
directory script.
Now, script is the same as before and would work on old 5106 server like a
charm, but now... what is missing?
Cheers
Bart
----- Original Message -----
From: "Michael Stauber" <mstauber at blueonyx.it>
To: "BlueOnyx General Mailing List" <blueonyx at mail.blueonyx.it>
Sent: Sunday, July 24, 2016 7:10 PM
Subject: [BlueOnyx:19879] Re: GD image problem
> Hi Bart,
>
>> One problem has been solved but... one more to go
>
>> eval 'use Image::Magick;';
>
> I almost suspect this has something to do with the recent ImageMagick
> vulnerabilities and the way how we closed them:
>
> https://imagetragick.com/
>
> I applied the fixes mentioned on that site against our
> /etc/ImageMagick/policy.xml config file. Eventually RedHat also threw
> out a bunch of fixes for ImageMagick to close these holes:
>
> [root at 5209r web]# rpm -q --changelog ImageMagick
> * Do Jun 02 2016 Jan Horak <jhorak at redhat.com> - 6.7.8.9-15
> - Added fix for CVE-2016-5118, CVE-2016-5240, rhbz#1269562,
> rhbz#1326834, rhbz#1334188, rhbz#1269553
>
> * Do Mai 05 2016 Jan Horak <jhorak at redhat.com> - 6.7.8.9-13
> - Add fix for CVE-2016-3714, CVE-2016-3715, CVE-2016-3716, CVE-2016-3717
>
> * Di Feb 02 2016 Jan Horak <jhorak at redhat.com> - 6.7.8.9-11
> - Fixed crash when processing .exr files (rhbz#1303227)
>
> In between that might have broken something that used to work before.
>
> My suggestion:
>
> Open /etc/ImageMagick/policy.xml in an editor and take a look. You will
> see two lines like this:
>
> <!-- <policy domain="resource" name="time" value="3600"/> -->
> <policy domain="coder" rights="none" pattern="EPHEMERAL" />
>
> The first line shown here is commented out. The 2nd one is in effect.
>
> Comment out all lines at the bottom in the same fashion.
>
> That will leave you with something like this:
>
> <policymap>
> <!-- <policy domain="system" name="precision" value="6"/> -->
> <!-- <policy domain="resource" name="temporary-path" value="/tmp"/> -->
> <!-- <policy domain="resource" name="memory" value="2GiB"/> -->
> <!-- <policy domain="resource" name="map" value="4GiB"/> -->
> <!-- <policy domain="resource" name="area" value="1GB"/> -->
> <!-- <policy domain="resource" name="disk" value="16EB"/> -->
> <!-- <policy domain="resource" name="file" value="768"/> -->
> <!-- <policy domain="resource" name="thread" value="4"/> -->
> <!-- <policy domain="resource" name="throttle" value="0"/> -->
> <!-- <policy domain="resource" name="time" value="3600"/> -->
> <!-- <policy domain="coder" rights="none" pattern="EPHEMERAL" /> -->
> <!-- <policy domain="coder" rights="none" pattern="HTTPS" /> -->
> <!-- <policy domain="coder" rights="none" pattern="HTTP" /> -->
> <!-- <policy domain="coder" rights="none" pattern="URL" /> -->
> <!-- <policy domain="coder" rights="none" pattern="FTP" /> -->
> <!-- <policy domain="coder" rights="none" pattern="MVG" /> -->
> <!-- <policy domain="coder" rights="none" pattern="MSL" /> -->
> <!-- <policy domain="coder" rights="none" pattern="TEXT" /> -->
> <!-- <policy domain="coder" rights="none" pattern="LABEL" /> -->
> <!-- <policy domain="path" rights="none" pattern="@*" /> -->
> </policymap>
>
> Then see if your script works. If it does, then we know the modified
> policies are responsible and that they are more restrictive than you
> need them to be.
>
> --
> With best regards
>
> Michael Stauber
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
More information about the Blueonyx
mailing list