ImageMagick CVE-2016-3714

Hi friends!

Just wanted to give everyone a heads up. As you may have heard there is a nasty CVE related to the ImageMagick library that allows for remote code execution (Ryan Huber - Medium).

Discourse uses this library, but protecting yourself is pretty simple. We are using v1.5.1 stable (so the file locations may be different depending on your version).

  1. SSH into your Discourse server and go to where your Discourse installation is

  2. `./launcher enter app`

  3. Edit the policy.xml file: `vim /usr/local/etc/ImageMagick-6/policy.xml`

  4. Add the following to the policy map:

    <policymap>
      <policy domain="coder" rights="none" pattern="EPHEMERAL" />
      <policy domain="coder" rights="none" pattern="URL" />
      <policy domain="coder" rights="none" pattern="HTTPS" />
      <policy domain="coder" rights="none" pattern="MVG" />
      <policy domain="coder" rights="none" pattern="MSL" />
    </policymap>
    
  5. Save the file

You should now be protected. It usually takes a bit of time to get patches done upstream, so this is the best thing that you can do to protect your self-hosted Discourse site.

AFAIK this container is blown away and recreated each time you upgrade, so be sure to do this each time you upgrade until there is an upstream patch.

13 Likes

Yes, thanks! I saw this a bit earlier and already brought it to the attention of @zogstrip

The more useful check is to verify that images are images by checking initial bytes, and I believe we already do this?

Verify that all image files begin with the expected “magic bytes” corresponding to the image file types you support before sending them to ImageMagick for processing. (see FAQ for more info)

6 Likes
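The "magic bytes" check recommended above, as an added example in Ruby (not Discourse's own code and not FastImage); it assumes the site accepts only PNG, JPEG and GIF, and that the caller passes the upload's raw bytes plus the extension the uploader claimed.

```ruby
# Added example: reject anything that does not start with a known image
# signature before it is ever handed to ImageMagick. Text-based formats
# (MVG, MSL, SVG, or a renamed text file) never match, so the risky coders
# are never reached. The signature table is an assumption of this example.
IMAGE_SIGNATURES = {
  png:  "\x89PNG\r\n\x1A\n".b,
  jpeg: "\xFF\xD8\xFF".b,
  gif:  "GIF8".b, # covers GIF87a and GIF89a
}.freeze

# Returns :png, :jpeg or :gif from the leading bytes, or nil when none match.
def sniff_image_type(bytes)
  head = bytes.to_s.b[0, 8]
  IMAGE_SIGNATURES.each do |type, sig|
    return type if head.start_with?(sig)
  end
  nil
end

# Gate to run before calling out to ImageMagick: the sniffed type must be one
# the site supports AND must agree with the declared extension, so a file
# named foo.png that is really something else is refused.
def safe_to_process?(bytes, declared_ext, allowed: %i[png jpeg gif])
  type = sniff_image_type(bytes)
  return false if type.nil? || !allowed.include?(type)

  ext = declared_ext.to_s.downcase.delete_prefix(".")
  ext = "jpeg" if ext == "jpg"
  ext == type.to_s
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, not real uploads.
  samples = {
    "real.png"    => "\x89PNG\r\n\x1A\n\x00\x00\x00\rIHDR".b,
    "photo.jpg"   => "\xFF\xD8\xFF\xE0\x00\x10JFIF".b,
    "renamed.png" => "this is plain text pretending to be an image\n".b,
  }
  samples.each do |name, data|
    ext = File.extname(name)
    puts "#{name}: #{safe_to_process?(data, ext) ? 'accepted' : 'rejected'}"
  end
end
```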

Thanks @levlaz for the heads up :thumbsup:

We used ImageMagick’s identify for that… So I changed it to use FastImage instead :wink:

https://github.com/discourse/discourse/commit/df14926e42dd6223c3ee73ff24e61140b83a50bc

The real fix though is to update our base image with the latest version of ImageMagick. But I don’t think they released a fixed version yet. cc @sam

11 Likes

No, it looks like one is expected “by the weekend”: ImageMagick Security Issue - ImageMagick (apologies for linking to a Lesser Forum… :grinning:)

What we can do in the meantime is deploy the modified policy.xml by default everywhere. I believe @sam is working on an updated image as I type.

5 Likes

Fixed per:

https://github.com/discourse/discourse_docker/commit/d47aa69bb72dea153b6901866bb66afe2cca6915

I will also rebuild the entire image next week when Image Magick do a new point release.

To take advantage of the fix:

    cd /var/discourse
    ./launcher rebuild app

21 Likes