ImageMagick CVE-2016–3714

levlaz · May 3, 2016, 6:04pm

Hi friends!

Just wanted to give everyone a heads up. As you may have heard there is a nasty CVE related to the ImageMagick library that allows for remote code execution. Moved. CLICK HERE - Ryan Huber - Medium

Discourse uses this library, protecting yourself is pretty simple. We are using v1.5.1 stable (so the file locations may be different depending on your version).

SSH into your discourse server and go to where your discourse installation is
./launcher enter app
Edit the policy.xml file vim /usr/local/etc/ImageMagick-6/policy.xml

Add the following to the policy map:

<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>

Save the file

You should now be protected. It usually takes a bit of time to get patches done upstream so this is the best thing that you can do to protected your self hosted discourse site.

AFAIK this container is blown away and recreated each time you upgrade, so be sure to do this each time you upgrade until there is an upstream patch.

codinghorror · May 3, 2016, 6:07pm

Yes, thanks! I saw this a bit earlier and already brought it to the attention of @zogstrip

The more useful check is to verify that images are images by checking initial bytes, and I believe we already do this?

Verify that all image files begin with the expected “magic bytes” corresponding to the image file types you support before sending them to ImageMagick for processing. (see FAQ for more info)

zogstrip · May 3, 2016, 7:55pm

Thanks @levlaz for the heads up

We used ImageMagick’s identify for that… So I changed it to use FastImage instead

The real fix though is to update our base image with the latest version of ImageMagick. But I don’t think they released a fixed version yet. cc @sam

mpalmer · May 3, 2016, 11:11pm

No, it looks like one is expected “by the weekend”: ImageMagick Security Issue - Legacy ImageMagick Discussions Archive (apologies for linking to a Lesser Forum… )

What we can do in the meantime is deploy the modified policy.xml by default everywhere. I believe @sam is working on an updated image as I type.

sam · May 3, 2016, 11:35pm

Fixed per:

https://github.com/discourse/discourse_docker/commit/d47aa69bb72dea153b6901866bb66afe2cca6915

I will also rebuild the entire image next week when Image Magick do a new point release.

To take advantage of the fix:

cd /var/discourse
./launcher rebuild app

Topic		Replies	Views
ImageMagick is not installed on my server (one more) Bug	6	1415	February 13, 2015
ImageMagick missing? Support	3	1467	February 6, 2015
Imgur images broken Support	18	4891	June 17, 2020
How to install ImageMagick 7 in Ubuntu for Development Dev	0	2364	August 15, 2018
Try to force https instead of downloading remote images Feature	13	2716	July 9, 2015

ImageMagick CVE-2016–3714

Related Topics