ImageMagick CVE-2016–3714

(Lev Lazinskiy) #1

Hi friends!

Just wanted to give everyone a heads up. As you may have heard there is a nasty CVE related to the ImageMagick library that allows for remote code execution. Moved. CLICK HERE – Ryan Huber – Medium

Discourse uses this library, protecting yourself is pretty simple. We are using v1.5.1 stable (so the file locations may be different depending on your version).

  1. SSH into your discourse server and go to where your discourse installation is

  2. ./launcher enter app

  3. Edit the policy.xml file vim /usr/local/etc/ImageMagick-6/policy.xml

  4. Add the following to the policy map:

      <policy domain="coder" rights="none" pattern="EPHEMERAL" />
      <policy domain="coder" rights="none" pattern="URL" />
      <policy domain="coder" rights="none" pattern="HTTPS" />
      <policy domain="coder" rights="none" pattern="MVG" />
      <policy domain="coder" rights="none" pattern="MSL" />
  5. Save the file

You should now be protected. It usually takes a bit of time to get patches done upstream so this is the best thing that you can do to protected your self hosted discourse site.

AFAIK this container is blown away and recreated each time you upgrade, so be sure to do this each time you upgrade until there is an upstream patch.

(Jeff Atwood) #2

Yes, thanks! I saw this a bit earlier and already brought it to the attention of @zogstrip

The more useful check is to verify that images are images by checking initial bytes, and I believe we already do this?

Verify that all image files begin with the expected “magic bytes” corresponding to the image file types you support before sending them to ImageMagick for processing. (see FAQ for more info)

(Régis Hanol) #3

Thanks @levlaz for the heads up :thumbsup:

We used ImageMagick’s identify for that… So I changed it to use FastImage instead :wink:

The real fix though is to update our base image with the latest version of ImageMagick. But I don’t think they released a fixed version yet. cc @sam

(Matt Palmer) #4

No, it looks like one is expected “by the weekend”: ImageMagick Security Issue - ImageMagick (apologies for linking to a Lesser Forum… :grinning:)

What we can do in the meantime is deploy the modified policy.xml by default everywhere. I believe @sam is working on an updated image as I type.

(Sam Saffron) #5

Fixed per:

I will also rebuild the entire image next week when Image Magick do a new point release.

To take advantage of the fix:

cd /var/discourse
./launcher rebuild app

Vulnerable to ImageMagic RCE, CVE-2016–3714?
How to move from standalone container to separate web and data containers
Image magic policy file in discourse git for non Docker installs
(Sam Saffron) #6

(Alan Tan) #7