Bug 1269793 - Add a note on bugzilla.org that admins should either update ImageMagick (due to CVE-2016-3714) or disable the BmpConvert extension
Status: RESOLVED FIXED
Product: Bugzilla
Classification: Server Software
Component: bugzilla.org
Version: 4.4
Priority: P1
Severity: normal
Assigned To: David Lawrence [:dkl]
QA Contact: default-qa
Blocks: 1269795
Reported: 2016-05-03 10:02 PDT by Dylan Hardison [:dylan]
Modified: 2016-05-16 13:55 PDT
Description Dylan Hardison [:dylan] 2016-05-03 10:02:49 PDT
https://medium.com/@rhuber/imagemagick-is-on-fire-cve-2016-3714-379faf762247#.kqh5svaq0

> If you use ImageMagick or an affected library, we recommend you mitigate the
> known vulnerabilities by doing at least one of these two things (but preferably
> both!):

> 1. Verify that all image files begin with the expected “magic bytes”
> corresponding to the image file types you support before sending them to
> ImageMagick for processing. (see FAQ for more info)
> 2. Use a policy file to disable the vulnerable ImageMagick coders. The global
> policy for ImageMagick is usually found in “/etc/ImageMagick”. This policy.xml
> example will disable the coders EPHEMERAL, URL, MVG, and MSL.

> https://gist.githubusercontent.com/rawdigits/d73312d21c8584590783a5e07e124723/raw/d3232a3958d8a26adcce53dfa2413b42623ca4b8/policy.xml
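The "magic bytes" mitigation quoted above, worked out for the BMP uploads that the BmpConvert extension handles, as an added example that is not Bugzilla's own code: `accept_upload` is a hypothetical gate a handler would call before invoking ImageMagick. It checks the leading bytes against the supported types and, going slightly beyond the quoted advice, also checks that a BMP's 14-byte file header is consistent with the actual payload, so a file that merely carries a .bmp name is rejected before any coder is chosen.

```python
import struct

# Magic bytes of the image types this hypothetical upload handler accepts.
# A file that does not start with one of these never reaches ImageMagick, so
# ImageMagick's content sniffing cannot route it to a text-based coder.
MAGIC = {
    "bmp": (b"BM",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpeg": (b"\xff\xd8\xff",),
}

def sniff_type(data):
    """Return the type whose magic bytes open `data`, or None if none match."""
    for kind, prefixes in MAGIC.items():
        if any(data.startswith(p) for p in prefixes):
            return kind
    return None

def check_bmp(data):
    """Stricter BMP check: the 14-byte file header must match the payload.
    Layout: 'BM', uint32 file size, 2 x uint16 reserved, uint32 pixel offset (LE)."""
    if len(data) < 14 or not data.startswith(b"BM"):
        return False, "missing BM signature or truncated header"
    file_size, pixel_offset = struct.unpack_from("<IxxxxI", data, 2)
    if file_size != len(data):
        return False, "header size %d != actual size %d" % (file_size, len(data))
    if pixel_offset < 14 or pixel_offset > len(data):
        return False, "pixel data offset %d outside file" % pixel_offset
    return True, "ok"

def accept_upload(data, allowed=("bmp",)):
    """Gate to call before handing an upload to ImageMagick: (accepted, reason)."""
    kind = sniff_type(data)
    if kind not in allowed:
        return False, "type %s is not an allowed image type" % kind
    if kind == "bmp":
        return check_bmp(data)
    return True, "ok"

# Constructed sample inputs (not real uploads): a minimal consistent BMP, a BMP
# whose header claims a wrong size, a text file, and a PNG signature.
GOOD_BMP = b"BM" + struct.pack("<IHHI", 26, 0, 0, 14) + b"\x00" * 12
BAD_SIZE_BMP = b"BM" + struct.pack("<IHHI", 9999, 0, 0, 14) + b"\x00" * 12
TEXT_NAMED_BMP = b"this is a text file, whatever its extension says\n"
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
```

The policy.xml route is complementary: the gate above limits what reaches ImageMagick, while the policy limits what ImageMagick will do with it.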
Comment 1 Dylan Hardison [:dylan] 2016-05-03 13:47:47 PDT
What is the procedure for this? BMO is responding by disabling the BmpConvert extension. We should inform other sites that they need to do the same or take steps to apply the config noted in comment #0.
Comment 2 Frédéric Buclin 2016-05-03 15:50:16 PDT
All we should do is to add a note to the release notes, or even not do anything. It's not our job to inform other admins about security vulnerabilities discovered in modules Bugzilla uses. And we also cannot blacklist older versions, because many Linux distros already backport security patches.
Comment 3 Adam Muntner [:adamm] (use NEEDINFO) 2016-05-05 17:04:49 PDT
*** This bug has been marked as a duplicate of bug 1269836 ***
Comment 4 Adam Muntner [:adamm] (use NEEDINFO) 2016-05-05 17:07:11 PDT
(In reply to Frédéric Buclin from comment #2)
> All we should do is to add a note to the release notes, or even not do
> anything. It's not our job to inform other admins about security
> vulnerabilities discovered in modules Bugzilla uses. And we also cannot
> blacklist older versions, because many Linux distros already backport
> security patches.

Frederic, if you run into a bug in a module that Bugzilla uses, please notify me, preferably with a needinfo on the bug. I'm working on putting that kind of coordination in place.
Comment 5 Frédéric Buclin 2016-05-05 18:19:18 PDT
This bug is for upstream, not bmo.
Comment 6 Daniel Veditz [:dveditz] 2016-05-06 10:32:10 PDT
(In reply to Frédéric Buclin from comment #5)
> This bug is for upstream, not bmo.

yeah, we have bug 1269795 for BMO. But in comment 2 it sounded like you said "Bugzilla" shouldn't do anything so that's probably why Adam closed the bug.
Comment 7 Frédéric Buclin 2016-05-06 10:41:05 PDT
Well, as I cannot see bug 1269836, and Adam is not involved in upstream Bugzilla, marking this bug as a dupe sounded wrong anyway. :)
Comment 8 David Lawrence [:dkl] 2016-05-16 11:40:29 PDT
Opening this up as it is not tied to any specific release of Bugzilla.
Comment 9 Frédéric Buclin 2016-05-16 13:54:47 PDT
A note has been added on the bugzilla.org website recommending admins to make sure their version of ImageMagick is up-to-date or to disable the BmpConvert extension.