Add a note on bugzilla.org that admins should either update ImageMagick (due to CVE-2016-3714) or disable the BmpConvert extension

RESOLVED FIXED

Product: Bugzilla
Component: bugzilla.org
Priority: P1
Severity: normal

People

(Reporter: dylan, Assigned: dkl)

(Reporter)

Description

a year ago
https://medium.com/@rhuber/imagemagick-is-on-fire-cve-2016-3714-379faf762247#.kqh5svaq0

> If you use ImageMagick or an affected library, we recommend you mitigate the
> known vulnerabilities by doing at least one of these two things (but preferably
> both!):
>
> 1. Verify that all image files begin with the expected “magic bytes”
>    corresponding to the image file types you support before sending them to
>    ImageMagick for processing. (see FAQ for more info)
> 2. Use a policy file to disable the vulnerable ImageMagick coders. The global
>    policy for ImageMagick is usually found in “/etc/ImageMagick”. This
>    policy.xml example will disable the coders EPHEMERAL, URL, MVG, and MSL.
>
> https://gist.githubusercontent.com/rawdigits/d73312d21c8584590783a5e07e124723/raw/d3232a3958d8a26adcce53dfa2413b42623ca4b8/policy.xml
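A defender-side check for both mitigations quoted above, added here as an example that is not part of this bug or of Bugzilla's own code: the coder names come from the quoted text; the magic-byte table, the sample BMP header, the non-image blob and the two sample policy files are constructed for the demonstration.

```python
"""Checks for the two mitigations quoted above: magic-byte validation before
ImageMagick ever sees an upload, and a policy.xml that denies the risky coders."""
import xml.etree.ElementTree as ET
from typing import Optional, Set

# Constructed table of magic bytes for image types an attachment converter such
# as BmpConvert might accept; BMP is the one BmpConvert hands to ImageMagick.
MAGIC_BYTES = {
    "bmp": [b"BM"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "jpeg": [b"\xff\xd8\xff"],
}

# Coders the quoted policy.xml example disables.
REQUIRED_DENIED_CODERS = {"EPHEMERAL", "URL", "MVG", "MSL"}


def detect_image_type(data: bytes) -> Optional[str]:
    """Return the type whose magic bytes open `data`, or None for anything else."""
    for name, prefixes in MAGIC_BYTES.items():
        if any(data.startswith(p) for p in prefixes):
            return name
    return None


def safe_to_convert(data: bytes, declared_type: str) -> bool:
    """Hand the blob to ImageMagick only when its content matches the type the
    uploader claimed; a text blob renamed to .bmp is rejected before any coder runs."""
    return detect_image_type(data) == declared_type.lower()


def missing_coder_denials(policy_xml: str) -> Set[str]:
    """Parse a policy.xml and return the required coders it does NOT deny.
    Assumes one <policy domain="coder" rights="none" pattern="NAME"/> per coder."""
    root = ET.fromstring(policy_xml)
    denied = {
        p.get("pattern", "").upper()
        for p in root.iter("policy")
        if p.get("domain") == "coder" and p.get("rights") == "none"
    }
    return REQUIRED_DENIED_CODERS - denied


# Constructed samples: a minimal BMP header, a non-image blob, and two policies.
BMP_SAMPLE = b"BM" + bytes(12)
TEXT_PAYLOAD = b"this is not an image\n"
WEAK_POLICY = '<policymap><policy domain="coder" rights="none" pattern="EPHEMERAL"/></policymap>'
FULL_POLICY = "<policymap>" + "".join(
    f'<policy domain="coder" rights="none" pattern="{c}"/>' for c in sorted(REQUIRED_DENIED_CODERS)
) + "</policymap>"
```

Running `missing_coder_denials` against the deployed `/etc/ImageMagick/policy.xml` turns the gist's advice into a check an admin can repeat after every package upgrade.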
(Reporter)

Updated

a year ago
Blocks: 1269795
(Reporter)

Comment 1

a year ago
What is the procedure for this? BMO is responding by disabling the BmpConvert extension. We should inform other sites that they need to do the same or take steps to apply the config noted in comment #0.

Comment 2

a year ago
All we should do is to add a note to the release notes, or even not do anything. It's not our job to inform other admins about security vulnerabilities discovered in modules Bugzilla uses. And we also cannot blacklist older versions, because many Linux distros already backport security patches.
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1269836
(In reply to Frédéric Buclin from comment #2)
> All we should do is to add a note to the release notes, or even not do
> anything. It's not our job to inform other admins about security
> vulnerabilities discovered in modules Bugzilla uses. And we also cannot
> blacklist older versions, because many Linux distros already backport
> security patches.

Frederic, if you run into a bug in a module that Bugzilla uses, please notify me, preferably with a needinfo on the bug. I'm working on putting that kind of coordination in place.

Comment 5

a year ago
This bug is for upstream, not bmo.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
(In reply to Frédéric Buclin from comment #5)
> This bug is for upstream, not bmo.

yeah, we have bug 1269795 for BMO. But in comment 2 it sounded like you said "Bugzilla" shouldn't do anything so that's probably why Adam closed the bug.

Comment 7

a year ago
Well, as I cannot see bug 1269836, and Adam is not involved in upstream Bugzilla, marking this bug as a dupe sounded wrong anyway. :)
(Assignee)

Comment 8

a year ago
Opening this up as it is not tied to any specific release of Bugzilla.
Group: bugzilla-security

Updated

a year ago
Component: Bugzilla-General → bugzilla.org

Comment 9

a year ago
A note has been added on the bugzilla.org website recommending admins to make sure their version of ImageMagick is up-to-date or to disable the BmpConvert extension.
Assignee: dylan → dkl
Status: REOPENED → RESOLVED
Last Resolved: a year ago
Resolution: --- → FIXED

Updated

a year ago
Summary: ImageMagick Is On Fire — CVE-2016-3714 → Add a note on bugzilla.org that admins should either update ImageMagick (due to CVE-2016-3714) or disable the BmpConvert extension