Closed Bug 1269795 Opened 8 years ago Closed 8 years ago

[BMO] ImageMagick Is On Fire (CVE-2016-3714)

Categories

(bugzilla.mozilla.org :: General, defect, P1)

Production
defect

RESOLVED FIXED

People

(Reporter: dylan, Assigned: dylan)

Attachments

(1 file)

+++ This bug was initially created as a clone of Bug #1269793 +++

https://medium.com/@rhuber/imagemagick-is-on-fire-cve-2016-3714-379faf762247#.kqh5svaq0

> If you use ImageMagick or an affected library, we recommend you mitigate the
> known vulnerabilities by doing at least one of these two things (but preferably
> both!):

> 1. Verify that all image files begin with the expected “magic bytes”
>    corresponding to the image file types you support before sending them to
>    ImageMagick for processing. (see FAQ for more info)
> 2. Use a policy file to disable the vulnerable ImageMagick coders. The global
>    policy for ImageMagick is usually found in “/etc/ImageMagick”. This
>    policy.xml example will disable the coders EPHEMERAL, URL, MVG, and MSL.

> https://gist.githubusercontent.com/rawdigits/d73312d21c8584590783a5e07e124723/raw/d3232a3958d8a26adcce53dfa2413b42623ca4b8/policy.xml
Flags: needinfo?(klibby)
woops, I meant to add:

fubar: Can we apply the policy file/config change to all the webheads, including in AWS? I'm keen to prevent remote code executions in either environment.
(In reply to Dylan William Hardison [:dylan] from comment #0)
> 
> The global policy for ImageMagick is usually found in “/etc/ImageMagick”.

lol, usually. do we have a way to test this vuln manually? I'd like to be able to make sure that it's disabled rather than assuming I've put it in the right place.
also, /cc :gozer for his input on AWS
Flags: needinfo?(klibby) → needinfo?(gozer)
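
One way to check what a policy file actually says instead of assuming it, given here as an added example that is not from this bug thread or the quoted article. It assumes the `<policymap>` / `<policy domain="coder" ...>` layout of ImageMagick policy files; the function names and both sample policies are constructed for illustration.

```python
# Added example: audit an ImageMagick policy.xml for the coder blocks quoted above.
import fnmatch
import xml.etree.ElementTree as ET

REQUIRED = ("EPHEMERAL", "URL", "MVG", "MSL")  # coders named in the quoted advice

def audit_policy(xml_text, required=REQUIRED):
    """Return {coder: bool}; True only if every matching coder entry denies all rights."""
    root = ET.fromstring(xml_text)  # XML comments are dropped by the parser
    if root.tag != "policymap":
        raise ValueError("not an ImageMagick policy file (root is <%s>)" % root.tag)
    result = {}
    for coder in required:
        rights = [
            p.get("rights", "").strip().lower()
            for p in root.iter("policy")
            if p.get("domain", "").lower() == "coder"
            # Assumption: patterns are globs, matched case-sensitively against the coder name.
            and fnmatch.fnmatchcase(coder, p.get("pattern", ""))
        ]
        # Conservative: no matching entry, or any entry granting rights, counts as NOT disabled.
        result[coder] = bool(rights) and all(r == "none" for r in rights)
    return result

def missing(xml_text, required=REQUIRED):
    """Sorted list of required coders the policy does not clearly disable."""
    return sorted(c for c, ok in audit_policy(xml_text, required).items() if not ok)

# Constructed sample inputs (not taken from any real host).
HARDENED = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>"""

PARTIAL = """<policymap>
  <!-- <policy domain="coder" rights="none" pattern="MVG" /> -->
  <policy domain="resource" name="memory" value="256MiB" />
  <policy domain="coder" rights="none" pattern="M?L" />
  <policy domain="coder" rights="read" pattern="URL" />
</policymap>"""

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("partial", PARTIAL)):
        print(name, "still enabled:", missing(text) or "none")
```

This only reads the file it is given; `convert -list policy` shows the policy that ImageMagick itself loaded, which is the placement question raised above.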
Assignee: nobody → dylan
Attached patch 1269795_1.patch
Attachment #8748348 - Flags: review?(dkl)
Comment on attachment 8748348
1269795_1.patch

Review of attachment 8748348:
-----------------------------------------------------------------

r=dkl
Attachment #8748348 - Flags: review?(dkl) → review+
Instead of deleting the whole extension, you could simply put extensions/BmpConvert/disabled to disable it. This way, when your ImageMagick module is updated, you can re-enable the extension.
I'm going to re-add the functionality using something other than image magick.
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
   3484d75..5a9a4e8  master -> master
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
This has been pushed to production.
Group: bugzilla-security
(In reply to Dylan William Hardison [:dylan] from comment #7)
> I'm going to re-add the functionality using something other than image
> magick.

does this mean we can remove the imagemagick packages altogether?
(In reply to Kendall Libby [:fubar] from comment #10)
> (In reply to Dylan William Hardison [:dylan] from comment #7)
> > I'm going to re-add the functionality using something other than image
> > magick.
> 
> does this mean we can remove the imagemagick packages altogether?

Yes[1] we should kill them with fire.

[1] a quick check to make sure nothing else is using it should be done.
It was installed as part of the bugzilla puppet module, so only BMO would have been using it. I've removed it across the board.
Flags: needinfo?(gozer)