Bug 1269795: [BMO] ImageMagick Is On Fire (CVE-2016-3714)
Status: RESOLVED FIXED (opened 8 years ago, closed 8 years ago)
Categories: bugzilla.mozilla.org :: General, defect, P1
People: Reporter: dylan, Assigned: dylan
Attachments: 1 file (4.70 KB, patch; dkl: review+)

+++ This bug was initially created as a clone of Bug #1269793 +++

https://medium.com/@rhuber/imagemagick-is-on-fire-cve-2016-3714-379faf762247#.kqh5svaq0

> If you use ImageMagick or an affected library, we recommend you mitigate the
> known vulnerabilities by doing at least one these two things (but preferably
> both!):
> Verify that all image files begin with the expected “magic bytes”
> corresponding to the image file types you support before sending them to
> ImageMagick for processing. (see FAQ for more info) Use a policy file to
> disable the vulnerable ImageMagick coders. The global policy for ImageMagick
> is usually found in “/etc/ImageMagick”. This policy.xml example will disable
> the coders EPHEMERAL, URL, MVG, and MSL.
> https://gist.githubusercontent.com/rawdigits/d73312d21c8584590783a5e07e124723/raw/d3232a3958d8a26adcce53dfa2413b42623ca4b8/policy.xml

Updated • 8 years ago (Assignee)
Flags: needinfo?(klibby)

Comment 1 • 8 years ago (Assignee)
woops, I meant to add: fubar: Can we apply the policy file/config change to all the webheads, including in AWS? I'm keen to prevent remote code executions in either environment.

Comment 2 • 8 years ago
(In reply to Dylan William Hardison [:dylan] from comment #0)
> > The global policy for ImageMagick is usually found in “/etc/ImageMagick”.

lol, usually. do we have a way to test this vuln manually? I'd like to be able to make sure that it's disabled rather than assuming I've put it in the right place.
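
Added example (not part of the bug thread or of BMO's code): a static check that a policy.xml denies the four coders named in the description, which is one way to confirm the file's content instead of assuming it. The function name and both sample policies are constructed for illustration, and the check assumes that when several coder entries match, the last one decides.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Coders the advisory quoted in the bug description says to disable.
REQUIRED_CODERS = ("EPHEMERAL", "URL", "MVG", "MSL")


def unblocked_coders(policy_xml, required=REQUIRED_CODERS):
    """Return the coders in `required` that this policy text does not deny.

    Assumption: when several coder entries match, the last one decides.
    Only plain glob patterns (*, ?) are understood; brace lists are not
    expanded and count as not matching.
    """
    entries = [
        (p.get("pattern", "").upper(), p.get("rights", "").lower())
        for p in ET.fromstring(policy_xml).iter("policy")
        if p.get("domain", "").lower() == "coder"
    ]
    missing = []
    for coder in required:
        rights = None  # rights of the last entry matching this coder
        for pattern, entry_rights in entries:
            if fnmatchcase(coder, pattern):
                rights = entry_rights
        if rights != "none":
            missing.append(coder)
    return missing


# Constructed sample: the four entries the advisory describes.
GOOD_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>"""

# Constructed sample: MVG is commented out and a later M* entry re-enables MSL.
BAD_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <!-- <policy domain="coder" rights="none" pattern="MVG" /> -->
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="read|write" pattern="M*" />
</policymap>"""

if __name__ == "__main__":
    print("good policy, unblocked:", unblocked_coders(GOOD_POLICY))
    print("bad policy, unblocked: ", unblocked_coders(BAD_POLICY))
```

A static check only covers the file it is given; `identify -list policy` shows the policy ImageMagick has actually loaded on a host, which addresses the "right place" concern.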

Comment 3 • 8 years ago
also, /cc :gozer for his input on AWS
Flags: needinfo?(klibby) → needinfo?(gozer)

Updated • 8 years ago (Assignee)
Assignee: nobody → dylan

Comment 4 • 8 years ago (Assignee)
Attachment #8748348 - Flags: review?(dkl)

Comment 5 • 8 years ago
Comment on attachment 8748348
1269795_1.patch

Review of attachment 8748348:
-----------------------------------------------------------------

r=dkl
Attachment #8748348 - Flags: review?(dkl) → review+

Comment 6 • 8 years ago
Instead of deleting the whole extension, you could simply put extensions/BmpConvert/disabled to disable it. This way, when your ImageMagick module is updated, you can re-enable the extension.

Comment 7 • 8 years ago (Assignee)
I'm going to re-add the functionality using something other than image magick.

Comment 8 • 8 years ago
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
   3484d75..5a9a4e8  master -> master
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED

Comment 10 • 8 years ago
(In reply to Dylan William Hardison [:dylan] from comment #7)
> I'm going to re-add the functionality using something other than image
> magick.

does this mean we can remove the imagemagick packages altogether?

Comment 11 • 8 years ago (Assignee)
(In reply to Kendall Libby [:fubar] from comment #10)
> (In reply to Dylan William Hardison [:dylan] from comment #7)
> > I'm going to re-add the functionality using something other than image
> > magick.
>
> does this mean we can remove the imagemagick packages altogether?

Yes[1] we should kill them with fire.

[1] a quick check to make sure nothing else is using it should be done.

Comment 12 • 8 years ago
It was installed as part of the bugzilla puppet module, so only BMO would have been using it. I've removed it across the board.

Updated • 8 years ago
Flags: needinfo?(gozer)